Facebook's Beacon ad service may, ironically, be the best thing that's happened to the online privacy movement in a while.
The controversy raised by the social networking site's use of the Beacon technology has helped drag into the open the widespread but hitherto largely hidden problem of online consumer-tracking and information-sharing, according to privacy advocates.
"This Facebook debacle is in one way very good, because it shows people just what is happening," said Pam Dixon executive director of the World Privacy Forum. "There are other sites and other places where very similar data arrangements exist, but it is all happening under the radar and people simply don't realize it."
A bushel of Beacons, and worse
Facebook's Beacon was released in early November as a part of its Facebook Ads platform. It is ostensibly designed to track the activities of Facebook users on more than 44 participating Web sites, and to report those activities back to the users' Facebook friends, unless specifically told not to do so.
The idea is to give participating online companies a way to monitor the activities of Facebook users on their Web sites and to use that information to then deliver targeted messages to the friends of those Facebook users.
But the relative lack of disclosure about what was going on -- and the relative difficulty involved in opting out of the program -- has led to a maelstrom of criticism against Facebook over the past few days. Adding fuel to the fire have been a series of damaging disclosures by a CA Inc. security researcher that show that Facebook's tracking was far more invasive and extensive that the company originally let on.
According to the researcher, Facebook's Beacon tracked the activities of users even if they had logged off from Facebook and had declined the option of having their activities on other sites broadcast back to their friends.
Likely to be even more damaging was another disclosure Monday afternoon that Beacon's tracking did not stop with just those of Facebook users. Rather, it tracks activities from all users in its third-party partner sites, including IP address data of people who never signed up with Facebook or those who deactivate their accounts.
Unfortunately, such tracking is not at all unusual in the online world -- it's far more the norm than the exception, Dixon said. "One of the things we have been saying about behavioral advertising is that people don't know it's happening.... You have to be tremendously technically savvy to know what is happening under the hood," she said.
Dixon's organization was one of was one of nine privacy advocacy groups that in October submitted a proposal to the Federal Trade Commission asking the agency to consider implementing a Do Not Track list to protect people from having their online activities unknowingly tracked and used by marketers. The FTC itself held a two-day workshop in early November to hear industry and consumer views on online tracking and behavioral-based advertising amid growing concerns about the privacy implications of those activities.
Bad as it might appear to be, what Facebook is doing is less egregious than what a majority of other sites do, according to some privacy advocates. In Facebook's case, for instance, the company at least made the information-sharing transparent and gave users an opportunity to control it, said Chris Hoofnagle, senior staff attorney at the Berkeley Center for Law and Technology at the University of California, Berkeley.
Even those that claim not to collect or share the information in their privacy policies often find a way to do so anyway without the individual's knowledge, according to privacy advocates. For instance, many use tracking technologies such as flash cookies and first-party subdomain cookies to skirt around commitments they may have made in their polices regarding information collection and sharing with third parties. Others simply revise privacy policies quietly when they get into new marketing agreements.