A Big Win for Privacy Advocates: Facebook Agrees to Shut Down Beacon

Here's a bit of news everybody can celebrate: Facebook has agreed to shut down its Beacon advertising system. Granted, the company has taken this step to settle a class-action lawsuit filed in August 2008 that alleged Facebook and its Beacon affiliates like Blockbuster and Overstock.com violated a series of laws, including the Electronic Communications Privacy Act, the Video Privacy Protection Act, the California Consumer Legal Remedies Act and the California Computer Crime Law.

The proposed settlement, announced last week, calls not only for Facebook to discontinue Beacon, but also back the creation of an independent foundation devoted to promoting online privacy, safety and security. As reported by Computerwold, the money for the foundation will come from a $9.5 million settlement fund.

The Facebook/Beacon case highlights growing concerns about the increasingly sophisticated technologies that are being used to track online activities in an effort to more precisely target advertising. Another truth highlighted in the case: Social networking sites have not exactly been forthcoming about how much user information they harvest, share, and with whom.

The controversy raised by Facebook's use of the Beacon technology - and the subsequent victory of privacy advocates - has helped ignite a larger debate ot the largely hidden and growing problem of online consumer-tracking and information-sharing.

As Pam Dixon executive director of the World Privacy Forum stated at the outset of the lawsuit: "This Facebook debacle is in one way very good, because it shows people just what is happening. There are other sites and other places where very similar data arrangements exist, but it is all happening...One of the things we have been saying about behavioral advertising is that people don't know it's happening...You have to be tremendously technically savvy to know what is happening under the hood."

Facebook's Beacon was released in early November of 2007 as a part of its Facebook Ads platform. It was ostensibly designed to track the activities of Facebook users on more than 44 participating Web sites, and to report those activities back to the users' Facebook friends, unless specifically told not to do so.

The idea is to give participating online companies a way to monitor the activities of Facebook users on their Web sites and to use that information to then deliver targeted messages to the friends of those Facebook users.

As also originally reported in ComputerWorld, the relative lack of disclosure about what was going on - and the relative difficulty involved in opting out of the program - led to a maelstrom of criticism against Facebook. In addition, there were disclosures by a CA Inc. security researcher that showed that Facebook's tracking was far more invasive and extensive that the company originally let on.

Facebook's Beacon tracked the activities of users even if they had logged off from and had declined the option of having their activities on other sites broadcast back to their friends. Likely to be even more damaging was another disclosure that Beacon's tracking did not stop with just those of Facebook users. Rather, it tracks activities from all users in its third-party partner sites, including IP address data of people who never signed up with Facebook or those who deactivate their accounts.

So with that backdrop, one can understand why privacy advocates are celebrating this long overdue decision by Facebook. Computerworld reports:

"Beacon was a disaster, not because it used people's personal information for commercial marketing purposes," said James Grimmelmann, an associate professor at New York Law School. "It was a disaster because it used people's personal information commercially and then rubbed their faces in it, literally."

...

...the stealthy nature of the service, its intrusive tracking of users and the extensive sharing of user information between Facebook and its Beacon affiliates resulted in an outpouring of protest against the service. Though, Facebook tweaked Beacon several times to make it more user-friendly, the concerns persisted. Grimmelmann, for instance, was among the first to question whether Blockbuster was violating the Video Privacy Protection Act when it shared information about a Facebook's users movie choices to others.

The big problem with Beacon was that the information Facebook collected was not being used to help users but to help affiliates sell goods, Grimmelmann sai8d. "It interfered with people's self-presentation, turning them into shills against their will," he said. "Beacon wasn't just illegal, it was a bad idea -- it made it obvious to users that large, impersonal companies were pushing private data around in order to hijack their identities and mess up relationships of friendship and trust."

...

Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center (EPIC), welcomed Facebook's decision. But he said he hopes the settlement in San Jose does not preclude the litigation in Texas, where EPIC has filed a friend-of-the-court brief supporting the plaintiffs. According to Rotenberg, it is almost certain that federal privacy laws were broken if Blockbuster shared information about an individual's movie rental habits with other Facebook users while participating in Beacon.

Click here to read more from the article.

I think what a lot of privacy advocates would like to see Web sites do - and the government should require them to do - is give users as much control over their identities online as they have offline. In other words, if I'm online, I'd like to be asked if I want my personal information to be viewable by others, and by whom, be it their friends or be it everyone in the world.

Privacy settings, which allow for this kind of screening, should be prominent, clear and easily managed. Again, it's really about making the "opt-in" principle the Golden Rule of the web. That means that BEFORE the users information is disseminated he/she should be notified and should have to affirmatively “opt in".