Not sure what is "illegal" about the scripts themselves. I would tend, however, to suggest that the sites using these scripts may be using them in ways that are illegal (as in HIPAA for instance in the US). Under HIPAA the violator would NOT be Facebook, because they didn't install the script on other companies' sensitive sites, nor are they aware of such usages, and they didn't sign BAAs with them. The ones that would be doing something illegal are the ones that sign BAAs or otherwise are directly responsible for keeping health information secure.
edit: Loving the downvotes on every comment I make regardless of content guys, keep them coming! You have about 13,000 to go before I get to 0, and you've only taken about 60 this week so far. At that rate it's going to take you a while, but I know you'll get there!
If you're getting a lot of signals that you're wrong, it's often worthwhile to stop and consider why, rather than dig a deeper hole.
Finance, healthcare, etc. are all likely to include requirements for information security controls that go as specific as demanding access controls and audit logs, which appear completely impossible to achieve with what Facebook offer with their SDK. As an example, ICH GCP applies internationally for pharma. However, these are much smaller areas of regulation that most of us are not exposed to.
Whether all countries have more general provisions, like GDPR, that would apply to a very wide audience of businesses I don't know: but I know GDPR is now recognisable internationally and has parallels in many countries outside of the EU, so is hopefully a trigger for those in other areas to check what their privacy laws demand.
"Stealing" is a loaded term here. I've observed myself that at least some pages with the FB SDK installed send a tracking HTTP request with every page click - FB appears to be hooking into some very high level page event. Depending on what content is on the page, I could see that being a HIPAA violation: even if they aren't deliberately doing it they could well be logging confidential data.
Second, while the title mentions GDPR, it also mentions banking; this cannot mean providing an advertising company with unaudited, uncontrolled access to do whatever it likes. You seem to be excluding these cases as you repeat your argument about GDPR.
Likely you are being downvoted as your posts aren't fitting with the guidelines. Oh, and your comment, I don't know if you read it or not, is a reply to a comment made by the author. Please stop.
I don't hold user data or regulated data... so I'm hopefully one of the cases that isn't illegal, but if I'm wrong then please let me know a worthwhile wordpress.com -> static site tool. With a baby abusing my free time, new hosting has been a low priority.
Update: I don't like that Facebook gets told what you read on my site, but I'm not sure it indicates much to them, maybe they'll sack Facebook employees who read this? Let me know.
(I haven't used that plugin, but it's similar to what I normally do in WP themes manually)
I personally like Ghost, although it is not without its critics. Jekyll is great too.
Read any content on the page it is loaded on
Read your user details and often session cookies
Modify (add/change/remove) any content on the page
Add a username and password field, capture the values
Thing is, I don't see why technically it's the fault of the company providing the website. They are sending a webpage, and it's the user's browser that is sending its own data to facebook.com / google / twitter / metrics scripts / shady stuff... What would be illegal would be for the company to make a direct connection from their servers with your data.
* i.e. since I learned web development
They do, constantly. You just only hear about the massive ones at public companies. That's why we have GDPR now. The web has become a complete utter nightmare in terms of security. Users have absolutely no idea how critically dangerous it is to plop a third party CDN script into their pages.
My most available example stemming from:
> ... relying on democratically enacted laws.
I find these often lack the required subtlety at best, or are precipitated by general ignorance at worst, and while they are much better than anarchy, they can cause significant harm in their own right.
The idea is meant to imply a fractal society of checks: the minimum amount of radically skeptical and power-focused individuals and campaigns per issue and scope would be needed to keep powerful people and groups from being able to get away with abuse. We have some pieces of this in place today, more in the U.S. than many other countries.
Side note: state-backed safety laws and inspection may bring more harm than good, and I will never send my children to schools; it would be the best way to make them stupid.
If a bank wrote code on their website button that told your browser to send your account username and password to an evil person, technically the bank is at fault.
You can install this on your router too. But there is no way to do this on locked-down iOS or Android, because of those ad dollars.
And really, most established players in tech have HIPAA-compliant offerings and go the BAA route. It's too lucrative a sector to pass up.
Basically, when you are a covered entity -- someone who is directly required to comply with HIPAA because of what you do (for example, you're a doctor, or a pharmacy, or a health insurance company) -- any services or contractors/subcontractors you use that might end up handling protected health information as a result of what they do for you have to sign a BAA with you outlining what information they'll be receiving/handling and how they'll be handling it, along with any specific requirements you each have to fulfill as part of your relationship.
So, for example, if you are a company in the health care industry (so you're a HIPAA covered entity) and you want to use AWS for some things that involve protected health information, you need a BAA with Amazon (and Amazon will happily sign one and take your money).
Google will also sign a BAA with you to let you use their cloud services, Google Docs, etc. Microsoft will sign a BAA with you. Sentry will sign a BAA with you so you can use it for monitoring on your systems. It's extra work, but health care is a big enough market to be well worth the trouble for these companies.
Some, upon closer look, even send my payment total and what I bought to GA as extra data with a tracking request. (when I cancel the payment)
Some of these tracking solutions even let you see what the user is seeing on the website in real time, including his/her mouse cursor, etc.
It's supported by default in most ecommerce platforms, and is one of the tools that enables really sophisticated performance analytics, A/B testing, and remarketing if you really leverage it.
But in return you're giving Google incredibly detailed insight into your business model and performance. Which would be really concerning if you were in an industry Google decided to come after.
I should mention that demanding tracking may well be okay under GDPR in necessary contexts: for instance, a banking service may have to do some kinds of fraud prevention using tracking, perhaps of recent internet-facing IP addresses used, and may have a regulatory need to do something like this.
Also bear in mind that GDPR isn't the only law here. If you want to access data stored on a user's terminal (mobile device, laptop, etc), then you likely need consent too under ePrivacy: for example "Article 5" https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
Using any map application (especially Google Maps) does not actually need to store my location for posterity to give me useful service, and I did not opt in, but Android still does. Perhaps it's because I haven't been back inside Europe in the last month or so (and when I do, I'll get a "please opt in" prompt).
You could also use a defibrillator to beat someone to death but surely discouraging violence and not condemning the defibrillator is the answer (this is a crappy analogy I know).
But I went with https://developers.facebook.com/docs/facebook-login/manually...
I guess since I don't load any external JS, this is fine, right?
(And that's considering only UX, not privacy issues.)
Also, the common argument for this technique is that a CDN lets you cache content so that users don't have to re-download it every time. But I think it could also be done at the HTML level by specifying a hash value of the file that we want to integrate (I stopped web dev for a few years; I don't know if that has been added to HTML?).
The property is used to ensure the CDN is serving legit content that has not been tampered with.
/* latin */
src: local('Tangerine Regular'), local('Tangerine-Regular'), url(https://fonts.gstatic.com/s/tangerine/v9/IurY6Y5j_oScZZ784Ox...) format('woff2');
It is the websites that invite them into a secure context that are often illegal.
In the physical realm, is it okay for an advertising company to be invited into a bank safe or customer records storage without any business controls to audit, monitor or check their actions? Same is true on websites.
What would be interesting to see are these stats:
1) How many users get upset about non-compliance and complain about GDPR. Just how many do actually follow up with the ICO?
2) How many users who see non-compliance but just don't want to bother and move to another "compliant" site?
3) How many users just don't want to bother, want to consume the content and click "OK". In effect, GDPR turns into the "cookie-law" effect. Where users become blind to it.
Also, to follow up on 1. How many complaints to the ICO are actually dealt with and enforced?
I think for now, we are in a holding pattern. This needs to be tested in the courts first. Google and FB are going to be the front line. Whatever happens there, will affect how things move from there.
There was a collective bit of Y2K style madness about it, I do wonder how big most people's mailing lists are after sending out emails they need not have sent. The law was never aimed at regular businesses wanting to update their customers, it was aimed at the Facebooks of this world.
Just from a performance aspect:
An additional DNS resolve, additional TCP handshake, additional TLS, just to deliver a .js file that you could have easily served from the original website.
Not to mention the security aspect.
But there is still a problem with loading third-party JS, even beyond the SaaS type that you expect to change regularly (where SRI+CORS becomes difficult to impossible to control): just loading Bootstrap has risks.
Although a good web developer hopefully knows how to add SRI, uses a validated third party library, will pick a fixed version and use a CDN with qualities as good as their hosting solution... they are rare to find and I doubt any data protection controller/officer responsible for GDPR should allow this risk.
The developer might: forget to add SRI; pick a CDN that allows tracking (read https://www.maxcdn.com/dpa/); pick a CDN registered or running servers outside of the EU.
So, the data protection officer therefore has to check the terms of service of the CDNs, audit them regularly and then ensure there is appropriate staff training and QA to put in SRI and validate it as needed.
Meanwhile, if the developer or data protection officer changes, there has to be enough documentation and process around to transition these practices to the next staff. It all adds up.
The only thing it has going for it is the bandwidth savings for the original website.