According to Freedom to Tinker researchers, a small percentage of the 1 million most popular websites carry third-party scripts that collect data and track users via the Facebook Login feature. Seven parties are reportedly involved.
Facebook Login makes it possible to log in to a site without creating a new account. For the first finding, the collection of data, the researchers say that in most cases it concerns user IDs. These are unique to each site, but give access to the more general Facebook ID, which in turn provides information about the user's public profile. In other cases, the parties also collect the e-mail address and, in one case, the gender. The researchers state that they are not sure how the parties will use the data, but on the basis of marketing material it appears that most of them offer to monetize users.
The researchers also describe their second finding, which concerns tracking users. They cite the example of the site Bandsintown.com, which allows users to follow specific artists, provided they log in with Facebook. The site has its own advertising service, which also appears on other music websites in the form of an iframe. The login function gives Bandsintown access to visitors' Facebook authentication tokens, which the other websites carrying the advertising service can then use to retrieve the Facebook ID of visitors and track them that way. Bandsintown has now taken measures.
According to the researchers, Facebook could counteract this kind of practice by preventing user profiles from being looked up on the basis of site-specific IDs. In addition, the company could look more closely at its API to find out in which ways the login details are used. Another option is to introduce anonymous logins, which the company announced in 2014 but has reportedly not yet made available. Facebook tells TechCrunch that it is looking into the researchers' claims. The researchers published an overview of the aforementioned sites on GitHub.