Mark Alan Richards

Facebook JavaScript SDK is often illegal

facebook privacy data-protection

Facebook JavaScript SDK is often included in websites.

It provides feature to help integrate with Facebook.

It provides Facebook with tracking capabilities that assist with audience data and their advertising targeting.

From a privacy perspective, under GDPR, this is a consent nightmare and although it may be possible to get legitimate explicit consent to send data to Facebook, is it still legal to be given when there is a second problem... security and access control.

If a website loads third party JavaScript into a page using a <script> tag then by default it loads with a security context of same-origin - this means that it often it can do whatever JavaScript hosted from the websites' server can do, so likely:

There are various security mechanisms that may reduce this risk, but the problem with these, is that they are very complex to implement: adding in security contexts to ban eval(), SRI, CORS headersĀ  and more, requires a lot of security review: but also it negates much if not all of the Facebook functionality if you ban Facebook from receiving data, so why load it?

Put this all together and you can demonstrate to organisations that they need to remove Facebook.

So I got Facebook removed from RBS's online banking landing page because it could access the account pages (which it was not loaded on).

And I got it removed off of a noticeable amount of because when loaded on pages offering advice (like about Flu) it could access data about your GP and your account.

Why is it illegal?

Especially in regulated contexts (finance, healthcare, etc) there are typically requirements that companies must maintain control of their systems ( and this cannot mean providing an advertising company with unaudited, uncontrolled access to do whatever it likes. This isn't like self-hosted JS that would have gone through QA processes to validate it.

But GDPR and similar privacy laws internationally, also demand that companies have access controls. Not just for what they want to give companies (that's a consent/legitimate interest problem), but to make sure they cannot access other data they don't have rights to. So should Facebook have access to do whatever they like without any control?

Why should Facebook get access to your account data, be able to do anything on a page or more? Whether you believe Facebook is safe or not is not important. Whatever you justify here for Facebook to have access to, you justify for any organisation, (so gambling, religious, policing, political, etc: why is an advertising company any better?) in any jurisdiction that the UK has a data protection relationship with and when it comes to the USA, that relationship is pretty terrible: the ICO rarely if ever does anything (beyond getting 'promises') when it comes to USĀ  companies and in dialogue with them appears to not be able to regulate them.

For NHS users, please check this petition: as Facebook is not completely removed from their online services, only from some areas.