Facebook's Beacon Ad System Also Tracks Non-Facebook Users

— -- If you think that just because you have never signed up for Facebook you're immune to the tracking and collecting of user activities surrounding the popular social networking site, think again.

Facebook's controversial Beacon ad system tracks the activities of all users of its third-party partner sites, including people who have never signed up with Facebook or who have deactivated their accounts, CA (Computer Associates) has found.

Beacon captures detailed data on what users do on the external partner sites and sends it back to Facebook along with users' IP addresses, Stefan Berteau, senior research engineer at CA's Threat Research Group, said today in an interview.

This happens even if users delete the Facebook cookie. "The Facebook JavaScript [code] is still called by the affiliate site, and the information is passed in," he says. In the case of users without accounts or with deactivated accounts, the data isn't tied to a Facebook ID, he says.

IP addresses, however, are well known to provide a variety of information about users, and they have in some cases been used to identify individuals.

The information that Beacon captures includes the addresses of Web pages the user visits, and a string with the action taken in the partner site, Berteau says.

CA has tested Beacon partner sites Epicurious.com, which focuses on food, and Kongregate.com, which focuses on video games, he says. More than 40 sites have signed up for Beacon, although not all of them have implemented it.

Berteau's colleague Benjamin Googins posted an article with some suggestions for users who want to protect themselves from the Beacon tracking.

It's important for Facebook and the partner sites participating in Beacon to alert users about the data being captured and passed back to Facebook, Berteau says.

"There is, to a certain extent, a privacy concern with the affiliate site, in that it's important for them to disclose that they'll be sending information about user actions to Facebook," he says.

While Web users' activities are already tracked in various ways for different purposes, most commonly with tracking cookies in banner ads, the Beacon implementation is one that Berteau has never come across before in terms of the details of users' actions that it can capture and send back.

These latest findings build on Berteau's report last week that even if they are logged off from Facebook and previously declined having their activities reported back to their Facebook friends.

Over the weekend, , but said that it deletes the data it receives under these circumstances.

Still, Friday's findings deepened the privacy concerns surrounding Beacon since its introduction several weeks ago. And the admission Monday added to the concerns, since it contradicted what had, until then, been the official company line about the issue.

CA's research, which is ongoing, has demonstrated that Beacon is more intrusive and stealthy than previously acknowledged and imagined.

Beacon is a major part of the Facebook Ads platform that Facebook introduced with much fanfare several weeks ago. Beacon tracks certain activities of Facebook users on participating Web sites, including those of Blockbuster and Fandango, and reports those activities to the user's set of Facebook friends, unless told not to do so.

Off-Facebook activities that can be broadcast to one's Facebook friends include purchasing a product, signing up for a service, and adding an item to a wish list.

The program has been blasted by groups such as MoveOn.org, as well as by individual users who have unwittingly broadcast information about recent purchases and other Web activities to their Facebook friends.

On Thursday night Facebook tweaked Beacon to make its workings more explicit to Facebook users, and to make it easier for users to nix broadcast messages and opt out of having their activities tracked on specific Web sites. Facebook didn't go all the way to providing a general opt-out option for the entire Beacon program, as some had hoped.

Then on Friday, just hours after Facebook had scored some points with its modifications to Beacon, Berteau published his note about Beacon's previously unknown ability to monitor logged-off users' activities and send the data back to Facebook.

Users aren't informed that data on their activities at these sites is flowing back to Facebook, nor are they given the option to block that information from being transmitted, Berteau said at the time.

If users have ever checked the option for Facebook to "remember me"--which saves users from having to log on to the site upon every return to it--Facebook can tie their activities on third-party Beacon sites directly to them, even if they're logged off and have opted out of the broadcast. If they have never chosen this option, the information still flows back to Facebook, although with no tie to their Facebook ID, according to Berteau.

Berteau plans to post another note at some point Monday evening detailing his latest findings.

Facebook didn't immediately reply to a request for comment.

Berteau says, however, that he shared this latest finding with Facebook officials, and that they told him that Facebook deletes data that comes in from non-Facebook users and from deactivated accounts.

Berteau says he is encouraged that the Facebook officials he talked to seemed truly interested in his findings, and he believes that Facebook will make changes to address the privacy concerns his research raises.