Time to ditch the Facebook login: If customers' data should be protected, why hand it over to Zuckerberg?
How The Social Network and its partners use that info is a total black box
Comment Mark Zuckerberg recently endured a grilling from the US Congress over Facebook's inability to stop bleeding user data. A week later, investors rewarded his company with a $50bn increase in its market capitalisation on news that – surprise! – a massive userbase pays big dividends.
Sure, Cambridge Analytica got the headlines, but there's a less reported side to Facebook data sharing. That is, when companies – retailers, travel sites, banks, media and a plethora of apps – invite you to take the oh-so-simple and hassle-free step of logging into their application or service using your Facebook credentials.
Convenience for a price
Of course, the reason we use things like Facebook Login is convenience, both for the site developer and the end user. Rather than create a user name and password for every random website, developers can simply piggyback on Facebook's (or Google's) generosity.
For its part, Facebook will happily tell you why it's a great idea for developers. Take Skyscanner, for example: "Using Facebook's Analytics for Apps cohort analysis, the team improved their onboarding messages for new launches based on the 'first launch to search' patterns of their cohorts, thus increasing Facebook logins by 2X."
Facebook's login-to-other-sites service lets scum slurp your stuffREAD MORE
Or maybe not. If you're a consumer, it can become unwieldy to detangle from the social login morass. As Baratunde Thurston puts it: "If I never used Twitter again, I'd still be a Twitter user, because the company is like the school janitor with a fat ring of jangling keys to various doors in my online life."
Facebook is the most-used social login tool by far, with far more "jangling keys" just waiting for some hacker to infiltrate, even long after you've used Facebook Login.
If you're a retailer like Safeway, for example, and you use Facebook Login, you're not only using Facebook to authenticate users, you're giving all that user data back to Facebook – and Facebook's partners. Does Facebook really need to know that your customer likes to order merguez sausage on Fridays and beer and ice cream on Tuesdays? Nope.
What about its "partners"? Definitely not. But will they? Oh yes. In the wake of the Cambridge Analytica scandal, Facebook now assures us that it is going to limit how much data its partners get (user's name, profile photo, and email address upfront, with access to Facebook posts upon further permission), will restrict access to a user's data once they stop using the partner's app, and will have to get Facebook's permission for additional information.
While this sounds good, it's not clear how Facebook actually plans to audit its partners to ensure compliance, and beyond saying the partners "will sign a contract", it's not really clear how tight the restrictions will be anyway. This is, after all, Facebook, and a strict focus on user privacy is hardly what it's known for.
Additionally, while Facebook claims to be tightening access to personal data for its partners, there's apparently no limit on its own appetite. How Facebook will use that data – perhaps to enrich a profile and then serve ads from a competitor? – is a black box to the businesses using Facebook Login, and an even "blacker box" for consumers.
Not to worry. It gets worse.
Sneaking in the Facebook Login front door
Researchers Steven Englehardt, Gunes Acar and Arvind Narayanan recently published a report saying how Facebook Login (and its Google equivalent) are a honey pot for "the exfiltration of personal identifiers". The Reg covered it here.
As the report explains:
When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site. We found seven scripts collecting Facebook user data using the first party's Facebook access... Most of them grab the user ID, and two grab additional profile information such as email and username.
The user ID collected through the Facebook API is specific to the website... which would limit the potential for cross-site tracking. But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices.
The researchers also note that "hidden third-party trackers can also use Facebook Login to deanonymize users for targeted advertising". While a privacy violation, these hidden trackers can get away with it "when the same tracker is also a first party that users visit directly".
According to the researchers, the unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature but rather the lack of security boundaries between the first-party and third-party scripts in today's web.
Facebook has called scraping of Facebook data a "direct violation of our policies". It said it would investigate the issues raised by the research but, just to be careful, a spokesperson said:
We have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.
While a good move, it feels a bit whack-a-mole. Facebook only reacts to security holes, rather than proactively making it harder to exploit its lax approach.
As just one example, Facebook doesn't always read the terms and conditions imposed by its partners, as it revealed in Parliamentary hearings. Do you really think it is going to instigate deep investigations to ensure the partners that feed it data are in turn respecting user data? It's not likely to bite the hand that feeds it.
Getting out of lazy mode
However, the real question is whether businesses have an obligation to stop shovelling data into Facebook through the medium of Login.
Yes, it is convenient, but having learned that Cambridge Analytica hoovered personal data on 87 million Facebook users and the possible political uses of that data, the discussion must be had as to whether factors other than convenience should be the primary driver.
Yes, businesses risk losing user engagement: no one really wants to create another username/password for a site they may not visit more than once or a handful of times. Asking them to do so, rather than piggybacking on Facebook or Google, introduces risk of them churning.
Even so, the price of that increased engagement is also handing over that user's data to Facebook, trusting that it will keep it at least as secure as your business would. That's a fool's bet, given Facebook's history with privacy.
Back in the day, banks, telcos and others went to great lengths to avoid having the other giant of its time come between them and their customers – and for good reason. They didn't want Microsoft, .NET or MSN to become the gateway provider for services like web, mobile or login.
So no Microsoft or Windows brand inserting itself on home pages, start screens or mobile platforms provided by Amex or AT&T.
They feared a company as powerful as Microsoft would first take their users' loyalties and then their business for its own.
How nineties and noughties. How quaint.
Today, the value has gone from slipping in and stealing your business to slipping in and exploiting your customers' data. A much better way to increase the appeal of that big old social platform you are flogging to more developers.
It's time for the corporate world to stop paying lip service to the sensitivity of their customer data, and shut off access to Facebook and its partners. Forget #deletefacebook, businesses need to #deletefacebooklogin. ®
Matt Asay is Head of Developer Ecosystem at Adobe.
Sponsored: Becoming a Pragmatic Security Leader