In parts one and two of this series we reviewed Facebook's history and explored the serious implications that flow from having your company’s website permit users to log in using their Facebook credentials. In this article, we focus on the confusion arising from the fact that Facebook offers two methods for allowing a visitor to use his Facebook credentials to sign into a third-party website.

How much information does Facebook actually collect about visitors who access your site using a Facebook login? For instance, does Facebook merely know that Steve Feingold is a member of Match.com? Or do they know all the details about me, including not only my age, height and weight, but the activities I enjoy, who I have contacted and been contacted by, and, perhaps, even what I have said in those emails?

The answer is, surprisingly, we do not know. In its explanation to individual users, Facebook says that it collects “information” from users who use Social Plugins and maintains such information for 90 days before it is aggregated and stored indefinitely.[1] Nowhere, however, does Facebook ever disclose exactly what data this “information” includes. Clearly, however, the statistics disseminated by Facebook to tout its Social Plugin Login suggest that Facebook is collecting vast amounts of information about its members when they are on a third-party site based on the Social Plugin Login. These statistics included how long someone stayed on a site compared to someone not using their Facebook credentials and whether they watched any videos and made more repeat purchases than those not using this credential. What is most interesting is the comparative nature of these statistics, which suggests that Facebook is somehow tracking data about users who did not access the third-party website with their Facebook credential.[2] The nature of this information alone might give any prudent business person pause.

As explained in part one of this article, Facebook first offered a login feature branded Facebook Connect. Facebook announced it was discontinuing this service when it launched the Open Graph initiative that introduced Facebook’s Social Plugins. One of these Social Plugins is Login, which on the surface appears to operate as the equivalent to the Login Tool (i.e., the old Facebook Connect).

While Facebook announced it was discontinuing Facebook Connect back in 2010, in fact this feature remains operational for websites that had adopted it prior to the introduction of the Social Plugins. Moreover, it appears that this feature, stripped of its Facebook Connect branding, continued to be available for use even after the roll-out of the Social Plugin Login. In its most recent terms of use posted in December of 2012, Facebook for the first time acknowledges that the Facebook Login Tool and the Facebook Social Plugin Login coexist. While it never explicitly details the difference between the two on its Developer pages, in an FAQ for consumers Facebook explains that the Facebook Login Tool is not a Social Plugin because the Login Tool does not share data back to Facebook.[3] In contrast, the whole purpose of Social Plugins is to provide data to Facebook about a user’s activities on other sites. Some privacy advocates cite this reason as the basis for their advice to avoid adoption of the Like button or any other Social Plugin.[4]

Even among developers there is a surprising lack of understanding about the differences between using the Social Plugin Login and the Login Tool. For instance, in one posting from December 2011, a developer who sought an explanation of the differences between these two features was advised that the Facebook Connect tool was antiquated and encouraged to use the Social Plugin Login.[5] In April of 2012, another developer asked for an explanation about which logo was most effective for use in connection with the Facebook Login feature, noting that he had seen six different formats used to invite a user to enter their Facebook credentials to access a site.

These formats include one with the words “Connect with Facebook” without the Facebook “f” icon and not within a blue button often used by Facebook for its various brands; one with the words “Connect with Facebook” together with the “f” icon within the blue button, and two variations of that presentation; a blue button containing the “f” icon and the words “Log In”; and, finally, the use of the “f” icon followed by a list of friends and their photos and the words “are using XYZ Site.” Again, none of the responses recognized any substantive differences between the Facebook Connect and the Social Plugin Login and treated the question as a mere branding issue.[6]

Facebook does not seem motivated to clarify the issues surrounding these two different services. Facebook’s help section provides the following explanation, which is targeted at individual users, about how to identify a website that is using social plugins: “You’ll recognize social plugins by the branding in the footer that looks like similar features on Facebook, or by the "f" icon next to the button itself.”[7] However, the Developer’s tools explaining the Facebook Login Tool suggest using an invitation that includes the “f” icon together with the words “Log In with Facebook” within the blue button.[8] Obviously, by suggesting that a social plugin can be recognized by the use of the “f” icon and then suggesting that websites using the Login Tool use the “f” icon within a blue button, Facebook is making it impossible for users to identify which of the two Login methods Facebook provides is actually being used on a particular website.

Certainly, Facebook could provide an easier way for users to distinguish between when they are signing into a website using the Login Tool as opposed to the Social Plugin Login. Facebook could also be more transparent in its Developer Section and explicitly explain the ramifications of using the unbranded Login Tool and the Social Plugin Login. At present, the only place where Facebook represents that the Login Tool is not a Social Plugin is in an FAQ section in the help center geared to answer questions of individual users.[9] Facebook’s commitment to transparency suggests that there ought to be a full disclosure about these issues on the web page introducing these products (or at least a link to a web page with this information).

What You Should Do Now

If your company is allowing users to access your website using their Facebook credentials, the first question is whether your website is using the Social Plugin Tool or the Login Tool. Unfortunately, as discussed above, even developers seem to be confused about the differences between the two. The safest course of action may be to remove any Facebook Login option currently in use and replace it with the Facebook Login Tool that is clearly not a Social Plugin. Of course, your company still faces the first four risks outlined at the top of this article, but it will have at least removed the fifth and perhaps most dangerous privacy-related risk associated with the use of the Facebook Login.

The second question you should consider is whether your website’s terms of use and privacy policy properly disclose that Facebook is collecting data when a visitor uses her Facebook credentials to access your site. Many websites using some form of Facebook login do not explain the privacy implications in their privacy policy. For instance, a website using the Facebook Social Plugin Login should not say that it does not share any personal data with third parties or that it does so for fulfillment purposes only and those third parties are contractually bound to not make any other use of a visitor’s personal data. One way to address this issue is to have a special section in your company’s privacy policy about the Facebook Social Plugin Login and to reference the provisions in Facebook’s own terms and conditions where it describes how this information is used. Of course, as we have seen, these disclosures are not particularly enlightening, but at least it demonstrates an effort by your company to provide meaningful disclosure.

The most important question, and undoubtedly the most controversial, is whether in light of the risks outlined in this article your company wants to offer a Facebook login option at all. If the justification for permitting this feature is concern that not offering this option will drive away customers, perhaps this situation should be viewed as an opportunity to distinguish your company from its competitors. A company could create a brief post under the headline “Why We Don’t Offer Third-Party Social Media Login Tools?” that would explain that the company believes that Facebook’s login options present too many risks both to the individual and the company.

This post could acknowledge that most users want to limit the number of sites for which they need to recall login information, but emphasize that the decision to not offer this convenience was driven by the desire to protect customers from having their privacy compromised. While Facebook’s Login Tool and Social Plugin Login may be the most popular social logins, Facebook’s relationship with its members is very much a love/hate relationship. Even the most loyal Facebook fans, in this author’s opinion, will appreciate the reasoning offered in such a posting. Of course, a company that does not have a strict policy against sharing data with third parties would probably be wise to avoid this approach.

There is one other option companies should consider. There are many other social media sites that provide a social media login service. We are not aware of any social media company that clearly addresses the issues raised in this article. However, perhaps as this issue comes to light one of these competing social media sites will see an opportunity to distinguish itself by providing the type of transparency that will make the adoption of a social media login option truly a “no lose” situation for websites seeking to make their site more accessible to users. In the meantime, companies should proceed with great caution before continuing to take advantage of or implementing a social media login on their website.

Previously published in Law360, New York (January, 2013).

Footnotes

[1] Data Use Policy: Other Websites and Applications, Facebook Inc., https://www.facebook.com/about/privacy/your-info-on-other (last visited December 31, 2012).

[2] The question of how much information Facebook collects from non-members continues to be the subject of much speculation. In August 2011 a complaint was filed in the EU including allegations that Facebook was secretly collecting and hoarding such information. See Complaint Against Facebook Ireland filed with the Office of the Data Protection Commissioner in Ireland, August 18, 2011, http://europe-v-facebook.org/Compalint_02_Shadow_Profiles.pdf (last visited January 7, 2013). See also J Fieweger, The FTC Reins in Facebook, December 5, 2011. http://europe-vfacebook.org/Compalint_02_Shadow_Profiles.pdf DriToday (last visited January 7, 2013).

[3] See Login With Facebook, Is This Instant Personalization? Is This a Social Plugin?, https://www.facebook.com/help/search/?q=facebook+login+social+plugin#!/help/405977429438260/ (last visited December 31, 2012).

[4] Like Button, Wikipedia, http://en.wikipedia.org/wiki/Like_button (last visited January 3, 2013).

[5] Facebook Login vs Facebook Connect, Stackoverflow.com, http://stackoverflow.com/questions/4722344/facebook-login-vs-facebook-connect (last visited January 3, 2013).

[6] Which Facebook Connect or Facebook Login Buttons Are Most Effective? (Data Wanted), Stackexchange.com, http://ux.stackexchange.com/questions/20094/which-facebook-connect-orfacebook-login-buttons-are-most-effective-data-w (last visited December 31, 2012).

[7] About Social Plugins, https://www.facebook.com/help/search/?q=social+plugins#!/help/443483272359009/ (last visited December 31, 2012).

[8] Best Practices: Inviting People To Login With Facebook, https://developers.facebook.com/docs/technical-guides/login/invite-people-to-login-with-facebook/ (last visited December 31, 2012).

[9] See supra note 35.
