We Should Stop Using Facebook Login

Various publishers still use Facebook as a sign-in option. Time for a rethink.

Facebook has been bad news for a few years now. The litany of misdeeds and data mishandling is long and well-known — from a billion fake accounts, to 50 million accounts being hacked, to Cambridge Analytica. Even one of these should give any reasonable person pause about feeding data through the Facebook system. It seems like an invitation for privacy violations, social surveillance, and more.

Yet, some publishers still accept Facebook authentication as a sign-in option.

Called “Facebook Login,” the service boasts that it gives users “two-tap account creation using their existing Facebook accounts.”

A recent article in the New York Times details the problems with relying on this service, especially in the wake of Facebook being hacked:

. . . no company, not even one as big and wealthy as Facebook or Google, can guarantee perfect security. . . . Facebook’s size and complexity work against its security. The Facebook hack, for instance, seems to have been caused by three different bugs acting in concert. The other danger to signing on to everything with Facebook is the threat of phishing. . . . Single sign-on compounds the damage — whoever hacks your Facebook account gets access to everything else you tied to Facebook.

Facebook claims that Login is GDPR compliant, and that it only stores data about users for a short time:

  • Short-term Data: The SDK measures some user activity for purposes of managing fraud and abuse. This data is only retained for a very short period for those not logged in to Facebook.

Is that a loophole I see? Can you use Facebook Login without being logged into Facebook, rendering the short-term pledge moot?

Publishers using Login get access to the data provided by Facebook for 90 days. What goes unspoken is that Facebook may keep the data in perpetuity. And Facebook is not a reliable data steward — losing data, allowing data to be exploited, and abusing privacy.

So the basic question is: Why continue giving Facebook access to any of your customer data? They have demonstrated they are not capable of handling it in a trustworthy manner. Besides, your users are more suspicious of Facebook than ever, and I’m going to speculate things are about to get far worse for Facebook with an activist EU coming at the company while an agitated Democratic majority in the US Congress is about to start going after the company, as well.

Should we stop using Facebook Login? My answer is, “Yes.”
