Seeing this and being surprised is like watching a teen movie where the gossiper invites the entire school to listen in on the phone line while the protagonist is (unwisely) sharing a secret with them, and thinking as you watch, "that's totally out of character for the gossiper - even though they want to collect people's information themselves, there's no way they would invite other people to listen in as they're in the process of receiving that information."
This argument was used last time. It didn't work then and it's a silly excuse now.
Users gave Facebook their "name, email address, age range, gender, locale, and profile photo". Some of them marked those data private (i.e. only for friends). Those data were shared, without the users' informed consent, with third parties through the log-in function.
Documenting a breach doesn't unmake it a breach. And a breach can be a breach without involving any technical exploits. This was a breach.
> Seeing this and being surprised is like watching a teen movie where the gossiper...
People didn't realize Facebook was selling their secrets. That may strike you as naïve. But it's this asymmetry, between specialists (e.g. Facebook employees and technologists at large) and non-specialists (i.e. most of Facebook's users), that drives the need for regulation.
An analogy can be found in lemon laws. We protect consumers from specialists (e.g. car salespersons) taking advantage of the customers' reasonable ignorance of cars. Facebook is selling the world lemons and mocking them for buying.
The website or app implements Facebook Login. When a user visits that site, they can choose to share their profile information with that app. Through poor security or malicious action, that app leaks that information to third parties.
You can’t control data on systems you don’t own. So Facebook’s options are either (a) limit how platform apps use data via non-technical/legal methods (b) better educate users on the implications of sharing their data with external apps, or (c) refuse to share any user data with external apps.
We’ve seen the first option fail with the Cambridge Analytica scandal. Educating users consistently fails. And before Facebook built a platform, they were accused of building a walled garden.
A user absolutely can choose what they share with Facebook, but Facebook makes no effort to tell you why you should edit the defaults. Instead, you have to click an edit button, and look at a list of checkboxes, and understand what each thing means, and double and triple check that this doesn't override your personal privacy preferences or have some other unintended side-effects. The default expectation from Facebook (and similar) is biased heavily against the user, purely by virtue of it being opt out.
It depends on users not being educated well enough, and giving them a good reason to care less about being more judicious with their profile.
Under GDPR, as a data controller, you can't share data with another organisation without ensuring that they follow the same rules that you have set out for processing data. This may get interesting in Europe.
It's neither poor security nor malicious action. Web site isolation rules by design give full privileges to any third-party script the website includes. If a website uses Facebook login, all third-party scripts can access the Facebook user name.
That's not any kind of argument for the privacy-diluting practices of Facebook. If Facebook were a totally closed environment that shared your data with nobody, that's a problem for Facebook and the private companies who would prefer to exploit that information, not for the users, who at this point would very much prefer Facebook to be a "walled", but in actuality a "regulated", garden.
Facebook doesn't give a shit about its users. And for that I don't blame them. They're fighters. When they went public, so many assumed they were dead for lacking a mobile presence. Time and again, they've been called out as moribund and time and again they've won. That takes--and develops--thick skin.
That thick skin is now a hard head obstructing their view of the truth. When they drop the ball, it is never their fault. Someone is mis-defining a term, users aren't reading fine print, lawmakers are being mean, et cetera. The onus is put on us, the public, to determine how our rights can be balanced with their business model. As if their business is a given.
If Facebook were liable for repeatedly losing our data, for repeatedly refusing to tell users what it does with what they give them, for constantly lying about what it's doing and going to do, this would stop. Or Facebook would stop.
Neither users nor advertisers can unilaterally disengage. Not in meaningful numbers. Facebook is too powerful. The only solution is for it to be broken up.
Should Facebook be 100% held responsible to the law? Of course.
Should some laws be updated/created to help fill gaps where we might need more privacy? Possibly.
Should Facebook be held to some nebulous moral standard of what some people want but don't have the will power or public support to codify into law? Absolutely not.
Too powerful? If people actually cared more about privacy, then either the law would get changed (which is happening in some places), or Facebook would lose market share and be forced to make changes from market forces alone. No need for governments to arbitrarily pick winners and losers.
"Market failure is a situation in which the allocation of goods and services is not efficient". There are known failure modes that free markets suffer from, and must be defended against. Laissez-faire doesn't work.
Facebook Ireland Ltd. Does.
> Pick one or the other
why not both?
In other words, it's not taking advantage of some accidental bug Facebook never intended to have; it's Facebook's system working as Facebook designed it to work.
Now, from the perspective of an individual person whose personal information was collected and distributed in this fashion, it certainly is unexpected and likely unwanted. But calling it a "breach" or "exploit" of Facebook implicitly covers for Facebook by implying that Facebook is a victim of some type of attack here. Facebook was not a victim of an attack.
Facebook doesn't sell data, it sells ads.
That sounds like selling data but with extra steps.
In the end you have a click associated with an advertising campaign linked to a real life (or even pseudo) identity.
It doesn't really matter if ads are served to everyone or if they are shown only to a targeted demographic - either way, only people who are interested will click on them. Also, I think it is safe to say that, roughly, it is only the efficiency of clicks per ad-view that will increase if one uses targeted advertising.
So, if the act of clicking a targeted advertisement does not in itself somehow "transfer" any more identifying data than a click on a regular ad would, which I don't think it does, then what's the problem?
Same knowledge as your first example (names, expecting). I do admit you only get the information from people who come into the store.
Given Target was able to figure out someone was expecting based on behavior in their store, back in 2011, even though they don't have a loyalty program, imagine what can be done with so many trackers that are on the web datamining your behavior from one website to another.
Google can know that you're expecting, because of a congratulation email. Facebook can know you're expecting, because of a life event. Arbitrary companies can't know who their baby store ad is being shown to.
You can argue that Google and Facebook are too big, and data being shared between YouTube, Gmail, Google Adwords, etc. is suboptimal. But that's still better than a company that will freely sell a database of information to be resold, mixed, etc. forevermore.
Is fingerprinting so good that cookies are now irrelevant? I mean most mobile devices have the same screen sizes etc.
I'm sorry but if you care about privacy, you shouldn't be using Gmail.
That doesn't mean they are going to give you their name.
And if they choose to give you their name, it's their right and responsibility.
The GDPR really can't come too soon. I hope it'll finally smite these crappy companies.
If you want to talk about what people “should” know, there’s a reasonable man statute, and it definitely doesn’t include what you’re describing.
From an end user point of view - I don't think it's reasonable for a bhphotovideo.com user logging in with Facebook to assume their Facebook data is being sent to ntvk1.ru
I suspect it's not even really reasonable to expect the website owner at some of those "434 of the top million sites" to be technical enough to understand the privacy implications for their users of running both "Log in with Facebook" and 3rd party ad serving on their sites at the same time.
To be fair everyone expects MongoDB to leak data like a sieve.
Doesn’t that depend on who’s surprised? My parents would be shocked by this, people working in the software industry should be less shocked. I bet that a poll of 100 randomly selected people asking, “What does documentation mean in the context of software?” would discover that few knew the answer. Never mind actually reading the docs, or understanding their implications.
Facebook goes to some trouble to ensure that only a small minority of people grasp the implications of how they’re monetizing their users.
Maybe I am reading this wrong, but if Facebook makes an assumption which is inherently unsafe and publishes it, and then someone utilizes the unsafe assumption to siphon data, the ball is still in Facebook's court. They have to ensure that scripts cannot do this.
Sure, this might make it difficult for anyone trying to develop using Facebook library. But that is still better than asking people to read T&C and ensuring data is not leaked.
It’s unfortunate that browsers and standards organisations haven’t done more to promote safer methods of third party integration. The state of the art is still injecting script tags into the document. Given that the web is powered by embeds, ads, and analytics, there should be better sandboxing tools.
Fixed that for you, but I agree with the sentiment: it's a real problem that browser vendors are disincentivized to address.
Sure, you can't break everything tomorrow...
The analytics tag allows for arbitrary logging endpoints to be used, but that solves one very specific use case.
I believe that they’re going to allow worker scripts in the future, but again, I don’t believe that will solve every case, and it will be AMP specific.
uMatrix is one way to block third-party scripts, but it requires some knowledge to use.
Apple should take the new Firefox Facebook extension and apply it by default to Safari. But also do Google and every other major ad-tech company. Not sure if this can be done without breaking the web though. Also not sure how different Firefox's extension is from Safari's Intelligent Tracking Prevention. It's possible they already do this.
Genuine question, I don't do much mobile development: aren't native apps able to collect just as much information as a web app/site? Except with a mobile app you can't just open a Dev console and see what requests are being made?
Again not trying to troll, I just don't know if I'm missing something here.
So there might be technical reasons why native apps are more privacy preserving than web apps, but I think that pales in comparison to having an actor that actually follows the principles of Privacy By Design running the platform. If the platform owner doesn't actually want to vet what goes in their stores beyond "machine learning", had a useless permission model until recently, or does dark pattern bullshit, I doubt there's much of a difference between native vs web apps.
At the end of the day the only thing that matters is incentives, and that informs how these actors will behave.
Trick the user into opening FB or any site. Open the requested site in the built-in browser. Let the user log in to the site, and then scrape all the information. Apple and Google can't stop that.
You can't do that in the browser.
> A native app could leak/abuse information like a web app, but in general the surface area is way smaller for that to happen on iOS
Now think about login pages, oauth flows, etc...
There are lots of opportunities to slurp data from a native app.
If that's the case, the web is already broken.
I'm talking about big players like SimilarWeb and JumpShot. Clickstream companies.
[for the record, I know there are other issues w/ FB, but A LOT of the fallout seems to be related to the apps users were connecting to their profiles.]
One of many:
As far as I know, it only sends URLs of your visits to its affiliates, but not for other sites
The third party JS scripts simply cut out the middleman, but as a side effect the sharing is detectable.
It's interesting that Netograph has seen this exclusively on .pl domains, and that it hasn't cropped up again in the last month. You can do similar digging through the dataset for all the other trackers they list.
It would be great if we could filter the lists (e.g. I just want to see HTML and JS).
The trouble is that a lot of good and bad JS/CSS/content is gotten from third-party sites. Some websites are simply useless unless your browser loads third-party JS (e.g. Bootstrap). The ability to load third-party code/content is built into HTML and web developers naturally take advantage of that capability.
These sites are definitely making the problem much bigger, typically not even caring.
The developer of a site actually gives, instead of the user, access to the user's data to any other entity from which the developer "just references the scripts or fonts or whatever" to shorten his development time.
A huge problem. The article that we are commenting on shows very specific examples.
For some time now, I've used uBlock Origin, which I find better overall than uMatrix.
Privacy Badger assumes that third-party scripts used by more than one first party are potential trackers and blocks them by default, except common CDNs which just get cookies blocked. It's pretty usable: doesn't break nearly as much stuff as NoScript et al, and unlike an ad-blocker only blocks ads that track.
The article says:
> The following could indicate the first party’s awareness of the Facebook data access:
> 1) third-party initiates the Facebook login process instead of passively waiting for the login to happen; 2) third-party includes the unique App ID of the website it is embedded on. The seven scripts listed above neither initiate the login process, nor contain the app ID of the websites.
> Still, it is very hard to be certain about the exact relationship between the first parties and third parties.
But I can certainly imagine a situation where a site owner would inject a third-party analytics script into their site and have no problem with it including information from Facebook logins as part of the analytics data it collects.
After all, as a site owner why wouldn't I want my analytics dashboard (provided by a third-party) to include information like "percentage of visitors between the age of 18-25"? That seems like a useful thing to know, and the users who granted my site access to that info did so explicitly via a Facebook permissions prompt, so what's the issue?
The issue, of course, being that my site's user's data is now being handled by a third party. But I obviously had no problem with that when I decided to use a third-party analytics company in the first place; why would that change now?
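As an added example, not code from the article or from anyone in this thread: a Node simulation of the two points made above, that every third-party script in the page can reach the SDK's global `FB` object once the first party has loaded it, and that the article's two indicators (the third party initiates `FB.login`, or its source carries the site's app ID) do not flag a script that merely waits for the user to be logged in and then reads `/me`. `makeFakeFbSdk`, `instrument`, `runAsScript`, the two script names, the app ID and the user record are all constructed for the simulation; the real SDK answers asynchronously and attribution of a call to a script would have to come from `new Error().stack`, not from a variable.

```javascript
// Added example, not from the article or the thread. Everything below that
// stands in for Facebook's SDK, the host site and the third parties is constructed.

const FIRST_PARTY_APP_ID = '1122334455';   // constructed app ID of the host site
const USER = { id: '10001', name: 'Example User', email: 'user@example.invalid' }; // constructed

// Stand-in for the SDK's window.FB. Only the methods used below are modelled,
// and unlike the real SDK it calls back synchronously.
function makeFakeFbSdk(user) {
  const sdk = { status: 'unknown', appId: null };
  sdk.init = (opts) => { sdk.appId = opts.appId; };
  sdk.login = (cb) => {
    sdk.status = 'connected';
    cb({ status: sdk.status, authResponse: { userID: user.id } });
  };
  sdk.getLoginStatus = (cb) => cb({
    status: sdk.status,
    authResponse: sdk.status === 'connected' ? { userID: user.id } : null,
  });
  sdk.api = (path, cb) => {
    if (sdk.status !== 'connected') return cb({ error: { message: 'not authorized' } });
    if (path === '/me') return cb({ id: user.id, name: user.name, email: user.email });
    return cb({ error: { message: 'unsupported path ' + path } });
  };
  return sdk;
}

// Wrap the SDK so every call is logged together with the script that made it.
// In a browser the caller would be recovered from new Error().stack; this
// simulation sets currentScript while each script body runs.
let currentScript = null;
const callLog = [];
function instrument(sdk) {
  const wrapped = {};
  for (const name of ['init', 'login', 'getLoginStatus', 'api']) {
    wrapped[name] = (...args) => {
      callLog.push({ script: currentScript, method: name });
      return sdk[name](...args);
    };
  }
  return wrapped;
}
function runAsScript(name, body) {
  currentScript = name;
  try { body(); } finally { currentScript = null; }
}

// Simulated third-party scripts. Each reads the global FB, exactly as a
// <script src="https://third-party/..."> included by the page would. Their
// outbound requests are modelled by pushing onto `exfiltrated`.
const exfiltrated = [];
const thirdPartyScripts = {
  // Login helper built for this site: hardcodes the site's app ID and starts
  // the login flow itself (both of the article's indicators).
  'login-helper.example': () => {
    FB.init({ appId: '1122334455' });
    FB.login((r) => {
      if (r.status === 'connected') exfiltrated.push({ to: 'login-helper.example', userID: r.authResponse.userID });
    });
  },
  // Analytics script: never initiates login and contains no app ID, but once
  // the user is logged in it reads the profile through the shared global.
  'analytics.example': () => {
    FB.getLoginStatus((r) => {
      if (r.status !== 'connected') return;
      FB.api('/me', (me) => exfiltrated.push({ to: 'analytics.example', id: me.id, name: me.name, email: me.email }));
    });
  },
};

// The article's two indicators, applied to the call log and the script source.
function classifyThirdParty(name, body, log, appId) {
  const calls = log.filter((c) => c.script === name).map((c) => c.method);
  const initiatesLogin = calls.includes('login');
  const embedsAppId = body.toString().includes(appId);
  return {
    script: name,
    initiatesLogin,
    embedsAppId,
    readsProfile: calls.includes('api'),
    firstPartyLikelyAware: initiatesLogin || embedsAppId,
  };
}

function simulate() {
  callLog.length = 0;
  exfiltrated.length = 0;
  globalThis.FB = instrument(makeFakeFbSdk(USER)); // the SDK global every script can reach
  for (const [name, body] of Object.entries(thirdPartyScripts)) runAsScript(name, body);
  const verdicts = Object.entries(thirdPartyScripts)
    .map(([name, body]) => classifyThirdParty(name, body, callLog, FIRST_PARTY_APP_ID));
  return { verdicts, exfiltrated: exfiltrated.slice() };
}

console.log(JSON.stringify(simulate(), null, 2));
```

Running it shows both scripts ending up with the user's identity, but only the login helper is flagged by either indicator; the analytics script needed no cooperation from the first party beyond being included in the page, which is why the article can only say the relationship is hard to be certain about. The origin-level fix is not to execute third-party code in the first party's origin at all (a cross-origin, sandboxed iframe cannot see `window.FB`), rather than anything the first party can check after the fact.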
The article was written by a gentleman who wrote some early code for Facebook to do this which was later the subject of a Microsoft patent.
Would it be fair to say that once a user submits an email address to a website, that website can locate the user's Facebook profile, if one exists? No "Facebook Login" required.
Also, the curious reader may find these interesting, regarding the ease with which an attacker/website could learn a Facebook user's private friends list:
Finally, I have read that a major dating website has now removed Facebook Login.
Have a browser which intercepts requests and encrypts all of them with your public keys, which can only be used to decrypt stuff on the client side.
Websites would have to start indicating that they understand this new contract and that their servers won’t understand ANYTHING.
It could be a new protocol like https but called something else such as shttp:// or encrypted://
Any encrypted:// site can only load other encrypted:// resources so it can’t send any info to the server via postMessage etc.
There would be no cookies. Sessions would be kept on the client side, as they should be. Using sessionStorage.
Business logic done on servers now would be pushed to the edges, or could be further secured by validators that you allow into your VPNs and group activities.
People would share keys to group activities.
I am talking about something that breaks the current Web. No more cookies. No more AJAX the way you know it. Files are loaded from static bundles loaded ahead of time, before the website can learn custom information about your user agent.
Then we got Google, Facebook and the cadre of TLA's and criminal orgs turning it into a panopticon and a tool to manipulate people.
I think no matter what technology or tool we create, it'll be abused because that's the society we've created - one that encourages and rewards this behaviour when performed by a small group of very greedy, very misanthropic people.
We did not continue the patent application process to the end, so you’re free to use it.