Update: Three weeks is a long time on the Internet. It was on Nov. 6 that I raised the question: Is Facebook Beacon a Privacy Nightmare? Three days later, my next post, Facebook’s Cruel Intentions, elicited a response from the Palo Alto, Calif.-based company, which clarified its position. But soon after, the situation got a bit out of control. MoveOn.org got involved and the whole thing started to look like a major PR disaster.
In a classic example of marketing doublespeak, the company saw privacy concerns as an issue in the minds of pundits. (Never heard them complain about pundits praising their “innovations.”) A few hours later, the Palo Alto-based company outdid John Kerry when it came to flip-flopping and announced what are being perceived as big changes to the Beacon system. Why? Because it was not the pundits, but instead Facebook users who were up in arms about it. Facebook finally backed down, more or less acquiescing to the demands of those concerned about its seemingly blatant abuse of privacy of its fast-growing user base. Now you are explicitly asked whether to publish or not publish the information that is being innocuously called “stories.” There doesn’t seem to be a universal opt-out, however.
Regardless, I think it is laudable that Zuckerberg’s crew is at least listening to its community and responding accordingly. [FAQ on New Beacon] Of course, the cynical take on this would be: it isn’t the last time they are going to test the outer limits and see what they can get away with. And how many of these changes were instituted to ensure that the potential advertising partners don’t get scared, putting the future revenue streams at risk? (Maybe the Beacon flip-flop was influenced by the fact that Facebook was negotiating to get a $60 million investment from Li Ka-Shing, the Chinese tycoon who has previously made a killing with his tech investments.)
There is one issue that remains unanswered. During my initial inquiries, I asked the company executives whether Facebook continues to collect data even if that data (stories, if you may) isn’t published. They assured me that is not the case, and gave me written and verbal assurances. Those doubts have resurfaced, largely because of the language used by Facebook in their statement regarding changes to Beacon.
If a user does nothing with the initial notification on Facebook, it will hide after some duration without a story being published. When a user takes a future action on a Beacon site, it will reappear and display all the potential stories along with the opportunity to click “OK” to publish or click “remove” to not publish.
Following their argument, unless they are storing the information being sent to Facebook from the partner sites, it is unlikely that “all the potential stories” could reappear at a later stage. They can’t be auto-magically recreated from thin air.
Users will have clear options in ongoing notifications to either delete or publish. No stories will be published if users navigate away from their home page. If they delay in making this decision, the notification will hide and they can make a decision at a later time.
If you decide to opt out completely, you are in the clear, but if you forget to do so, and take no action, then the Facebook system will keep collecting data. In other words, Beacon continues to do its job — collect information from partner sites and also fine-tune the advertising system. From that perspective, nothing has really changed. Except perhaps the public perception that Facebook listens to its community.
Update: CA Security Advisor Research Blog has tangible proof and details on information flowing back to Facebook from partner sites.