Facebook and Privacy - Jen's Sweetie and Code Poet

Facebook and Privacy [Dec. 11th, 2007|05:03 pm]

[Still not dead ;) The recent privacy issues with Facebook Beacon have inspired me to post.]

The Beacon sounds like a neat idea. I like being able to share my (dubious) tastes with other people automagically. I like Amazon's wishlists, Last.fm's automatic music tracking, I've flirted (briefly) with Twitter, and played around with some interesting mobile phone tracking tools.

Clearly, I don't mind sharing :) So what's wrong with Beacon?

The problem is that they don't give their users (or anyone) a way to control information leakage. It works roughly like this:
  1. Purchase a product or perform a 'trackable' operation at an affiliated site. (A list of these is available in my first link.)
  2. Some Facebook-provided script is included in the page by the affiliate. This script sends a message to the Beacon web service. It looks something like: "A movie called 'The Matrix' was purchased".
  3. If the user has ever logged into Facebook, the message will have a cookie attached. The message becomes "A movie called 'The Matrix' was purchased by 'Adam'".
  4. If the user has never logged into Facebook, the person associated with the purchase is unknown. However, they will get a cookie of their own. The message becomes "A movie called 'The Matrix' was purchased by '12345'".

This doesn't seem too invasive for the case of a single 'leaked' purchase. However, it becomes more interesting once many different 'beacons' are sent out. Instead of having a single pseudo-anonymous entry ("Someone purchased 'The Matrix'"), they now have a lot more data to work with:
  • eBay is participating. Now you've leaked your eBay ID if you've posted any auctions. That's much easier to link to a real-world identity.
  • Travelocity is also participating. Now you've leaked your travel plans.
  • Check out the link for a more complete list.
They claim that data from users that aren't Facebook members is just discarded. This still isn't acceptable:
  • It requires that we trust a company that doesn't have any reason to have access to personal information anyway.
  • It assumes that they won't change their mind in the future.
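
The flow in steps 1 to 4, and why the "discarded" claim comes down to trust, as a toy model added here for illustration (it is not Facebook's code and not from the original post). `BeaconService`, the `.example` site names, the cookie values and the `discardNonMembers` flag are all assumptions made for the sketch.

```javascript
// Toy model of a third-party beacon service. All names here are hypothetical.
class BeaconService {
  constructor({ discardNonMembers }) {
    this.discardNonMembers = discardNonMembers; // server-side policy, invisible to the browser
    this.members = new Map(); // cookie -> member name
    this.stored = new Map();  // cookie -> [{ site, action }]
    this.seen = 0;            // requests that reached the service
    this.nextId = 12345;      // constructed starting value for pseudonymous IDs
  }
  // The user logs in once; from then on the browser carries a cookie tied to a name.
  login(browser, name) {
    browser.cookie = `member-${name}`; // constructed cookie value
    this.members.set(browser.cookie, name);
  }
  // Steps 2-4: the affiliate's page reports an action and the cookie rides along.
  receive(browser, site, action) {
    this.seen++;
    if (browser.cookie === null) browser.cookie = String(this.nextId++); // step 4
    const isMember = this.members.has(browser.cookie);
    if (!isMember && this.discardNonMembers) return; // only the service knows this happened
    const log = this.stored.get(browser.cookie) ?? [];
    log.push({ site, action });
    this.stored.set(browser.cookie, log);
  }
  // Everything the service can attribute to one browser, across all affiliates.
  describe(browser) {
    const who = this.members.get(browser.cookie) ?? browser.cookie;
    return (this.stored.get(browser.cookie) ?? [])
      .map(e => `${e.action} at ${e.site} by '${who}'`);
  }
}

function simulate(discardNonMembers) {
  const svc = new BeaconService({ discardNonMembers });
  const adam = { cookie: null };    // has logged in before
  const visitor = { cookie: null }; // has never logged in
  svc.login(adam, "Adam");
  for (const b of [adam, visitor]) { // same two affiliate actions from each browser
    svc.receive(b, "movie-shop.example", "purchased 'The Matrix'");
    svc.receive(b, "travel.example", "booked a trip");
  }
  return { seen: svc.seen, adam: svc.describe(adam),
           visitor: svc.describe(visitor), visitorCookie: visitor.cookie };
}

console.log(simulate(false), simulate(true));
```

Under either policy the service receives the same four requests and the non-member still ends up carrying a cookie; the only difference is what the service chooses to keep, which the browser has no way to observe.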

Want to disable this completely? Some helpful person wrote a quick howto for Firefox.