The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said.
Facebook's response to Berteau's research has been a brief statement in which it confirms the findings, but says that in the case of logged-off users, deactivated accounts and nonmembers, Facebook deletes the data upon receiving it.
Facebook's admission of Berteau's findings contradicted earlier statements from company officials.
Unsurprisingly, Facebook's reaction -- brief and lacking details -- has done little to calm the concerns and complaints arising from Berteau's research.
"Some say that if you belong to a social-networking site, you've given up your privacy. This shows that Facebook is the one that's really overreaching, collecting a lot of information from all over the place," said attorney Guilherme Roschke, a Skadden Fellow at the Electronic Privacy Information Center (EPIC).
EPIC believes that for this ad program to work properly from a privacy perspective, Facebook needs to give people full control over their information and obtain their explicit permission, Roschke said.
Facebook has declined repeated requests from IDG News Service to address the CA findings, which industry experts believe merit further modifications to Beacon and public comments from Facebook executives.
The tracking and transmission of data from logged-off users and non-Facebook members in Beacon sites "is a real no-no," Sterling said. "It crosses the line of propriety and, arguably, ethics."
Companies like Facebook are wrong to think that they are obtaining informed consent from their users to track them online as long as they place fine-print clauses in privacy policies written in complicated legalese.
"You need to get explicit, active approval for the tracking of your users and if you don't, you shouldn't track them," said Peter Eckersley, staff technologist at the Electronic Frontier Foundation (EFF).
It's also not helping that Facebook is having to reverse itself in light of evidence produced by independent observers like CA. "Facebook isn't being entirely candid about what it's doing and that's what's causing a lot of their problems," Sterling said.
Facebook urgently needs to infuse Beacon with a massive dose of transparency and do a significant transfer of control over the program to end-users, Sterling said.
Other online advertising providers should pay close attention to the mess in which Facebook has gotten itself into. "Everyone doing online tracking needs to be under the same scrutiny," Eckersley said.
A positive outcome from the brouhaha is that it has made people more aware of privacy threats online. "This controversy may help awaken consumers to the fact that [privacy violations] happen on Web sites everywhere all the time," said Beau Brendler, director of Consumer Reports WebWatch.
And awake people must be, considering that just as Facebook is trying to push the envelope of online advertising tracking and profiling, so are many other companies in this market, according to Joseph Turow, a professor at the University of Pennsylvania's Annenberg School for Communication.
"The more competition there is [in online advertising], the more we'll see this happen, and in more subtle ways," Turow said. "Beacon is symptomatic of a larger development in the trajectory of the Web."