Facebook tweaks Beacon again, Zuckerberg apologizes

Facebook is giving members of its social network the ability to completely decline participating in the company's controversial Beacon ad system, a reaction to intense criticism that Beacon is too intrusive and compromises people's privacy.

The announcement was made in an official blog post by Facebook founder and CEO Mark Zuckerberg on Wednesday morning, in which he also apologized for missteps in the design and deployment of Beacon.

"We've made a lot of mistakes building this feature, but we've made even more with how we've handled them. We simply did a bad job with this release, and I apologize for it," Zuckerberg wrote.

The ability to skip Beacon altogether is the second major modification to the program. Last Thursday, Facebook gave members more control over Beacon and made the way it works clearer so that people could manage it properly.

Beacon, part of the company's new ad platform, tracks certain actions of Facebook users on some external sites like Blockbuster and Fandango in order to report those actions back to users' Facebook friends network.

The idea is to generate advertising that is more effective because it is intricately combined with people's social circle, so that products and services are promoted in a more organic way via the actions of friends and family.

More than 40 Web sites have signed up for Beacon, although not all have implemented the system. Off-Facebook activities that can be broadcast to one's Facebook friends include purchasing a product, signing up for a service and including an item on a wish list.

Still, Zuckerberg's blog posting doesn't directly address the findings of a CA security researcher that have fueled the privacy controversy over Beacon in recent days.

Stefan Berteau found that Beacon tracks users even if they are logged off from the social-networking site and have declined having their activities broadcast to friends.

In this case, users aren't informed that data on their activities at these sites is flowing back to Facebook or given the option to block that information from being transmitted, according to Berteau, senior research engineer at CA's Threat Research Group.

If a user has ever checked the option for Facebook to "remember me" -- which saves the user from having to log on to the site upon every return to it -- Facebook can tie his activities on third-party Beacon sites directly to him, even if he's logged off and has opted out of the broadcast. If he has never chosen this option, the information still flows back to Facebook, although without it being tied to his Facebook ID, according to Berteau.

Moreover, Berteau also found that Beacon doesn't limit its tracking to Facebook members. It actually tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts.