www facebook co id log in
Time to ditch the Facebook login: If customers' data should be protected, why hand it over to Zuckerberg? • The Register
Mark Zuckerberg recently endured a grilling from the US Congress over Facebook's inability to stop bleeding user data. A week later, investors rewarded his company with a $50bn increase in its market capitalisation on news that – surprise! – a massive userbase pays big dividends.
But it's worse than 87 million users' data that was "improperly obtained" from Facebook by GSR, part of which was later licensed by Cambridge Analytica.
Sure, Cambridge Analytica got the headlines, but there's a less reported side to Facebook data sharing. That is, when companies – retailers, travel sites, banks, media and a plethora of apps – invite you to take the oh-so-simple and hassle-free step of logging into their application or service using your Facebook credentials.
Convenience for a price
Of course, the reason we use things like Facebook Login is convenience, both for the site developer and the end user. Rather than create a user name and password for every random website, developers can simply piggyback on Facebook's (or Google's) generosity.
For its part, Facebook will happily tell you why it's a great idea for developers. Take Skyscanner, for example: "Using Facebook's Analytics for Apps cohort analysis, the team improved their onboarding messages for new launches based on the 'first launch to search' patterns of their cohorts, thus increasing Facebook logins by 2X."
Or maybe not. If you're a consumer, it can become unwieldy to detangle from the social login morass. As Baratunde Thurston puts it: "If I never used Twitter again, I'd still be a Twitter user, because the company is like the school janitor with a fat ring of jangling keys to various doors in my online life."
Facebook is the most-used social login tool by far, with far more "jangling keys" just waiting for some hacker to infiltrate, even long after you've used Facebook Login.
If you're a retailer like Safeway, for example, and you use Facebook Login, you're not only using Facebook to authenticate users, you're giving all that user data back to Facebook – and Facebook's partners. Does Facebook really need to know that your customer likes to order merguez sausage on Fridays and beer and ice cream on Tuesdays? Nope.
What about its "partners"? Definitely not. But will they? Oh yes. In the wake of the Cambridge Analytica scandal, Facebook now assures us that it is going to limit how much data its partners get (user's name, profile photo, and email address upfront, with access to Facebook posts upon further permission), will restrict access to a user's data once they stop using the partner's app, and will have to get Facebook's permission for additional information.
While this sounds good, it's not clear how Facebook actually plans to audit its partners to ensure compliance, and beyond saying the partners "will sign a contract", it's not really clear how tight the restrictions will be anyway. This is, after all, Facebook, and a strict focus on user privacy is hardly what it's known for.
Additionally, while Facebook claims to be tightening access to personal data for its partners, there's apparently no limit on its own appetite. How Facebook will use that data – perhaps to enrich a profile and then serve ads from a competitor? – is a black box to the businesses using Facebook Login, and an even "blacker box" for consumers.
Not to worry. It gets worse.
Sneaking in the Facebook Login front door
Researchers Steven Englehardt, Gunes Acar and Arvind Narayanan recently published a report saying how Facebook Login (and its Google equivalent) are a honey pot for "the exfiltration of personal identifiers". The Reg covered it here.
As the report explains:
When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site. We found seven scripts collecting Facebook user data using the first party's Facebook access... Most of them grab the user ID, and two grab additional profile information such as email and username.
The user ID collected through the Facebook API is specific to the website... which would limit the potential for cross-site tracking. But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices.
The researchers also note that "hidden third-party trackers can also use Facebook Login to deanonymize users for targeted advertising". While a privacy violation, these hidden trackers can get away with it "when the same tracker is also a first party that users visit directly".
According to the researchers, the unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature but rather the lack of security boundaries between the first-party and third-party scripts in today's web.
Facebook has called scraping of Facebook data a "direct violation of our policies". It said it would investigate the issues raised by the research but, just to be careful, a spokesperson said:
We have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.
While a good move, it feels a bit whack-a-mole. Facebook only reacts to security holes, rather than proactively making it harder to exploit its lax approach.
As just one example, Facebook doesn't always read the terms and conditions imposed by its partners, as it revealed in Parliamentary hearings. Do you really think it is going to instigate deep investigations to ensure the partners that feed it data are in turn respecting user data? It's not likely to bite the hand that feeds it.
Getting out of lazy mode
However, the real question is whether businesses have an obligation to stop shovelling data into Facebook through the medium of Login.
Yes, it is convenient, but having learned that Cambridge Analytica hoovered personal data on 87 million Facebook users and the possible political uses of that data, the discussion must be had as to whether factors other than convenience should be the primary driver.
Yes, businesses risk losing user engagement: no one really wants to create another username/password for a site they may not visit more than once or a handful of times. Asking them to do so, rather than piggybacking on Facebook or Google, introduces risk of them churning.
Mark Zuckerberg recently endured a grilling from the US Congress over Facebook's inability to stop bleeding user data. A week later, investors rewarded his company with a $50bn increase in its market capitalisation on news that – surprise! – a massive userbase pays big dividends.
But it's worse than 87 million users' data that was "improperly obtained" from Facebook by GSR, part of which was later licensed by Cambridge Analytica.
Sure, Cambridge Analytica got the headlines, but there's a less reported side to Facebook data sharing. That is, when companies – retailers, travel sites, banks, media and a plethora of apps – invite you to take the oh-so-simple and hassle-free step of logging into their application or service using your Facebook credentials.
Convenience for a price
Of course, the reason we use things like Facebook Login is convenience, both for the site developer and the end user. Rather than create a user name and password for every random website, developers can simply piggyback on Facebook's (or Google's) generosity.
For its part, Facebook will happily tell you why it's a great idea for developers. Take Skyscanner, for example: "Using Facebook's Analytics for Apps cohort analysis, the team improved their onboarding messages for new launches based on the 'first launch to search' patterns of their cohorts, thus increasing Facebook logins by 2X."
Or maybe not. If you're a consumer, it can become unwieldy to detangle from the social login morass. As Baratunde Thurston puts it: "If I never used Twitter again, I'd still be a Twitter user, because the company is like the school janitor with a fat ring of jangling keys to various doors in my online life."
Facebook is the most-used social login tool by far, with far more "jangling keys" just waiting for some hacker to infiltrate, even long after you've used Facebook Login.
If you're a retailer like Safeway, for example, and you use Facebook Login, you're not only using Facebook to authenticate users, you're giving all that user data back to Facebook – and Facebook's partners. Does Facebook really need to know that your customer likes to order merguez sausage on Fridays and beer and ice cream on Tuesdays? Nope.
What about its "partners"? Definitely not. But will they? Oh yes. In the wake of the Cambridge Analytica scandal, Facebook now assures us that it is going to limit how much data its partners get (user's name, profile photo, and email address upfront, with access to Facebook posts upon further permission), will restrict access to a user's data once they stop using the partner's app, and will have to get Facebook's permission for additional information.
While this sounds good, it's not clear how Facebook actually plans to audit its partners to ensure compliance, and beyond saying the partners "will sign a contract", it's not really clear how tight the restrictions will be anyway. This is, after all, Facebook, and a strict focus on user privacy is hardly what it's known for.
Additionally, while Facebook claims to be tightening access to personal data for its partners, there's apparently no limit on its own appetite. How Facebook will use that data – perhaps to enrich a profile and then serve ads from a competitor? – is a black box to the businesses using Facebook Login, and an even "blacker box" for consumers.
Not to worry. It gets worse.
Sneaking in the Facebook Login front door
Researchers Steven Englehardt, Gunes Acar and Arvind Narayanan recently published a report saying how Facebook Login (and its Google equivalent) are a honey pot for "the exfiltration of personal identifiers". The Reg covered it here.
As the report explains:
When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site. We found seven scripts collecting Facebook user data using the first party's Facebook access... Most of them grab the user ID, and two grab additional profile information such as email and username.
The user ID collected through the Facebook API is specific to the website... which would limit the potential for cross-site tracking. But these app-scoped user IDs can be used to retrieve the global Facebook ID, user's profile photo, and other public profile information, which can be used to identify and track users across websites and devices.
The researchers also note that "hidden third-party trackers can also use Facebook Login to deanonymize users for targeted advertising". While a privacy violation, these hidden trackers can get away with it "when the same tracker is also a first party that users visit directly".
According to the researchers, the unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature but rather the lack of security boundaries between the first-party and third-party scripts in today's web.
Facebook has called scraping of Facebook data a "direct violation of our policies". It said it would investigate the issues raised by the research but, just to be careful, a spokesperson said:
We have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.
While a good move, it feels a bit whack-a-mole. Facebook only reacts to security holes, rather than proactively making it harder to exploit its lax approach.
As just one example, Facebook doesn't always read the terms and conditions imposed by its partners, as it revealed in Parliamentary hearings. Do you really think it is going to instigate deep investigations to ensure the partners that feed it data are in turn respecting user data? It's not likely to bite the hand that feeds it.
Getting out of lazy mode
However, the real question is whether businesses have an obligation to stop shovelling data into Facebook through the medium of Login.
Yes, it is convenient, but having learned that Cambridge Analytica hoovered personal data on 87 million Facebook users and the possible political uses of that data, the discussion must be had as to whether factors other than convenience should be the primary driver.
Yes, businesses risk losing user engagement: no one really wants to create another username/password for a site they may not visit more than once or a handful of times. Asking them to do so, rather than piggybacking on Facebook or Google, introduces risk of them churning.
0 comments:
Post a Comment
Facebook has greatly reduced the distribution of our stories in our readers' newsfeeds and is instead promoting mainstream media sources. When you share to your friends, however, you greatly help distribute our content. Please take a moment and consider sharing this article with your friends and family. Thank you.