Home > Insights 

CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog

Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in.

[Update 12/03/07 - We have received a statement from facebook, asserting that they do not use or retain any of the data which is received if a user is not logged in or does not consent.  It is posted in full here]


As follow-up to Ben's look at Facebook's Beacon system, I began investigating the extent of its privacy implications.  What I found is extremely disconcerting.  Facebook is collecting information about user actions on affiliate sites regardless of whether or not the user chose to opt out, and regardless of whether or not the user is logged into Facebook at that time.  The evidence I present below directly contradicts both public statements made by Facebook, and direct email correspondence from their privacy department, demonstrating that Beacon is a serious threat to user privacy.

I would like to offer special thanks and recognition to Ben Googins for "Facebook SocialAds - Going Too Far?", his initial blog entry on this subject, and to Jay Goldman, whose blog post on deconstructing Beacon was one of, if not the first to provide a detailed analysis of the beacon code, which proved invaluable to this investigation.  I recommend it to anyone who wants a more in-depth technical look at the underlying code of Beacon.

Third party sites which affiliate with Beacon are given javascript code to place on specific pages.  From a high level perspective, this code and the further code it pulls in from facebook.com takes the following actions:

  1. Prepares a series of variables to be sent to Facebook.  These include a request to queue information, the url of the item viewed on the affiliate site, modified to include a Facebook tag, a random number, the "source id" (presumably a unique affiliate number), and the referring URL, including any variables.
  2. Calls a page on facebook.com (http://www.facebook.com/beacon/auth_iframe.php), passing as parameters the variables which were previously prepared. 
  3. If the browser has previously been used to access facebook.com, a Facebook cookie is sent as well.  This contains a randomly generated ID, and if the user has ever selected "remember me" while logging into Facebook, it will also contain their Facebook login ID.
  4. At this point, if the user is currently logged in to Facebook, a javascript function is called to pop up an alert window, asking if they want to publish this item to their feed.  If they opt out, the feed is not updated, but by this point all the information mentioned above has already been transmitted to Facebook.

To test this in real life, I created an account on epicurious.com, and tried saving three recipes as favorites.   The first recipe was saved while logged in to Facebook in the same browser session.  An alert appeared allowing me to opt out of Facebook's publishing this as a story on my feed, which I did.  The second one was saved after I had closed the Facebook window, but had not logged out or ended the browser session.  The same alert appeared, and I opted out again, selecting "No thanks".  I then closed the browser entirely and launched a new session.  After confirming that I was not logged in to Facebook, I saved the third recipe.  No alert appeared.

I then checked the network traffic logs, and was dismayed to find that in all three cases, data about where I was on Epicurious, what action I had just taken, and what my Facebook account name is was transmitted to Facebook.  The first two cases involve the transmission of user data despite "No thanks" having been selected on the opt-out dialog, and are are causes for deep concern.  They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication.


Network packet capture

As the screenshot above indicates, a GET request was issued to http://www.facebook.com/beacon/auth_iframe.php, with variables which included my current location on Epicurious, and the URL I had loaded to get there, including the variable indicating my action, namely "Save to Box".  A Facebook cookie was also returned, which includes a variable named h_user (presumably a user ID), and my login email address in plaintext.  (The email address is partially visible as the value of login_x on the right side of the screenshot, as I didn't feel like posting my alumni address to the world).

Despite the fact that I was not logged in, Facebook just received enough information to tie the activity I took on their affiliate to my individual account, which combined with the social data they already have, such as circles of friends, level of education, , communication patterns, and geographic locations, would allow them to profile individual consumer behavior on a nearly unprecedented level of detail.

How can this transfer of data be prevented?  The blocking method from Ben's blog will continue to be effective against Beacon, whether you are logged on to Facebook or not.  In addition, deleting your facebook.com cookies and avoiding the "remember me" option when logging in will keep Facebook from being able to track you while not logged in.  Your data will still be sent if you are logged in to Facebook, however, regardless of the choice you make when presented with the opt-out dialog.

I emailed Facebook's privacy department (privacy@facebook.com), expressing my concerns about the data that was being collected despite opt-outs and users not being logged in, and inquiring as to the existence of a privacy or data retention policy for this silently collected information.  If this information is received by Facebook, but purged as a matter of policy if the user was not logged on, or had opted out of feed publication, then my concerns would at least be eased slightly.  I received a prompt response, containing what seemed to be a boilerplate statement about Beacon:


Hi Stefan,

Facebook is now affiliated with  a variety of websites, all of whom can, with your permission, send the actions you take on their sites back into Facebook. These actions will appear in your Mini-Feed and may appear in the News Feeds of your friends.

If you are logged in to Facebook and take an action on an affiliated site, the website will alert you that it has a story it would like to send to your Facebook profile. You can then choose to take the following actions:

  1. You can click the ‘Learn More' link to find out more about that story or edit your privacy settings for these external stories.
  2. You can click the ‘This isn't me' link if the Facebook account does not match the person using the external site. In this case, Facebook will never publish the story or otherwise share any information with the user's friends on Facebook.
  3. You can click ‘No Thanks' in which case Facebook will never publish that story or otherwise share any information with your friends on Facebook.
  4. You can click 'close' or simply ignore the notification in which case the story will be sent to Facebook, but will not be published on the site. Next time you navigate to the Facebook Home page after interacting with an affiliate site, you'll receive a second reminder that the affiliate website is about to publish a story on your behalf. If you select ‘See More' and then click the 'X' next to any story, the story will not be published. If you click 'close' or navigate away from your home page, the external story will then be published in your Mini-Feed and potentially the News Feeds of your friends.

Please keep in mind that affiliate websites never have access to your profile information, nor does Facebook receive any personal data about you from an affiliate site.  Let us know if you have any further questions regarding the privacy settings for this feature.

Thanks for contacting Facebook,

[Name removed - Stefan]
Customer Support Representative


This letter strongly implies that the data will only be sent to Facebook with my permission.  I replied explaining that I was not particularly worried about the feeds, which are only shown to friends who I have previously vetted, but that I was more concerned about the silently collected data, particularly the possibility of that data being sold to third parties.  I clarified exactly how I knew that the data was being collected without my permission, (referencing only the javascript actions at that time as I had not had a chance to independently verify my packet capture results), and asked if there was a policy in place to prevent this data from being misused.


The response I received was polite and prompt, but once again only addressed control of the feeds.  Of particular interest, however, was the closing paragraph:


While we do not currently have the functionality you are requesting for this new feature, we appreciate your feedback and we will certainly keep it in mind as we continue to improve the site. Please note that as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook. [Emphasis mine - Stefan]  Let me know if you have any further questions.


[Name removed - Stefan]
Customer Support Representative


The emphasized line is directly contradicted by all of my tests, which have been run multiple times and verified by independent parties.  Now I don't expect the customer support representatives to be intimately aware of the technical workings of their web site's scripting, but they do need to be made aware of the actual privacy impact of a program.  I am continuing the dialog in an attempt to explain the concerns that this raises, because the bottom line is that Facebook is materially misrepresenting the privacy impact of their Beacon program, and presenting users with the appearance of control over their information when in fact they have almost none.


Share this post: Email it! | bookmark it! | digg it! | reddit!


Facebook SocialAds ??? Going Too Far? - CA Security Advisor Research Blog - CA said:

Pingback from  Facebook SocialAds ??? Going Too Far? - CA Security Advisor Research Blog - CA

November 30, 2007 11:20 AM

Jose said:

Thanks for the research. Wow... that's all i can say.

I just downloaded the plug in for Firebox and blocked their becon stuff as per the other blog suggests.

November 30, 2007 9:48 PM

J M Fahey said:

Do you think that Google´s  ORKUT does something similar?

November 30, 2007 10:13 PM

CA Security Advisor Research Blog said:

Following the publication of the last two blogs about Facebook's Beacon program and the data we observed

November 30, 2007 11:18 PM

Oliver Taco said:


I have decided that the more a company protestith too much (google: do no evil) the more likely they are to have something to protest about!


December 1, 2007 7:44 AM

PJ Brunet said:

"Your data will still be sent if you are logged in to Facebook, however, regardless of the choice you make when presented with the opt-out dialog."

Can you elaborate a little?  Does this include your IP address?  The CW article on this says the data gets back to Facebook without your Facebook ID.  But if Facebook wants the data, what do they do with it?  Why do they want this data?  Do they connect it back to you by IP?  

December 1, 2007 12:43 PM

Chris Marino said:

First let me state that Facebook gives me the creeps and anyone that doesn't block their .js ought to have their head examined.

That said, it seems to me that gathering this information while you are not logged in is the proper way to do this.

Assuming that I do want to share my on-line behavior with my friends I'd want that activity to be captured whenever it occurred regardless of being logged in or not.  Then when I am logged in, I can opt-in/out per activity.  Seems pretty logical if you as me.

Otherwise, I've got to be logged in all the time (which might be nice for facebook), or remember to log in before I do anything to be sure that my activity gets captured.  That's silly.

Where would anyone get the idea that this kind of tracking activity would be contingent on being logged in?

The fundamental issue here is opt-in vs. opt-out, and their obfuscated variations. Not when tracking occurs.

December 2, 2007 12:29 PM

penelope said:

Yes, I have some questions -- How does Facebook know that it is *you* on Epicurious and not your mom or little sister? Do they collect data based on the name you use? Or on your IP address? Or because there are cookies stored on your computer? Or by the email that you use on other sites? I don't understand all the technical stuff. can you just use another email or form of your name for all your out-side Facebook stuff? What if your husband or friend looks at pornography on your computer when you are not home? Does that show up as if *you* looked at porn? I don't get how this works. If would be great if someone could answer me here.

December 2, 2007 6:32 PM

geniedren said:


This might help, at least it did for me.


December 3, 2007 8:32 AM

anon said:


This is vitally important research that you have completed and published here!  People have no idea how invasive these violations can be, nor do they realize how dangerous these are to our freedom, our democracy (in the US), and life as we know it.  

Thank you, and keep up the good work.  Readers may also be interested in Bruce Schneier's early comments on facebook privacy:


"Companies like Facebook need to respect the social rules of their sites, to think carefully about their default settings -- they have an enormous impact on the privacy mores of the online world -- and to give users as much control over their personal information as they can.

But we all need to remember that much of that control is illusory."

December 3, 2007 11:55 AM

Neil said:


Great article, first off.

Secondly, there's no need to redact the CSR names.  During my correspondence with them, trying to get my account name changed to not have my last name in it, I found out that their CSRs' names are all fake.

Apparently they value employee privacy, but not user privacy.


December 3, 2007 7:10 PM


We will pay the conseguences due to the lack of privacy of social networks in the next 10 years.

December 5, 2007 10:14 AM

Eric Baillargeon said:

Another concern I've got with FB. A lot of people download their address book directly in FB.

I'd like to know if a person who never get in FB (but was in a address book download) and then go to an Beacon affiliates like Epicurious, what will be happening ? Will the affiliate try to ping FB ?

December 5, 2007 10:26 AM

Ms Ross said:

Can you tell me who the 'affiliated' sites are? is there a list anywhere? I want to make sure that to DO NOT visit their sites or purchase anything from them. EVER!

December 6, 2007 7:26 AM

Winslow Theramin said:

How is this any different from Google Analytics?

December 6, 2007 4:50 PM

Jane said:

I wouldn't bother removing the names from the customer support reps, since they all use aliases anyway.

December 6, 2007 7:06 PM

Rick said:

Has anyone taken a look at the Amazon Honor System? You will be surfing a site and you will find an ad with your name on it - on a non Amazon site, a site you have never before visited. I went to my Amazon account to see if I could turn off this "feature". That effort did not go all that well. Interesting....

December 8, 2007 4:40 PM

Sheesh said:

I just don't get it.  Perhaps because I'm an open book and I don't really give a sh!t what people think or do with my info online.  

Do I care that Blockbuster wants to post a news item on my FB mini-feed? Hell no.  Do I care if I buy something for my wife from Victoria's Secret?  Maybe. But I control my mini-feed so if it finds its way there, I'll delete it.  End of story.  Sheesh.

Does everyone think that Facebook is the first (and only) website or application of the dozens they use each day that has the ability to somehow track "who" you are and what you do?  Hello, website usage statistics?!


Solution: throw up a VMWare session and conduct all your "private" eCommerce transactions in a one-off browser session and be done with it. Hell, that's how I surf my ***.

Just my $0.02 CAD.  ;)

December 11, 2007 4:50 PM

Leave a Comment


About Stefan Berteau

Stefan Berteau is a senior research engineer with CA's Anti-Spyware Research team. He holds a B.S. in Multimedia Design and Development from American University, where his studies concentrated on machine learning and graphics programming. Stefan's research-related interests include automated identification and behavioral analysis of threats, analysis of the complex systems created by botnets, modeling the economics of malware, and cryptography.