Is Facebook Beacon a Privacy Nightmare?

from GigaOM by Om Malik

Mark Zuckerberg & Co. stood up in front of the advertising community in New York today and unveiled Facebook Ads, an ad system that allows companies to use the Facebook social graph and to develop highly targeted ads. Large brands such as Coca-Cola (KO), Sony Pictures (SNE) and Verizon (VZ) have signed on for this effort. Part of the engine powering this new ad system is called Beacon, which takes data from 44 web destinations and mashes it up with Facebook's internal information to help build more focused advertising messages.

While it seems to be a clever idea, a quick review reveals that Beacon might turn out to be a privacy hairball for the company.

The 44 sites that have partnered with Facebook include everyone from Kongregate, LiveJournal, NYTimes (NYT), Sony Online, Blockbuster (BBI), Bluefly.com, STA Travel, The Knot, TripAdvisor, Travel Ticker, TypePad, viagogo, Vox, Yelp, WeddingChannel.com and Zappos.com.

These partner sites put a little a piece of Facebook javascript on their web site and certain information, cleverly (and innocuously) labeled as a user alert, is sent to Facebook. For instance, Fandago users can publish information about the movies they saw. It all seems like a clever idea because it lets Facebook triangulate your likes and dislikes even more, and deliver more focused ads.

Facebook Beacon provides advanced privacy controls so Facebook users can decide whether to distribute specific actions from participating sites with their friends.

Reading that line prompted the following questions, which I put to Facebook:

1. Can consumers opt out of this?
2. If yes, does their data get erased?
3. Will the sites for example, Fandango, stop sending all personal and any kind of information to Facebook once the user opts out?
4. Why didn't they make this an opt-in feature, instead of being an opt-out feature?

Their PR spokesperson emailed me this response:

Users can opt-out of Beacon on a per-site basis. They can opt-out for each action, or they can opt-out to never have an affiliated site send stories to Facebook. For instance, a user that buys The Notebook from Blockbuster can stop a story from being published about it, or she can opt-out of having Blockbuster publish any actions she takes on the Blockbuster site.

The response doesn't seem to answer my questions and basically makes it seem like users have control over this data, when in reality, this is a privacy disaster waiting to happen. The javascript on the Fandango site pops up a little screen which asks if you want to publish the information on Facebook. If you say no, your friends won't see the information, but apparently Facebook still receives it. This means that if you are a Facebook member, Facebook will know what you are doing on each of their partner sites. And there is no way for you to opt out of that. Or is there? I asked Facebook to clarify and I am still waiting for them to write back.

As for the rest of their announcement, while long and elaborate, it doesn't contain any information we haven't already seen. MySpace (NWS) has been doing brand specific-pages for a while now, in addition to using other targeting techniques.