Moreover, Berteau also found that Beacon doesn't limit its tracking to Facebook members. It actually tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts.
In those cases, Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users' IP addresses, although there is no Facebook ID to tie to the data.
The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said.
Facebook's response to Berteau's research has been a brief statement in which it confirms the findings, but says that in the case of logged-off users, deactivated accounts, and nonmembers, Facebook deletes the data upon receiving it.
Facebook's admission of Berteau's findings contradicted earlier statements from company officials.
Unsurprisingly, Facebook's reaction -- brief and lacking details -- has done little to calm the concerns and complaints arising from Berteau's research.
"Some say that if you belong to a social-networking site, you've given up your privacy. This shows that Facebook is the one that's really overreaching, collecting a lot of information from all over the place," said attorney Guilherme Roschke, a Skadden Fellow at the Electronic Privacy Information Center (EPIC).
EPIC believes that for this ad program to work properly from a privacy perspective, Facebook needs to give people full control over their information and obtain their explicit permission, Roschke said.
Facebook has declined repeated requests from IDG News Service to address the CA findings, which industry experts believe merit further modifications to Beacon and public comments from Facebook executives.
The tracking and transmission of data from logged-off users and non-Facebook members in Beacon sites "is a real no-no," Sterling said. "It crosses the line of propriety and, arguably, ethics."
Companies like Facebook are wrong to think that they are obtaining informed consent from their users to track them online as long as they place fine-print clauses in privacy policies written in complicated legalese.
"You need to get explicit, active approval for the tracking of your users, and if you don't, you shouldn't track them," said Peter Eckersley, staff technologist at the Electronic Frontier Foundation (EFF).
It's also not helping that Facebook is having to reverse itself in light of evidence produced by independent observers like CA. "Facebook isn't being entirely candid about what it's doing, and that's what's causing a lot of their problems," Sterling said.
Facebook urgently needs to infuse Beacon with a massive dose of transparency and do a significant transfer of control over the program to end-users, Sterling said.
Other online advertising providers should pay close attention to the mess Facebook has gotten itself into. "Everyone doing online tracking needs to be under the same scrutiny," Eckersley said.