Facebook has said that it deletes the data in all the cases flagged by Berteau: logged-in users who declined the broadcast; logged-off users; former members and non-members.
In his latest note regarding Beacon, published on Thursday afternoon, Berteau, who is senior research engineer at CA's Threat Research Group, commends Facebook for the most recent changes, but reminds the company that it needs to go further.
As long as Beacon silently tracks logged-off users, former members and non-members, people who use Facebook and the sites affiliated with Beacon face a privacy threat, Berteau wrote.
"The silent transmission of data about actions on third-party websites to Facebook poses a serious risk, and must be mitigated by both prominent notice to the user, and a binding commitment on Facebook's part to handle the data properly," Berteau wrote.
If a user has ever checked the option for Facebook to 'remember me' - which saves the user from having to log on to the site upon every return to it - Facebook can tie his activities on third-party Beacon sites directly to him, even if he's logged off and has opted out of the broadcast, Berteau reported in his first note on Beacon.
If the user has never chosen this option, the information still flows back to Facebook, although without it being tied to his Facebook ID. For non-members, Beacon captures addresses of web pages visited, IP addresses and the actions taken on the site.
Berteau has said that it's particularly concerning that people aren't informed that data on their activities at these sites is flowing back to Facebook, and aren't given the option to block that information from being transmitted.
More than 40 websites have signed up for Beacon, although not all have implemented the system. Non-Facebook activities that can be broadcast to one's Facebook friends include purchasing a product, signing up for a service and including an item on a wish list.
In addition to Wednesday's changes, Facebook also modified Beacon last week, prior to Berteau's revelations. In the first set of changes, Facebook responded to complaints that Beacon was too confusing to manage and opt out of. As a result, Facebook made its workings more explicit to Facebook users and simplified the way to nix a broadcast message and opt out of having activities tracked on specific websites.