Facebook is in hot water again, this time for “Facebook Beacon” which posts your activity at various partner sites to your Facebook newsfeed. Buy a self-help book at Amazon? Your friends will know. Browse some recipes at Epicurious? Your girlfriend might get some idea of what you’re cooking for Valentine’s Day. The fuss is mostly about whether this system is opt-in or opt-out. In fact, this is the best example I’ve seen to date of why the opt-in/opt-out distinction is important.
But the fascinating issue to me is a bit different. It goes back to the question I fear most people never ask themselves about Facebook and other sites like it. Instead of “what can my friends see about me?”, people should be asking themselves “what can Facebook, the company, see about me?” The answer, of course, is “everything you and your friends type in.” With Beacon, it also includes “everything you do at partner sites.”
Interestingly, for the first time, this issue of Facebook’s omniscience seems to be making the headlines, and all because of an interesting technical gotcha. The gotcha is the result of a long sequence of technical decisions that begin with a tip of the hat to Facebook: the Beacon design shows that Facebook deserves credit for trying to protect your privacy (yes, really).
As soon as I heard about the Facebook Beacon system, I asked myself “how do Amazon and Facebook reconcile their databases to post the message to the right profile?” Then I read Jay Goldman’s fantastic reverse-engineering of Beacon. So simple, so elegant, and so obvious that I was surprised I hadn’t thought of it earlier.
So, Facebook, nice work. The fact that you’re protecting my Facebook data from Amazon is welcome, and the press isn’t giving you enough credit for this (likely because they don’t understand it; it is a bit technical, after all).
Of course, no good deed goes unpunished. The technical gotcha with this one-way communication is that Amazon sends the data, via your browser, whether or not you’re logged in to Facebook, and whether or not you’ve opted out of the entire Beacon program. Only when the data reaches the Facebook servers can Facebook decide, based on your preferences, whether to post it. That is what led to the “Facebook gets your data even if you’re logged out!” headlines: the data has to enter the confines of Facebook before Facebook can tell whether it needs to discard it.
There are good reasons to worry about this gotcha: with all of the attorneys general chasing Facebook over child predators, who knows what Facebook feels legally obliged to log. Once the data’s inside the fence, it might fall under some we-must-log-everything policy.
But there’s hope, I think. First, Facebook needs to fully switch to opt-in (they seem to be doing this now). That won’t be enough. They need to deploy even greater technical kung-fu. As it turns out, I think there is a way for them to tweak their technical architecture so that the opt-out is enforced within the user’s browser, before the data penetrates the Facebook enclave. It involves having Amazon run a server that Facebook willingly names amazon.facebook.com, and borrowing some inter-frame airlock and communication techniques from Collin Jackson’s Subspace project, so that two frames within your browser can decide, together, without communicating with the Facebook server, whether the Amazon message should be forwarded to Facebook or not.
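To make the difference between the two architectures concrete, here is an added example (mine, not Facebook’s code and not the Subspace library) that models both data paths. It runs under Node and abstracts the inter-frame channel as a message that carries its sender’s origin; the airlock frame is assumed to be served from facebook.com, the partner frame from a hypothetical amazon.facebook.com, and the user’s opt-out preference is assumed to have been cached client-side by the facebook.com frame at the time the user opted out. The sample event is constructed for the example.

```javascript
// Added example: a model of the Beacon data path as deployed versus the
// in-browser airlock proposed above. Not Facebook's code; not Subspace.
// The frame-to-frame channel is modeled as a message with a sender origin,
// and the opt-out state is assumed to be held client-side by the
// facebook.com frame (an assumption of this example).

// Hypothetical partner host under the Facebook domain, as the post proposes.
const PARTNER_ORIGIN = "https://amazon.facebook.com";

// Stand-in for Facebook's server. It records everything that arrives (the
// "inside the fence" problem) and applies the preference only afterwards.
class FacebookServer {
  constructor(optedOut) {
    this.optedOut = optedOut;  // preference as stored server-side
    this.received = [];        // every event that crossed into Facebook
    this.posted = [];          // events that actually reached the newsfeed
  }
  receive(event) {
    this.received.push(event);
    if (!this.optedOut) this.posted.push(event);
  }
}

// Design 1 (as deployed): the partner page's script sends the event to
// Facebook unconditionally; the opt-out is applied only after receipt.
function beaconAsDeployed(server, event) {
  server.receive(event);
  return { leftBrowser: true, posted: server.posted.includes(event) };
}

// Design 2 (proposed): a gate frame served from facebook.com lives in the
// user's browser, holds the opt-out state locally, and is the only party
// that may talk to the Facebook server. The partner frame can only hand it
// a message; it never sees the Facebook cookie or the preference.
class GateFrame {
  constructor(server, localOptOut) {
    this.server = server;
    this.localOptOut = localOptOut;  // assumed client-side copy of the preference
  }
  // Decide, inside the browser, whether one inter-frame message is forwarded.
  // Messages from any origin other than the partner's own subdomain are
  // rejected, so an unrelated page cannot inject events through the gate.
  onMessage(msg) {
    if (msg.origin !== PARTNER_ORIGIN) {
      return { leftBrowser: false, reason: "unexpected origin " + msg.origin };
    }
    if (this.localOptOut) {
      return { leftBrowser: false, reason: "user opted out; dropped in browser" };
    }
    this.server.receive(msg.data);
    return { leftBrowser: true, reason: "forwarded" };
  }
}

// The partner frame's side of the exchange: post one message to the gate.
function beaconWithAirlock(gate, event, senderOrigin = PARTNER_ORIGIN) {
  return gate.onMessage({ origin: senderOrigin, data: event });
}

// Run both designs for a user who has opted out and report what reached
// Facebook's server in each case.
function compareDesigns(event) {
  const serverA = new FacebookServer(true);
  const a = beaconAsDeployed(serverA, event);
  const serverB = new FacebookServer(true);
  const gate = new GateFrame(serverB, true);
  const b = beaconWithAirlock(gate, event);
  return {
    deployed: { leftBrowser: a.leftBrowser, serverSaw: serverA.received.length, posted: a.posted },
    airlock: { leftBrowser: b.leftBrowser, serverSaw: serverB.received.length },
  };
}

// Constructed sample event of the kind a partner site would emit.
const SAMPLE_EVENT = { action: "purchase", item: "a self-help book", site: "amazon" };

console.log(JSON.stringify(compareDesigns(SAMPLE_EVENT), null, 2));
```

In the deployed design the opted-out user’s event still lands in `received` (and so in whatever Facebook logs) even though it is never posted; in the airlock design the gate drops it before anything leaves the browser, and the server’s `received` list stays empty. The origin check in `onMessage` is the part a practitioner should not skip: once a facebook.com-origin frame is willing to forward messages on behalf of other frames, it must refuse to forward for anyone but the intended partner.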
What this points to is the power of your browser. Your browser contains your logins to various sites. It is your data multiplexer, and Beacon is one of the first applications to attempt to harness it (attackers have been trying to harness it for years, of course). The legitimate techniques will evolve, and not all will be as gentle as Beacon. Yes, Beacon is gentle compared to what could have been implemented. The security and privacy implications will be tremendous, and it’s high time we think about how to prepare browser technology and users to deal with this.