IF YOU LOG IN to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.
That's what researchers Steven Englehardt, Gunes Acar, and Arvind Narayanan from Freedom To Tinker, hosted by Princeton University's Center For Information Technology Policy, discovered when they were *ahem* tinkering with the login process.
Such trackers are provided by firms not linked to Facebook or indeed the websites using them. But the researchers found that seven of the trackers they looked at abuse a website's access to Facebook data, while one third-party tool uses its own Facebook 'app' to track users across the web.
The researchers couldn't say for sure what the third-party trackers were doing with the data, but they suspected it was being monetised for advertising purposes given the trackers' parent companies offer publisher monetisation services fuelled by user data. This is a big no-no if done in a clandestine fashion.
"Hidden third-party trackers can also use Facebook Login to deanonymise users for targeted advertising. This is a privacy violation, as it is unexpected and users are unaware of it," they explained.
The use of the Facebook Login API is not uncommon and is a perfectly fine way for people to authenticate themselves across many websites.
However, the use of hidden trackers is a problem, not just because they are clandestine, but also because visitors need to trust not only the website they visit not to abuse their data but also the third-party tools on the site. Given the Cambridge Analytica Facebook data use scandal, such trust is not likely to be in high supply.
While some people might shrug at the idea of their data being used for targeted advertising, as that's now commonplace on the web, there's potential for malicious trackers to siphon Facebook data and allow less than scrupulous third parties to abuse it.
The researchers noted that Facebook was not to blame for this situation, nor was it a security hole, but it does highlight some privacy problems.
"This unintended exposure of Facebook data to third parties is not due to a bug in Facebook's Login feature. Rather, it is due to the lack of security boundaries between the first-party and third-party scripts in today's web," the researchers explained.
"Still, there are steps Facebook and other social login providers can take to prevent abuse: API use can be audited to review how, where, and which parties are accessing social login data. Facebook could also disallow the lookup of profile picture and global Facebook IDs by app-scoped user IDs. It might also be the right time to make Anonymous Login with Facebook available following its announcement four years ago."
We contacted Facebook for its take on the situation but the social network has yet to respond.
All in all, it looks like Facebook has some more work ahead of it to ensure its users' data remains private and that what data they do share they do knowingly. And websites that make use of Facebook Login could also do a bit of housekeeping to ensure any tools they use are using data in a legitimate fashion.
If such sneaky data harvesting continues, we can expect to see websites and online services face the ire of regulators and narked-off people sick of having their data harvested all the damn time. µ