
Facebook JavaScript SDK is often illegal under GDPR - markarichards
https://markssoftware.com/2018/06/23/facebook-javascript-sdk-is-often-illegal/
======
rhacker
CVS Pharmacy definitely includes the facebook scripts and hooks into every
damn button you click on.

Not sure what is "illegal" about the scripts themselves. I would tend,
however, to suggest that the sites using these scripts may be using them in ways
that are illegal (as in HIPAA for instance in the US). Under HIPAA the
violator would NOT be facebook, because they didn't install the script on
other companies' sensitive sites, nor are they aware of such usages and they
didn't sign BAAs with them. The ones that would be doing something illegal are
the ones that sign BAAs or otherwise are directly responsible for keeping
health information secure.

~~~
downandout
This article isn’t about HIPAA, it’s about GDPR. If CVS does not have stores
in the EU, then they’re most likely in the clear. Under Recital 23 [1], in
order for the GDPR to apply to any site, the site must “envisage” serving EU
customers. It would be a stretch to argue that a website designed to help
customers of a chain of stores that has no presence in the EU does in fact
“envisage” serving EU customers.

[1] [http://www.privacy-regulation.eu/en/recital-23-GDPR.htm](http://www.privacy-regulation.eu/en/recital-23-GDPR.htm)

~~~
markarichards
It's not just about GDPR. It's about any regulated environment that requires
systems and controls in place to maintain information security.

~~~
downandout
I don't know if you read it or not, but the article focuses mainly on GDPR.
I’m apparently not the only one with this impression. The poster of this story
on HN actually titled it “_Facebook JavaScript SDK is often illegal under
GDPR_”.

edit: Loving the downvotes on every comment I make regardless of content guys,
keep them coming! You have about 13,000 to go before I get to 0, and you've
only taken about 60 this week so far. At that rate it's going to take you a
while, but I know you'll get there!

~~~
guptaneil
Regarding the downvotes, it may have to do with the fact that the person
you're accusing of not having read the article happens to be the author of
said article. I think they know what's in the article and are a bit of an
authority on its intent.

If you're getting a lot of signals that you're wrong, it's often worthwhile to
stop and consider why, rather than dig a deeper hole.

------
fareesh
Read the post and saw Facebook like button at the bottom. Was pretty amused

~~~
markarichards
I find it amusing too.

I don't hold user data or regulated data... so I'm hopefully one of the cases
that isn't illegal, but if I'm wrong then please let me know a worthwhile
wordpress.com -> static site tool. With a baby abusing my free time, new
hosting has been a low priority.

Update: I don't like that Facebook gets told what you read on my site, but I'm
not sure it indicates much to them, maybe they'll sack Facebook employees who
read this? Let me know.

~~~
enzanki_ars
Jekyll has a self-hosted wordpress [1] and a wordpress.com [2] import tool.
Jekyll works on GitHub pages and GitLab pages, the GitHub option requiring
very little effort to use. Posts are easy to write in Markdown, which is used
in a basic form here on HN, and themes are readily available and easy to make.

[1]:
[https://import.jekyllrb.com/docs/wordpress/](https://import.jekyllrb.com/docs/wordpress/)

[2]:
[https://import.jekyllrb.com/docs/wordpressdotcom/](https://import.jekyllrb.com/docs/wordpressdotcom/)

------
ttoinou

    If a website loads third party JavaScript into a page using a <script> tag then by default it loads with a security context of same-origin – this means that it often can do whatever JavaScript hosted from the websites’ server can do, so likely:

      Read any content on the page it is loaded
        Read your user details and often session cookies
      Modify (add/change/remove) any content on the page
        Add a username and password field, capture the values

I always* wondered why there aren't more data breaches out there. Most websites
have trackers and shady scripts that can do a lot of harm... Even on banks'
websites or payment pages!

Thing is, I don't see why technically it's the fault of the company providing
the website. They are sending a webpage, and it's the user's browser that is
sending its own data to facebook.com / google / twitter / metrics scripts /
shady stuff... What would be illegal would be for the company to make a direct
connection from their servers with your data.

* i.e. since I learned web development
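
An added example, not part of the thread or the linked article: since a script loaded by `<script src>` runs with the page's own privileges, a first defensive step is to inventory which origins a page hands that access to. The sketch below lists external scripts and flags cross-origin ones that carry no Subresource Integrity attribute; `auditScripts`, `unpinnedThirdParty`, `SAMPLE_HTML` and `shop.example` are hypothetical names and constructed data.

```javascript
// Constructed sample page (illustration only): a checkout form that pulls in
// one first-party script, the Facebook SDK, and a CDN library pinned with SRI.
const SAMPLE_HTML = `
<html><head>
  <script src="/js/checkout.js"></script>
  <script async src="https://connect.facebook.net/en_US/sdk.js"></script>
  <script src="//cdn.example.net/lib.min.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script>var inline = true;</script>
</head><body><form action="/pay"><input name="card"></form></body></html>`;

// Extract attributes from the inside of one opening tag. A regex is enough
// for an audit sketch; use a real HTML parser for production scanning.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// One finding per external script: resolved URL, whether it is served from
// another origin than the page, and whether an integrity hash pins it.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline script: shipped by the site itself
    const url = new URL(attrs.src, pageUrl); // resolves relative and // URLs
    findings.push({
      src: url.href,
      thirdParty: url.origin !== pageOrigin,
      pinned: Boolean(attrs.integrity),
    });
  }
  return findings;
}

// Cross-origin scripts without an integrity attribute: the browser runs
// whatever that provider serves, with full access to the page.
function unpinnedThirdParty(html, pageUrl) {
  return auditScripts(html, pageUrl)
    .filter((f) => f.thirdParty && !f.pinned)
    .map((f) => f.src);
}

console.log(unpinnedThirdParty(SAMPLE_HTML, "https://shop.example/checkout"));
```
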

~~~
aphextron
> I always wondered why there aren't more data breaches out there. Most websites
> have trackers and shady scripts that can do a lot of harm... Even on banks'
> websites or payment pages!

They do, constantly. You just only hear about the massive ones at public
companies. That's why we have GDPR now. The web has become a complete utter
nightmare in terms of security. Users have absolutely no idea how critically
dangerous it is to plop a third party CDN script into their pages.

~~~
ttoinou
You mean web developers, not users? I think devs and users don't feel concerned
enough and that's a shame. I am not for GDPR though, I think users should
educate themselves and try to get to know which browser + extensions fit
their privacy / security needs. We also need more benchmarking / consumer
information so that we can select websites best, competition will do the rest.
It seems it's a niche market as of now.

~~~
detcader
I always educate myself on any technical subject instead of relying on
democratically enacted laws. I educate myself on biochemistry instead of
relying on The State to keep my food safe. If I have offspring I will educate
myself on teaching techniques so I can choose the right private school instead
of relying on publicly funded ones. This is all highly efficient.

~~~
ShroudedNight
While I think that there are fair critiques of this post[1], I can definitely
empathize with the overwhelming sense of drowning in ignorance and the limited
energy I have to defend against goods and services that entail hidden
compromises I would not consent to were I properly informed.

[1] My most available example stemming from:

> ... relying on democratically enacted laws.

I find these often lack the required subtlety at best, or are precipitated by
general ignorance at worst, and while they are much better than anarchy, can cause
significant harm in their own right.

~~~
detcader
I don't deny there are hidden compromises all over (I think that is a good way
to put it) and we need to educate ourselves all the time. I can't imagine a
more efficient way to handle all of it than fostering a political tradition
that is inherently critical of concentrated and unchecked power, whether
private or governmental, and having individuals of the tradition succeed in
democratic government and adversarial journalism.

The idea is meant to imply a fractal society of checks: the minimum amount of
radically skeptical and power-focused individuals and campaigns per issue and
scope would be needed to keep powerful people and groups from being able to
get away with abuse. We have some pieces of this in place today, more in the
U.S. than many other countries.

------
TomK32
There's a very simple fix to this:
[https://raw.githubusercontent.com/jmdugan/blocklists/master/...](https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all)

~~~
rhacker
That might be useful for the 0.00000001% of the population that read your
post, but wouldn't it make sense that sites using the script make changes?

~~~
iandanforth
That's ~0.76 people.

~~~
fahadkhan
Assuming every person (worldwide) read the post.

~~~
reificator
No, that's assuming only .76 of a person read the post.

------
maxehmookau
This has always worried me. My company works a lot with healthcare
organisations and as a developer often my first task is to add google
analytics to a page. But of course, this is dangerous and in the case of
healthcare, should be avoided. Google could, if it so chose, scrape the data
of every user whenever they wanted to.

~~~
DoreenMichele
To state more clearly what you only implied, this is a potential HIPAA
violation waiting to happen.

~~~
ubernostrum
FWIW Google will sign BAAs with HIPAA-covered entities. Several of their
services are popular in the industry, including Google Docs.

And really, most established players in tech have HIPAA-compliant offerings
and go the BAA route. It's too lucrative a sector to pass up.

~~~
DoreenMichele
BAA is not an acronym I am familiar with and the internet assures me it is a
sound a sheep makes. I would appreciate clarification.

Thanks.

~~~
ubernostrum
Business Associate Agreement/Addendum.

Basically, when you are a covered entity -- someone who is directly required
to comply with HIPAA because of what you do (for example, you're a doctor, or
a pharmacy, or a health insurance company) -- any services or
contractors/subcontractors you use that might end up handling protected health
information as a result of what they do for you have to sign a BAA with you
outlining what information they'll be receiving/handling and how they'll
be handling it, along with any specific requirements you each have to fulfill
as part of your relationship.

So, for example, if you are a company in the health care industry (so you're a
HIPAA covered entity) and you want to use AWS for some things that involve
protected health information, you need a BAA with Amazon (and Amazon will
happily sign one and take your money).

Google will also sign a BAA with you to let you use their cloud services,
Google Docs, etc. Microsoft will sign a BAA with you. Sentry will sign a BAA
with you so you can use it for monitoring on your systems. It's extra work,
but health care is a big enough market to be well worth the trouble for these
companies.

------
megous
Good number of websites put random third party javascript on pages that they
shouldn't. My favorite are pages where I'm entering my payment details.

Some, upon closer look, even send my payment total and what I bought to GA as
extra data with a tracking request. (when I cancel the payment)

Some of these tracking solutions even let you see what the user is seeing on
the website in real time, including his/her mouse cursor, etc.

~~~
cosmie
That would be the Enhanced Ecommerce functionality of GA[1].

It's supported by default in most ecommerce platforms, and is one of the tools
that enables really sophisticated performance analytics, A/B testing, and
remarketing if you really leverage it.

But in return you're giving Google incredibly detailed insight into your
business model and performance. Which would be really concerning if you were
in an industry Google decided to come after.

[1]
[https://support.google.com/analytics/answer/6014841?hl=en](https://support.google.com/analytics/answer/6014841?hl=en)

------
beagle3
Tangential: Does anybody know or have a reference about whether the opt-out-
or-can't-even-opt-out tracking in Android, Windows 10 and possibly iOS are
GDPR compliant? My reading is that it isn't, but I'm not well versed on the
subject.

~~~
markarichards
I'm not sure I can answer this, but it might help anyone who could if you know
an example of an application that does the nature of tracking you are
concerned with?

I should mention, that demanding tracking may well be okay in GDPR, in
necessary contexts: for instance a banking service may have to do some natures
of fraud prevention using tracking, perhaps of recent internet facing IP
addresses used and may have a regulatory need to do something like this.

Also bear in mind that GDPR isn't the only law here. If you want to access
data stored on a user's terminal (mobile device, laptop, etc), then you likely
need consent too under ePrivacy: for example "Article 5"
[https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...](https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML)

~~~
beagle3
> I'm not sure I can answer this, but it might help anyone who could if you
> know an example of an application that does the nature of tracking you are
> concerned with?

Using any map application (especially google maps) does not actually need to
_store_ my location for posterity to give me useful service, and I did not
opt-in but android still does; Perhaps it's because I haven't been back inside
Europe in the last month or so (and when I do, I'll get a "please opt in"
prompt).

------
cmurf
There are days when I wish all JavaScript was illegal... Step 1: Go to media
website with Firefox on my mobile phone. Step 2: Mobile phone hangs, gets hot,
jerky scrolling, delayed scrolling, unprompted scrolling (as ads load and get
inserted and reflow everything), combinations of all of these. Step 3: Give up
and use Firefox Focus for the same g.d. site, and it just works.

Some sites won't load at all though if you block JavaScript. They've ruined
the internet.

~~~
hermitdev
Sites that won't load on the internet without JavaScript don't deserve to be on
the internet.

Edit: left out the important without javascript

~~~
pnloyd
This is an outdated and flawed mentality in my opinion. JavaScript has great
potential to enhance UX if used selectively with care. There are plenty of
ways to ruin a website, JavaScript is but one.

You could also use a defibrillator to beat someone to death but surely
discouraging violence and not condemning the defibrillator is the answer (this
is a crappy analogy I know).

And the appropriate use of JavaScript is being encouraged more and more.
Browsers have increasingly useful features against "user hostile" sites. And
then there's the old "vote with your wallet" except this time it's vote with
your visits - if a site uses JavaScript or anything else you find unpleasant
then... don't go to that site.

Leave JavaScript alone already!

------
hycaria
That's funny, I had to do this for the first time this week.

But I went with
[https://developers.facebook.com/docs/facebook-login/manually...](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)

I guess since I don't load any external js, this is fine, right ?

~~~
gcb0
your local files still send data to their servers.

------
chinathrow
If you want to respect your users, use self-hosted shariff.

[https://github.com/heiseonline/shariff](https://github.com/heiseonline/shariff)

~~~
smt88
As a user, I despise social buttons and never trust or use them. I'm very
curious if I'm in the minority on that or not.

(And that's considering only UX, not privacy issues.)

------
noncoml
Firefox + uMatrix should take care of this if I am not mistaken

~~~
gcb0
you only forgot the last factor: + 5 years of webdevelopment experience.

------
gsibble
I don't see how this has anything to do with Facebook specifically as any 3rd
party JS script can do this. Clickbaity title.

~~~
smt88
It's an extremely common and well-known library. Why is that clickbait? It's
also helpful to study one concrete example at times. We know what Facebook
collects and how they use it, and that closes the loop on whether this is
scary vs. merely interesting.

------
CGamesPlay
So, ability to commit a crime is illegal? Did I miss something in this
article?

~~~
markarichards
Facebook who have the ability are not necessarily criminal.

It is the websites that invite them into a secure context that are often
illegal.

In the physical realm, is it okay for an advertising company to be invited
into a bank safe or customer records storage without any business controls to
audit, monitor or check their actions? Same is true on websites.

~~~
ruszki
It's maybe not okay, but legal for sure.

------
TekMol
From what I can tell, GDPR did not have any impact at all. It was supposed to
end tracking without explicit consent. But did even a single big website end
their tracking? Not that I know.

~~~
craftyguy
Does the EU plan to actually enforce the GDPR?

~~~
no1youknowz
We have to wait and see, both Google and Facebook were sued on day 1 [0].

There have been many implementations. From outright banning EU sites [1]. To
companies such as medium who tell you their privacy policy has changed and to
accept, to companies who give you a modal window on how to change your
security settings or just click "OK".

What would be interesting to see are these stats:

1) How many users get upset about non-compliance and complain about GDPR. Just
how many do actually follow up with the ICO?

2) How many users who see non-compliance but just don't want to bother and
move to another "compliant" site?

3) How many users just don't want to bother, want to consume the content and
click "OK". In effect, GDPR turns into the "cookie-law" effect. Where users
become blind to it.

Also, to follow up on 1. How many complaints to the ICO are actually dealt
with and enforced?

I think for now, we are in a holding pattern. This needs to be tested in the
courts first. Google and FB are going to be the front line. Whatever happens
there, will affect how things move from there.

[0]:
[https://www.theguardian.com/technology/2018/may/25/facebook-...](https://www.theguardian.com/technology/2018/may/25/facebook-google-gdpr-complaints-eu-consumer-rights)

[1]:
[https://www.standard.co.uk/news/uk/gdpr-compliance-us-websit...](https://www.standard.co.uk/news/uk/gdpr-compliance-us-websites-block-uk-and-eu-readers-as-new-data-rules-come-into-force-a3848081.html)

------
gsich
If you need to let load external JS, you have failed as a webdeveloper.

Just from a performance aspect: An additional DNS resolve, additional TCP
handshake, additional TLS, just to deliver a .js file that you could have
easily served from the original website.

Not to mention the security aspect.

~~~
tmikaeld
How else would you suggest loading social media?

~~~
megous
    <a href="https://www.facebook.com/sharer/sharer.php?u=whateverurl">Like on FB</a>

