Privacy vs. Omnipotence, Mashups and your browser.

Facebook is in hot water again, this time for “Facebook Beacon” which posts your activity at various partner sites to your Facebook newsfeed. Buy a self-help book at Amazon? Your friends will know. Browse some recipes at Epicurious? Your girlfriend might get some idea of what you’re cooking for Valentine’s Day. The fuss is mostly about whether this system is opt-in or opt-out. In fact, this is the best example I’ve seen to date of why the opt-in/opt-out distinction is important.

But the fascinating issue to me is a bit different. It goes back to the question I fear most people never ask themselves about Facebook and other sites like it. Instead of “what can my friends see about me?”, people should be asking themselves “what can Facebook, the company, see about me?” The answer, of course, is “everything you and your friends type in.” With Beacon, it also includes “everything you do at partner sites.”

Interestingly, for the first time, this issue of Facebook’s omnipotence seems to be making the headlines, and all because of an interesting technical gotcha. The gotcha is a result of a long sequence of technical issues that begin with a tip of the hat to Facebook: the Beacon design indicates that Facebook deserves credit for trying to protect your privacy (yes, really.)

As soon as I heard about the Facebook Beacon system, I asked myself “how do Amazon and Facebook reconcile their databases to post the message to the right profile?” Then I read Jay Goldman’s fantastic Beacon reverse-engineering. So simple, so elegant, and so obvious that I was surprised I hadn’t thought of it earlier.

The reconciliation happens in your browser, of course, since your browser is logged in to Amazon and (most likely) to Facebook. The Amazon HTML includes some JavaScript code that it pulls down from Facebook. This JavaScript code opens up a hidden frame onto Facebook, which recognizes you. There’s some fancy inter-server communication stuff going on (the details are interesting only to folks like me), but the point is that the communication between Amazon and Facebook is mediated by your browser. And the reason Facebook deserves some credit is because this architecture ensures that communication is one-way: the Amazon frame sends data to the Facebook servers, the Facebook frame asks for opt-in, but Amazon never gets any data back. Amazon doesn’t even know if you are a Facebook user, it just throws data over the fence into Facebook, trusting that, if you are a logged-in Facebook user, it will end up on your profile and they’ll get a link back to their site, courtesy of Facebook’s terms of service.

So, Facebook, nice work. The fact that you’re protecting my Facebook data from Amazon is welcome, and the press isn’t giving you enough credit for this (likely because they don’t understand it, it is a bit technical after all.)

Of course, no good deed goes unpunished. The technical gotcha with this one-way communication is that Amazon sends the data, via your browser, whether or not you’re logged in to Facebook, whether or not you’ve opted out of the entire Beacon program. Only when the data hits the Facebook servers can Facebook decide whether to post it or not, based on your preferences. And that’s led to the “Facebook gets your data even if you’re logged out!” headlines. Because the data has to enter the confines of Facebook before Facebook can tell whether it needs to discard it.

There are good reasons to worry about this gotcha: with all of the attorney generals chasing Facebook over child predators, who knows what Facebook feels legally obliged to log. Once the data’s inside the fence, it might fall under some we-must-log-everything policy.

But there’s hope, I think. First, Facebook needs to fully switch to opt-in (they seem to be doing this now). That won’t be enough. They need to deploy even greater technical kung-fu. As it turns out, I think there is a way for them to tweak their technical architecture so that the opt-out is enforced within the user’s browser, before the data penetrates the Facebook enclave. It involves having Amazon run a server that Facebook willingly names amazon.facebook.com, and borrowing some inter-frame airlock and communication techniques from Collin Jackson’s Subspace project, so that two frames within your browser can decide, together, without communicating with the Facebook server, whether the Amazon message should be forwarded to Facebook or not.

What this points to is the power of your browser. Your browser contains your logins to various sites. It is your data multiplexer, and Beacon is one of the first applications to attempt to harness it (attackers have been trying to harness it for years, of course). The legitimate techniques will evolve, and not all will be as gentle as Beacon. Yes, Beacon is gentle compared to what could have been implemented. The security and privacy implications will be tremendous, and it’s high time we think about how to prepare browser technology and users to deal with this.