Facebook tracking puzzlement
December 13, 2007 7:42 AM   Subscribe

How does Facebook's new Beacon feature work?

Recently Facebook installed this feature called Beacon that sends information from affiliated websites to your Facebook profile even when you're logged out of Facebook and heck, even if you've never registered with Facebook (as explained in this article).

What I haven't found anywhere is a thorough explanation of exactly how the new Beacon feature knows how to associate you with your Facebook profile - which seems to be the useful part of the feature. You want what your friends want right? But how does Beacon make the leap from the raw data to your profile? What sort of information do they use to make the match? Your name? Email?

I suppose if you're the sole user of a computer the gathering of data is straightforward enough but suppose you have multiple Facebook profiles? Or several people use the same computer? Or I don't have a Facebook profile but my friend who visits occasionally and uses my computer does? It's one thing associating your own information with your own information, but is it possible that the two could become mixed up? What happens when Facebook says I purchased "One Night in Paris" to all my friends, but I actually didn't?
posted by tastycracker to Computers & Internet (14 answers total) 1 user marked this as a favorite
I'm betting it's email-address based, which helps explain why I never saw its effects (I use my school alumni e-mail address for facebook, but nowhere else.)
posted by Tomorrowful at 7:47 AM on December 13, 2007

A "beacon-enabled" website loads a javascript file from facebook. That file knows who you are based on your facebook cookie. It then sends back information to facebook about what it is that you're looking at, and allows the third party site to do their magic as well.

Other information is then available to the third party via the facebook API, as the cookie has told them who you are.
posted by Tacos Are Pretty Great at 7:51 AM on December 13, 2007

Here's a technical discussion of how it works.
posted by smackfu at 7:53 AM on December 13, 2007 [1 favorite]

Specifically, if you've never registered with Facebook or you're logged out, Facebook "only" gets your IP address and purchase info.

Sadly, most companies consider your IP address to be not personally identifiable information.

See my blog posts What's the big fuss about IP addresses and Google has your logs (and all it took was a fart lighting video) for some more discussion of this, all of which applies to Facebook as easily as it does to Google.
posted by Caviar at 8:16 AM on December 13, 2007

What happens when Facebook says I purchased "One Night in Paris" to all my friends,

Yeah... I choose to turn it off to protect my privacy.

I use Ad Block in Firefox plus to disable Beacon:

posted by Slenny at 8:16 AM on December 13, 2007 [2 favorites]

Note that Facebook has changed the feature two times since the initial release. It changed from opt-out to opt-in, then to let you disable it completely. So you can now disable it within Facebook, where you couldn't before.
posted by smackfu at 8:33 AM on December 13, 2007

Also note that doing so doesn't prevent that information from being sent to Facebook, it only prevents Facebook from sharing it with your friends.
posted by Caviar at 9:31 AM on December 13, 2007

"See my blog post[] What's the big fuss about IP addresses"

...and feel free to disregard every fear-mongering word of it.

We have a lot bigger privacy-fish to fry than whether or not it's theoretically possible for some unknown malevolent characters to link a massive collection of variable, 32-bit numbers to individuals for their nefarious purposes. If/when we get to the point where anyone has the computing power to mine this data on a large scale and with any sort of consistent accuracy we'll have some other (far more serious) computer and personal security issues to deal with first.

More on topic, the comments above are correct... Javascript pulled from Facebook's servers read your "keep me logged in" facebook cookie and combine it with info from the site itself, it then sends the info back to the mothership where your friends are all alerted that you just bought metamucil and an family-size pack of laxatives.

In addition to Slenny's suggestion of just blocking the javascript entirely (I prefer the noScript extension to AdBlock), I also encourage folks who don't like this to stop shopping with anyone cooperating with Facebook here and send them a note explaining why.
posted by toomuchpete at 2:14 PM on December 13, 2007

I was very curious about this as well, and was fortunate enough to come across this explanation called "Deconstructing Facebook Beacon JavaScript". It's very readable (at least to me as a coder).
posted by phearlez at 2:35 PM on December 13, 2007

Which reminds me: where/how in Facebook does one turn this "feature" off?
posted by DarlingBri at 3:51 PM on December 13, 2007

DarlingBri: Here
posted by smackfu at 5:54 PM on December 13, 2007

Response by poster: thanks for all your comments...the privacy aspect of it doesn't really concern me, i was more interested in how the program seems to assume that all shopping/website activity must somehow be linked to your facebook account (i.e. you are you the one doing all that shopping) when in reality a single computer can have many users. if the data matchup of the feature is solely based upon the fact you have a facebook cookie on your computer, that seems to decrease the effectiveness of the feature - which is to get you to buy what your friends buy, not what your friend's parents/siblings/relatives bought, or a total stranger (say if you accidentally left your self logged on facebook at a public computer). or perhaps facebook doesn't care about that aspect, they just want to put as much advertising on your profile regardless of whether it's actually related to you or not (which i think is the disturbing and greedy part). i wonder if you can pick and choose and delete single purchases once they've been posted to facebook.
posted by tastycracker at 6:22 PM on December 13, 2007

Since it doesn't answer your question, I won't get into a long discussion rebutting toomuchpete's criticism, but feel free to contact me privately if you want to get into it.
posted by Caviar at 7:06 PM on December 14, 2007

tastycracker: If I were inventing this feature, I would feel pretty safe assuming that someone who says 'leave me logged in' was the only user of the computer. Every time you check that box, they give you a little warning popup (and have done forever, AFAIRemember) saying that doing this gives access to your account to anyone else using the computer. And I wouldn't really care about the effect it might have on people who just randomly leave themselves logged in anyway - if you're that careless about your online security/identity, you can suck it up when it gets compromised/confused with others.
Also, I'm pretty sure you can remove individual items once they've been posted by Beacon, yes.
posted by jacalata at 12:58 AM on December 15, 2007

« Older Best value for storage on an MP3 player?   |   Help me find a direction for my website. Newer »
This thread is closed to new comments.