"The first two cases involve the transmission of user data despite 'No thanks' having been selected on the opt-out dialog, and are causes for deep concern. They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication," he wrote in the research note.
If a user has ever checked the option for Facebook to "remember me" -- which saves the user from having to log on to the site upon every return to it -- Facebook can tie his activities on third-party Beacon sites directly to him, even if he's logged off and has opted out of the broadcast. If he has never chosen this option, the information still flows back to Facebook, although without it being tied to his Facebook ID, according to Berteau.
Berteau wasn't able to determine where this data flows to in Facebook. "That's part of the concern here," he said in the interview. He repeated the Epicurious experiment with Kongregate.com, another Beacon-affiliated site, and got similar results.
In e-mail correspondence with Facebook's privacy department, Berteau was told, among other things, that "as long as you are logged out of Facebook, no actions you have taken on other websites can be sent to Facebook."
A similar statement was made by a high-ranking Facebook official on Thursday. In an interview with The New York Times, Chamath Palihapitiya, vice president of product marketing and operations at Facebook, was asked whether Facebook would receive information about a user's purchase if the user declined to broadcast the purchase to his Facebook friends.
His answer: "Absolutely not. One of the things we are still trying to do is dispel a lot of misinformation that is being propagated unnecessarily."
Facebook didn't immediately reply to requests for comment from IDG News Service.