Social logins have a privacy problem

Social logins beg the question: why? Why would a social network or advertising company invest in social sign-in development and offer it for free?

Well, to coin a phrase, there ain’t no such thing as a free lunch. If the lunch is free, you are the lunch. The business models of companies like Facebook, Google and others are to learn as much about you, their product, as possible. This is no great mystery and we accept it, generally speaking, because personalised ads are more useful to us and the companies serving them.

But there are issues. We forget who knows what, where our data is, what we’ve said.

These issues are amplified when we start using social logins to create and access user accounts around the web. An app download here, a purchase there and suddenly we’ve ‘been logging in with Facebook’ all over the place. Facebook knows what sites we’re visiting and how often. The site you just signed into can also access your social data and so the profile that companies have on you is becoming scarily detailed.

In the third quarter of 2019 Facebook’s revenue amounted to $17.65 billion with over 7 million active advertisers. Everything the free social networks do is about giving their advertisers well-defined audience profiles. Social logins are just another part of that strategy.

But if users don’t mind being advertised to, and presumably they don’t, then what’s the problem? Social logins are secure, right?


Social logins are convenient, but users need to make sure the password to their social account is really good. If your social account is compromised, so is your account on every site you used it to sign in to.

We already know password reuse is rife, and even if the user has a totally unique password for their social account, it needs to be long and strong. You're still on the back foot because the social network now becomes a very juicy target for hackers.

It’s important to note that you can manage your privacy settings in your social accounts to restrict what the social network can and can’t share about you with other sites. You can also now see all of the information the social network has about you. These features have been accelerated to an extent by legislation such as GDPR in Europe and the California Consumer Privacy Act.

This presents possible issues for website owners and their developers using social logins. On the face of it, implementing a social login is easy, but are there ramifications for your website’s privacy policy?

Not everyone minds the way our data is used, but some do. A consumer report in 2008 that polled 2000 people found that 72% of people wanted the right to opt out of online tracking.

How about an alternative for web developers that respects the user’s privacy and creates no privacy conditions for website owners to inform their users about?