Facebook Beacon: yes, they should know better

Via Slashdot I see that folks are finding new things to dislike about Facebook's privacy-threatening Beacon initiative. This PC World article relates that Beacon transmits data from Epicurious back to Mr. Zuckerberg & friends even when the user is logged out of Facebook.

My first thought was that this objection might be silly: if Epicurious is serving the Javascript that sends the AJAX request (via some sort of XSS technique) there should be no way for Epicurious to detect whether a user is logged into FB or not. Doing so would violate all sorts of other, more important security principles — the sorts of ones that prevent me from writing some Javascript to, say, have this page read that open Gmail session one tab over and report its contents back to my hidden lair.

But sure enough, the Beacon Javascript is being served from Facebook.com, which means that your session cookies are perfectly available to it. Epicurious pulls the Beacon code from the following URL:

http://facebook.com/beacon/beacon.js.php?source=5194643289

And yeah, it serves exactly the same code regardless of whether my browser is logged into FB or not.

So this story's legitimate: Facebook could turn off Beacon for logged-out users with something as simple as two lines in .htaccess. Based on this example, here's a snippet that would check for Facebook's h_user cookie, if they wanted to:

# No h_user session cookie anywhere in the request's Cookie header (case-insensitive)...
RewriteCond %{HTTP_COOKIE} !^.*h_user.*$ [NC]
# ...so serve a harmless script instead of the real beacon and stop processing rules.
RewriteRule .* /innocuous-javascript-for-logged-out-users.js [NC,L]
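
The same logged-out check as a small WSGI handler, added here as an example that is not part of the original post or of Facebook's code; it assumes the session cookie is named h_user as described above, and uses constructed placeholder script bodies. It also shows why the substring match in the mod_rewrite condition is looser than a check on the parsed cookie name.

```python
"""Added example: the logged-out check for beacon.js.php, done in WSGI.

Assumptions (not from the original post): the session cookie is named
h_user; BEACON_JS and INNOCUOUS_JS are constructed placeholders."""
from http.cookies import CookieError, SimpleCookie
import re

# Constructed stand-ins for the two responses the RewriteRule chooses between.
BEACON_JS = "/* beacon script for logged-in users (placeholder) */"
INNOCUOUS_JS = "/* innocuous script for logged-out users (placeholder) */"

# The mod_rewrite condition, translated literally: a plain substring match.
LOOSE_RE = re.compile(r"^.*h_user.*$", re.IGNORECASE)


def has_session_loose(cookie_header: str) -> bool:
    """Mimics 'RewriteCond %{HTTP_COOKIE} ^.*h_user.*$ [NC]': matches the
    substring anywhere, including inside another cookie's value."""
    return bool(LOOSE_RE.match(cookie_header))


def has_session_strict(cookie_header: str) -> bool:
    """Parses the Cookie header and requires a cookie *named* h_user
    with a non-empty value; malformed headers count as logged out."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return False
    morsel = jar.get("h_user")
    return morsel is not None and morsel.value != ""


def beacon_app(environ, start_response):
    """WSGI handler: serve the beacon only to requests carrying a session.
    The response varies by cookie, so forbid shared caching of it."""
    body = BEACON_JS if has_session_strict(environ.get("HTTP_COOKIE", "")) else INNOCUOUS_JS
    start_response("200 OK", [("Content-Type", "application/javascript"),
                              ("Cache-Control", "private, no-store"),
                              ("Vary", "Cookie")])
    return [body.encode()]


def serve(cookie_header: str) -> str:
    """Run beacon_app on a constructed request and return the body text."""
    def start_response(status, headers):
        pass
    return b"".join(beacon_app({"HTTP_COOKIE": cookie_header}, start_response)).decode()
```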

There's little choice but to conclude that Facebook is simply acting greedily: they decided to help themselves to as much affiliate data as possible. Even if actions by logged-out users are never made public, I suspect that FB stores them somewhere for analysis. I'm sure that advertisers like that approach, but users are understandably less than sanguine about Facebook running in zombie mode even after they've tried to log out of it.