Facebook JavaScript SDK is often illegal

Facebook JavaScript SDK is often included in websites.

It provides feature to help integrate with Facebook.

It provides Facebook with tracking capabilities that assist with audience data and their advertising targeting.

From a privacy perspective, under GDPR, this is a consent nightmare and although it may be possible to get legitimate explicit consent to send data to Facebook, is it still legal to be given when there is a second problem… security and access control.

If a website loads third party JavaScript into a page using a <script> tag then by default it loads with a security context of same-origin – this means that it often it can do whatever JavaScript hosted from the websites’ server can do, so likely:

  • Read any content on the page it is loaded
    • Read your user details and often session cookies
  • Modify (add/change/remove) any content on the page
    • Add a username and password field, capture the values
  • Make network requests to the websites’ servers
    • POST form data
    • Send ajax requests to backend servers as you
  • Make network requests elsewhere
    • Append data read to image or script links and add them to the page
    • Make an AJAX call to its own servers or elsewhere
  • Access any webpage on your site and do all of the above
    • If Facebook is loaded on /about, it can iframe /user/account
    • Default security context of iframes in the same domain is that it can access the child iframe and execute scripts in that iframe.

There are various security mechanisms that may reduce this risk, but the problem with these, is that they are very complex to implement: adding in security contexts to ban eval(), SRI, CORS headers  and more, requires a lot of security review: but also it negates much if not all of the Facebook functionality if you ban Facebook from receiving data, so why load it?

Put this all together and you can demonstrate to organisations that they need to remove Facebook.

So I got Facebook removed from RBS’s online banking landing page because it could access the account pages (which it was not loaded on).

And I got it removed off of a noticeable amount of nhs.uk because when loaded on pages offering advice (like about Flu) it could access data about your GP and your account.

Why is it illegal?

Especially in regulated contexts (finance, healthcare, etc) there are typically requirements that companies must maintain control of their systems (https://www.handbook.fca.org.uk/handbook/SYSC/3/1.html) and this cannot mean providing an advertising company with unaudited, uncontrolled access to do whatever it likes. This isn’t like self-hosted JS that would have gone through QA processes to validate it.

But GDPR and similar privacy laws internationally, also demand that companies have access controls. Not just for what they want to give companies (that’s a consent/legitimate interest problem), but to make sure they cannot access other data they don’t have rights to. So should Facebook have access to do whatever they like without any control?

Why should Facebook get access to your account data, be able to do anything on a page or more? Whether you believe Facebook is safe or not is not important. Whatever you justify here for Facebook to have access to, you justify for any organisation, (so gambling, religious, policing, political, etc: why is an advertising company any better?) in any jurisdiction that the UK has a data protection relationship with and when it comes to the USA, that relationship is pretty terrible: the ICO rarely if ever does anything (beyond getting ‘promises’) when it comes to US  companies and in dialogue with them appears to not be able to regulate them.

For NHS users, please check this petition: https://www.change.org/p/uk-parliament-nhs-should-respect-privacy-online as Facebook is not completely removed from their online services, only from some areas.

 


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s