Social Login Systems May Share too Much
You thought you heard a click behind that site’s “Sign in with Facebook” button. But did you also hear the inaudible sigh of your personal data disappearing into the maw of yet another application?
Social login is the ability to access a web site or application using an account on a social network. You may have already used it, or at least seen the login buttons as an option on various sites’ sign-in screens. Per my post on back to the future (of federation), today the largest identity networks are the social networks. And unfortunately, they and their sprawling empires of third party applications and advertising affiliates create vulnerabilities for users: See my NEW POST describing Covert Redirects and Perverse Incentives.
According to Janrain’s quarterly numbers and other sources, Facebook Login has almost 50% of the social login “market” and Google Plus (which is growing more rapidly) about 35%. Yahoo, Twitter and LinkedIn also register with smaller slices of the pie. Janrain notes: “Despite the possible perception that this is a two-horse race, it is critical to note the diversity of consumer preferences on different types of sites…We also have observed disparate preferences across geographic regions. For example, Hyves contends with Facebook as the most popular social network in the Netherlands…In Brazil and India, Orkut is a popular identity provider for social login, while in China, Sina Weibo and Renren maintain popularity. Mixi is a common social login choice in Japan, while VK is preferred in Russia.”
As I work on putting the together the slides for our September 10 “Respect Connect: From Social Login to Personal Cloud Login” webinar I’ve been studying Facebook and other implementations closely. It’s somewhat new territory for me, because as a security person I’ve only used these perilous tools of convenience twice:
- LinkedIn to log into ConnectMe: Importing my professional contacts into this reputation service is actually useful!
- Facebook Login (formerly Facebook Connect) for Spotify: If not stopped by changing the default setting, Spotify has the annoying habit of posting every song you listen to on Facebook.
The inaudible sigh (or giant sucking sound) is the whoosh of your social graph going into the data banks of the relying party, such as Spotify. I retested the Facebook-to-Spotify login experience and experienced a gratuitous one click data transfer. No notification of the data whoosh, no opt in process other than the login act itself.
One should, however, give Facebook credit for being open about what it does and for having an opt out process. Midway into the program’s complex privacy preferences under “apps” I found the following screen, which states up front “On Facebook, your name, profile picture, cover photo, gender, networks, username, and user id are always publicly available, including to apps.” The screen clipping below shows my own Spotify configuration on Facebook.
The screen also gives one the opportunity to view Facebook’s data use policy, Spotify (or whichever app’s) privacy policy and to remove the app if desired. But even after removal, what happens to the data remains indeterminate – from my initial preliminary reading, it seems that the app is allowed to cache personal data and to make relatively free use of it as long as it doesn’t compete with Facebook.
The Facebook Platform isn’t about privacy, it’s about sharing. According to Wikipedia’s “Facebook Platform” entry, it “Offers a set of programming interfaces and tools which enable developers to integrate with the “open graph” of personal relations and other things such as [potentially any of your posted data and activities].”
Other than allowing one to choose or remove applications one by one, Facebook provides no granularity over how one’s data is handled. If, next to “Use apps, plugins, games and websites on Facebook and elsewhere?” one click’s on “Edit” there is only the draconian option to “Turn off Platform” and the stern warning shown in the figure below.
The bottom line is that social login gives users a mixed bag. On one hand, there’s an ostensible benefit of convenience. On the other hand, there’s heightened risk of identity theft from the data proliferation and expansion of other risks peculiar to social networks such as becoming a victim of stalking, doxing or permament reputation damage. Social networks such as Facebook and LinkedIn don’t let users employ a pseudonym; they encourage individuals to use and proliferate real personal information, not just their name but also birthday, relationships and other sensitive data. And often, the user gains no benefit from the proliferation of information because it’s not required for single sign on and the user may have no desire for any feature of the application that uses that information.
A more user-centric approach to personal identity and personal login would, on the other hand, allow the user more granular control of which information is sent to which relying parties. One could choose to pass the social graph to Connect.Me when desiring the reputation service’s social features. One could suppress sending the social graph to Spotify when intending only to listen to music in private.