Facebook Privacy: Site Confirms It Tracks You After You Leave
Congress, the FTC, privacy groups asking questions.
Nov. 16, 2011 -- In recent weeks, Facebook has been wrangling with the Federal Trade Commission over whether the social media website is violating users' privacy by making public too much of their personal information.
Far more quietly, another debate is brewing over a different side of online privacy: what Facebook is learning about those who visit its website.
Facebook officials are now acknowledging that the social media giant has been able to create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days. Facebook also keeps close track of where millions more non-members of the social network go on the Web, after they visit a Facebook web page for any reason.
To do this, the company relies on tracking cookie technologies similar to the controversial systems used by Google, Adobe, Microsoft, Yahoo and others in the online advertising industry, says Arturo Bejar, Facebook's engineering director.
Facebook's efforts to track the browsing habits of visitors to its site have made the company a player in the "Do Not Track" debate, which focuses on whether consumers should be able to prevent websites from tracking the consumers' online activity.
For online business and social media sites, such information can be particularly valuable in helping them tailor online ads to specific visitors. But privacy advocates worry about how else the information might be used, and whether it might be sold to third parties.
New guidelines for online privacy are being hashed out in Congress and by the World Wide Web Consortium, which sets standards for the Internet.
If privacy advocates get their way, consumers soon could be empowered to stop or limit tech companies and ad networks from tracking them wherever they go online. But the online advertising industry has dug in its heels, trying to retain the current self-regulatory system.
Online tracking involves technologies that tech companies and ad networks have used for more than a decade to help advertisers deliver more relevant ads to each viewer. Until now, Facebook, which makes most of its profits from advertising, has been ambiguous in public statements about the extent to which it collects tracking data.
It contends that it does not belong in the same camp as Google, Microsoft and the rest of the online ad industry's major players. Facebook CEO Mark Zuckerberg made this point to interviewer Charlie Rose on national TV last week.
For the past several weeks, Zuckerberg and other Facebook officials have sought to distinguish how Facebook and others use tracking data. Facebook uses such data only to boost security and improve how "Like" buttons and similar Facebook plug-ins perform, Bejar told USA TODAY. Plug-ins are the ubiquitous web applications that enable you to tap into Facebook services from millions of third-party web pages.
Facebook spokesman Andrew Noyes says the company has "no plans to change how we use this data." He also says the company's intentions "stand in stark contrast to the many ad networks and data brokers that deliberately and, in many cases, surreptitiously track people to create profiles of their behavior, sell that content to the highest bidder, or use that content to target ads."
Conflicting pressures
Rather than appease its critics, Facebook's public explanations of how it tracks and how it uses tracking data have touched off a barrage of questions from technologists, privacy advocates, regulators and lawmakers around the world.
"Facebook could be tracking users without knowledge or permission, which could be an unfair or deceptive business practice," says Rep. Ed Markey, D-Mass., co-sponsor with Rep. Joe Barton, R-Texas, of a bill aimed at limiting online tracking of children.
The company "should be covered by strong privacy safeguards," Markey says. "The massive trove of personal information that Facebook accumulates about its users can have a significant impact on them — now and into the future."
Noting that "Facebook is the most popular social media website in the world," Barton adds, "All websites should respect users' privacy."
After Zuckerberg appeared on the Charlie Rose TV show last week, Markey and Barton sent a letter to the 27-year-old CEO asking him to explain why Facebook recently applied for a U.S. patent for technology that includes a method to correlate tracking data with advertisements. They gave Zuckerberg a Dec. 1 deadline to reply.
"We patent lots of things, and future products should not be inferred from our patent application," Facebook corporate spokesman Barry Schnitt says.
Facebook is under intense, conflicting pressures.
It must prove to its global financial backers that it is worthy of the hundreds of millions of dollars they've poured into the company, financial and tech industry analysts say. Those investors include Microsoft, Goldman Sachs, the Russian investment firm Digital Sky Technologies, Hong Kong financier Sir Ka-shing Li and venture capitalist Peter Andreas Thiel.
The success of the company's initial public offering of stock, expected sometime next year, hinges in part on Facebook's ability to move beyond the bread-and-butter text ads that appear on members' home pages and emerge as a key player in graphical display ads and corporate brand marketing campaigns, says Rebecca Lieb, advertising media analyst at the Altimeter Group.
In advertising, knowing more about consumers' preferences is key. "More data means better targeting, which means more revenue," says Marissa Gluck, managing partner of the media consulting firm Radar Research.
To meet rising expectations, Facebook must increase its annual revenue, now estimated at about $4 billion, by double-digit percentage points for years to come, Gluck says. The company is striving to keep its options open to do this. In doing so, it is bumping into pressure from critics who are concerned that leaving online privacy standards entirely in the hands of corporations might not be the best idea.
Ground rules needed
Companies are incorporating tracking data into new business models "without necessarily appreciating the long-term and collective consequences," says Craig Spiezle, executive director of the non-profit Online Trust Alliance.
Last week, consumer reporter Ric Romero of station KABC in Los Angeles showed how insurance companies monitor Facebook and Twitter, looking for reasons to raise premiums and deny claims. Previously, ABC News reporter Lyneka Little reported on how employers use Facebook information as part of the recruitment process.
Meanwhile, researchers at AT&T Labs and Worcester Polytechnic Institute have documented how tracking data culled from Internet searches and surfing can be meshed with personal information that Internet users disclose at websites for shopping, travel, health or jobs. Personal disclosures made on social networks, along with preference data gathered by new apps for smartphones and tablet PCs, are being tossed into this mix, too.
Privacy advocates worry that before long, corporations, government agencies and political parties could routinely purchase tracking data from data aggregators.
"Tracking data can be used to figure out your political bent, religious beliefs, sexuality preferences, health issues or the fact that you're looking for a new job," says Peter Eckersley, technology projects director at the Electronic Frontier Foundation. "There are all sorts of ways to form wrong judgments about people."
So far, it does not appear that this sort of data correlation is being done, at least not on a wide scale. But in the absence of ground rules, technologists, regulators and privacy advocates worry that companies involved in collecting tracking data could succumb to the temptation to cash in.
Says Michael Fertik, founder and CEO of Reputation.com: "We can only imagine that an advertising company with a richer trove of data will sell more and more of that data."
Facebook's trove of data
Facebook for the first time revealed details of how it compiles its trove of tracking data in a series of phone and e-mail interviews conducted by USA TODAY with Bejar, Noyes and Schnitt, as well as engineering manager Gregg Stefancik and corporate spokeswoman Jaime Schopflin. Here's what they disclosed:
• The company compiles tracking data in different ways for members who have signed in and are using their accounts, for members who are logged off and for non-members. The tracking process begins when you initially visit a facebook.com page. If you choose to sign up for a new account, Facebook inserts two different types of tracking cookies in your browser, a "session cookie" and a "browser cookie." If you choose not to become a member, and move on, you only get the browser cookie.
• From this point on, each time you visit a third-party webpage that has a Facebook Like button, or other Facebook plug-in, the plug-in works in conjunction with the cookie to alert Facebook of the date, time and web address of the webpage you've clicked to. The unique characteristics of your PC and browser, such as your IP address, screen resolution, operating system and browser version, are also recorded.
• Facebook thus compiles a running log of all your webpage visits for 90 days, continually deleting entries for the oldest day and adding the newest to this log.
If you are logged on to your Facebook account and surfing the Web, your session cookie conducts this logging. The session cookie additionally reports your name, e-mail address, friends and all data associated with your profile to Facebook. If you are logged off, or if you are a non-member, the browser cookie conducts the logging; it additionally reports a unique alphanumeric identifier, but no personal information.
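The mechanism described above can be audited from a capture of a browser's own requests. The following is an added example, not part of the original article and not Facebook's code: it classifies each plug-in request by which cookie accompanies it and rebuilds the 90-day log such a host could hold. The host name, the cookie names `session_id` and `browser_id`, and the sample requests are constructed assumptions, and the visited page's address is assumed to arrive in the Referer header.

```javascript
// Constructed sample: requests a browser made while loading third-party pages.
// PLUGIN_HOST and the cookie names are hypothetical, chosen for illustration.
const PLUGIN_HOST = "plugins.social.example";
const RETENTION_DAYS = 90;

const requests = [
  { time: "2011-08-01T09:00:00Z", url: "https://plugins.social.example/like", referer: "https://news.example/politics", cookie: "browser_id=b7f3; session_id=s991" },
  { time: "2011-11-10T14:30:00Z", url: "https://plugins.social.example/like", referer: "https://health.example/clinic-finder", cookie: "browser_id=b7f3" },
  { time: "2011-11-12T08:15:00Z", url: "https://plugins.social.example/like", referer: "https://jobs.example/listings", cookie: "browser_id=b7f3; session_id=s991" },
  { time: "2011-11-12T08:16:00Z", url: "https://cdn.other.example/app.js", referer: "https://jobs.example/listings", cookie: "" },
  { time: "2011-11-13T10:00:00Z", url: "https://plugins.social.example/like", referer: "https://shop.example/cart", cookie: "" },
];

// Split a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Classify what one plug-in request discloses about the visit.
function classify(req) {
  if (new URL(req.url).hostname !== PLUGIN_HOST) return null; // not a plug-in load
  const jar = parseCookies(req.cookie || "");
  const linkage = jar.session_id ? "identified" // logged-on member: tied to a profile
    : jar.browser_id ? "pseudonymous"           // logged off or non-member: identifier only
    : "no-cookie";                              // cookies withheld from the plug-in host
  return { time: req.time, page: req.referer || null, linkage, id: jar.session_id || jar.browser_id || null };
}

// Rebuild the rolling log the plug-in host could hold as of `now`:
// entries older than RETENTION_DAYS have been dropped.
function buildLog(reqs, now) {
  const cutoff = new Date(now).getTime() - RETENTION_DAYS * 24 * 3600 * 1000;
  return reqs.map(classify)
    .filter((e) => e && e.page && new Date(e.time).getTime() >= cutoff);
}

const log = buildLog(requests, "2011-11-16T00:00:00Z");
for (const e of log) console.log(e.time, e.linkage.padEnd(12), e.page);
```

The last sample request shows the effect of withholding cookies from the plug-in host: the page address and time still reach it, but no stored identifier ties the visit to earlier ones.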
Bejar acknowledged that Facebook could learn where specific members go on the Web when they are logged off by matching the unique PC and browser characteristics logged by both the session cookie and the browser cookie.
He emphasized that Facebook makes it a point not to do this. "We've said that we don't do it, and we couldn't do it without some form of consent and disclosure," Bejar says.
Bejar also acknowledged "technical similarities" in the cookie-based tracking technologies used by Facebook and the wider online advertising industry. "But we're not like ad networks at all in our stewardship of the data, in the way we use it, and the way we lay everything out," Bejar says. "We have a very clear and transparent approach to how we do advertising that I'm very proud of."
Even so, Facebook's public descriptions of its tracking systems have not satisfied some critics — particularly European privacy regulators. Ilse Aigner, Germany's minister of consumer protection, last month banned Facebook plug-ins from government websites and advised private companies to do the same.
And Thilo Weichert, data protection commissioner in the German state of Schleswig-Holstein, expressed alarm at how Facebook's technology could potentially be used to build extensive profiles of individual Web users.
"Whoever visits Facebook or uses a plug-in must expect that he or she will be tracked by the company for two years," Weichert said in a statement. "Such profiling infringes German and European data protection law."
Adding fuel to such concerns, Arnold Roosendaal, a doctoral candidate at Tilburg University in the Netherlands, and Nik Cubrilovic, an independent Australian researcher, separately documented how Web pages containing Facebook plug-ins carried out tracking more extensive than Facebook publicly admitted to.
Noyes says Germany doesn't understand how the company's tracking technologies work. And he blames "software bugs" for the indiscriminate tracking discovered by Roosendaal and Cubrilovic.
"When we were made aware that certain cookies were sending more information to us than we had intended, we fixed our cookie management system," Noyes says.
However, researcher Roosendaal says Facebook's tracking cookies retain the capacity to extensively track non-members and logged-off members alike. "They have been confronted with the same issue now several times and every time they call it a bug. That's not really contributing to earning trust."
Some corporate security executives have become concerned about cybercriminals getting hold of tracking data relayed by Like buttons, then using that intelligence to steal intellectual property. They've asked firewall supplier Palo Alto Networks to identify and block traffic from Facebook tracking cookies, while enabling their employees to continue using other Facebook services.
"The concern is that Facebook has rich personal information, which Google doesn't have," says Nir Zuk, founder and chief technology officer for Palo Alto Networks. "Combining that personal information with Web browsing patterns could be revelatory."