Facebook doesn't budge on Beacon's broad user tracking

Facebook's CEO and Founder Mark Zuckerberg has profusely apologized for missteps in the design and deployment of the Beacon ad system, but he remains unrepentant about what privacy advocates consider a particularly egregious feature.

Absent from Zuckerberg's mea culpa Wednesday is any indication that Facebook plans to modify the system's ability to indiscriminately track actions of all users on external sites that have implemented Beacon.

While Wednesday's decision to allow Facebook members to completely decline participation in Beacon has been generally welcomed, privacy advocates will likely keep Facebook in their crosshairs until the system's user tracking mechanism is scaled back.

Announced a month ago as part of what Facebook calls Social Ads, Beacon tracks certain actions of Facebook users on some external sites, like Blockbuster and Fandango, in order to report those actions back to users' Facebook friends network.

For Facebook, these notices represent what it considers an innovative and ultimately more effective form of online advertising that leverages the deep social connections of its users.

In other words, by being intricately combined with people's social circle via the actions of friends and family, these notices promote products and services in a more organic way than regular online ads, Facebook maintains.

Even critics of Beacon had generally assumed that the ad system limited its non-Facebook tracking and data reporting to Facebook members who were logged on to the site.

However, in the past week, CA security researcher Stefan Berteau stunned many when he reported that Beacon tracks all users in these external sites, including logged-off and former Facebook members and even non-Facebook members, and sends data back to Facebook. He also found that logged-in Facebook users who declined having their actions broadcast to their friends still had their data sent to Facebook.

Beacon, already blasted for weeks by privacy advocates like MoveOn.org and the Electronic Privacy Information Center, as well as by concerned Facebook users, has come under renewed attacks as a result of the findings from Berteau's independent research.

Facebook confirmed that this broad user tracking function remains untouched in Beacon, despite the changes announced Wednesday, a spokesperson said in an e-mail.

"Facebook does not share profile data with Beacon partner sites. The partner site prompts Facebook to check whether a Facebook user has taken a Beacon-qualified action, and passes the action data to Facebook for potential sharing with friends if the user’s privacy settings permit it," she wrote. "This checking process, which operates in a similar fashion to any embedding on a Web page of third-party content like YouTube videos or network advertisements, may collect information on logged-out Facebook users or non-users."