Steven Englehardt is a lovely man who does research into privacy for some swanky PhD he’s doing at Princeton.
His most recent work, which was done with Gunes Acar and Arvind Narayanan, shows how there are at least seven tracking services that could access your Facebook data.
So as if it weren’t bad enough that Facebook are selling all your info, Naughty People can grab your stuff too. Sigh.
On the face of things, Facebook Login looks great. No need to register for a site, just log in with your Facebook creds. What a time saver! Huzzah! But…
Basically, when you let www.ilovecatpics.com get your Facebook deets, any tracking script that site has installed can also get the info. How much info? According to the research, it’s your Facebook ID, email address, name and even gender.
Here’s who can snaffle and what they can snaffle:
| Company | Script Address | Facebook Data Collected |
|---|---|---|
| OnAudience* | http://api.behavioralengine.com/scripts/be-init.js | User ID (hashed), Email (hashed), Gender |
| Lytics | https://c.lytics.io/static/io.min.js (loaded via OpenTag) | User ID |
| ProPS^ | http://st-a.props.id/ai.js | User ID (has code to collect more) |
Do note that OnAudience have claimed they have stopped collecting this info after Englehardt released a previous study which showed they used browser autofill to grab email addresses.
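If you run a site with Facebook Login, here is a quick audit of which outside scripts share the page with it. This is an added example, not code from the research or from this post: the function names, the first-party heuristic and the sample HTML are made up for illustration, and `connect.facebook.net` is the host the Facebook JavaScript SDK is served from.

```javascript
// Added example: list third-party scripts that run in the page's own context
// alongside Facebook Login, and so could read what the site itself can read.
const FB_SDK_HOST = "connect.facebook.net";

// Constructed sample markup for the post's imaginary site; the two tracker
// URLs are the script addresses from the table above.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script async src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="http://api.behavioralengine.com/scripts/be-init.js"></script>
<script src="https://static.ilovecatpics.com/gallery.js"></script>
<script src='http://st-a.props.id/ai.js'></script>`;

// Collect the src of every <script src=...> tag in the static markup.
// Scripts injected later by a tag manager will not show up here; for those,
// inspect the live DOM or the network log instead.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Assumed heuristic: the site's host or any subdomain of it is first party.
function isFirstParty(host, siteHost) {
  const base = siteHost.replace(/^www\./, "");
  return host === base || host.endsWith("." + base);
}

// Returns whether the page loads the Facebook SDK and, if so, which
// third-party hosts have scripts running next to it.
function auditPage(pageUrl, html) {
  const siteHost = new URL(pageUrl).hostname;
  const hosts = scriptSources(html).map((src) => new URL(src, pageUrl).hostname);
  const usesFacebookLogin = hosts.includes(FB_SDK_HOST);
  const thirdParty = [...new Set(hosts)].filter(
    (h) => h !== FB_SDK_HOST && !isFirstParty(h, siteHost)
  );
  return { usesFacebookLogin, exposedTo: usesFacebookLogin ? thirdParty : [] };
}

console.log(auditPage("https://www.ilovecatpics.com/", SAMPLE_HTML));
```

Every host in `exposedTo` is one to either trust with your users' Facebook details or move off the pages where Facebook Login runs.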
Could it get worse? Oh yes. Yes it could.
Some third parties are using the Facebook Login feature to authenticate users across a variety of different websites. The commenting tool Disqus does this all the time, they say. Other hidden third parties could be using iframes, like Disqus does, to turn anon visitors into real people in order to sell more targeted advertising. Nice.
Of course, everyone denied doing anything nefarious, natch. And it’s certainly not a bug in the Facebook auth process. But it is alarming. As is just about all news about Zuck’s cash cow these days.