In this case, users aren't informed that data on their activities at these sites is flowing back to Facebook or given the option to block that information from being transmitted, according to Berteau, senior research engineer at CA's Threat Research Group.
If a user has ever checked the option for Facebook to "remember me" - which saves the user from having to log on to the site upon every return to it - Facebook can tie his activities on third-party Beacon sites directly to him, even if he's logged off and has opted out of the broadcast. If he has never chosen this option, the information still flows back to Facebook, although without it being tied to his Facebook ID, according to Berteau.
Moreover, Berteau also found that Beacon doesn't limit its tracking to Facebook members. It actually tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts.
In those cases, Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users' IP (Internet Protocol) addresses, although there is no Facebook ID to tie to the data.
The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said.
Facebook's response to Berteau's research has been a brief statement in which it confirms the findings, but says that in the case of logged-off users, deactivated accounts and non-members, Facebook deletes the data upon receiving it.
Facebook's admission of Berteau's findings contradicted earlier statements from company officials.
Unsurprisingly, Facebook's reaction, brief and lacking details, has done little to calm the concerns and complaints arising from Berteau's research.
"Some say that if you belong to a social-networking site, you've given up your privacy. This shows that Facebook is the one that's really overreaching, collecting a lot of information from all over the place," said attorney Guilherme Roschke, a Skadden Fellow at the Electronic Privacy Information Center (EPIC).
EPIC believes that for this ad program to work properly from a privacy perspective, Facebook needs to give people full control over their information and obtain their explicit permission, Roschke said.