TechEcho
Facebook JavaScript SDK is often illegal under GDPR

241 points by markarichards almost 7 years ago

15 comments

rhacker almost 7 years ago
CVS Pharmacy definitely includes the facebook scripts and hooks into every damn button you click on.

Not sure what is "illegal" about the scripts themselves. I would tend, however, to suggest that the sites using these scripts may be using them in ways that are illegal (as in HIPAA for instance in the US). Under HIPAA the violator would NOT be facebook, because they didn't install the script on other companies' sensitive sites, nor are they aware of such usages and they didn't sign BAAs with them. The ones that would be doing something illegal are the ones that sign BAAs or otherwise are directly responsible for keeping health information secure.
fareesh almost 7 years ago
Read the post and saw Facebook like button at the bottom. Was pretty amused
ttoinou almost 7 years ago
    If a website loads third party JavaScript into a page using a <script> tag then by default it loads with a security context of same-origin – this means that it often can do whatever JavaScript hosted from the websites’ server can do, so likely:
    Read any content on the page it is loaded
    Read your user details and often session cookies
    Modify (add/change/remove) any content on the page
    Add a username and password field, capture the values

I always* wondered why there aren't more data breaches out there. Most websites have trackers and shady scripts that can do a lot of harm... Even on banks' websites or payment pages!

Thing is, I don't see why technically it's the fault of the company providing the website. They are sending a webpage, and it's the user's browser that is sending its own data to facebook.com / google / twitter / metrics scripts / shady stuff... What would be illegal would be for the company to make a direct connection from their servers with your data.

* i.e. since I learned web development
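The same-origin behaviour quoted in the comment above can be checked on your own pages. As an added example (not part of the thread or the linked article), this Node.js sketch lists every external `<script>` tag in a page, marks which ones load from another origin, and flags those without a Subresource Integrity attribute. The sample HTML, the page URL and all function names are constructed for illustration.

```javascript
// Added example: inventory the <script src> tags in a page and flag the ones
// that run third-party code with the page's own privileges.
// PAGE_URL and SAMPLE_HTML are constructed sample input.
const PAGE_URL = "https://pharmacy.example/checkout";
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script async src="https://connect.facebook.net/en_US/sdk.js"></script>
  <script src="//cdn.example.net/lib.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script>console.log("inline, first-party");</script>
</head><body></body></html>`;

// Pull one attribute value out of a tag's attribute string (quoted or bare).
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per external script: resolved URL, whether it comes from
// a different origin than the page, and whether it carries an integrity pin.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = attr(m[1], "src");
    if (src === null) continue; // inline script: shipped by the site itself
    const url = new URL(src, pageUrl); // resolves relative and protocol-relative URLs
    findings.push({
      src: url.href,
      thirdParty: url.origin !== pageOrigin,
      hasIntegrity: attr(m[1], "integrity") !== null,
    });
  }
  return findings;
}

// Third-party scripts with no integrity pin: the remote host decides what
// code runs inside this page on every load.
function unpinnedThirdParty(html, pageUrl) {
  return auditScripts(html, pageUrl)
    .filter((f) => f.thirdParty && !f.hasIntegrity)
    .map((f) => f.src);
}

console.log(auditScripts(SAMPLE_HTML, PAGE_URL));
console.log(unpinnedThirdParty(SAMPLE_HTML, PAGE_URL));
```

Run against pages that handle credentials, payment or health data, the unpinned list is the set of hosts that can read and modify everything on those pages.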
TomK32 almost 7 years ago
There's a very simple fix to this: https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all
maxehmookau almost 7 years ago
This has always worried me. My company works a lot with healthcare organisations and as a developer often my first task is to add google analytics to a page. But of course, this is dangerous and in the case of healthcare, should be avoided. Google could, if it so chose, scrape the data of every user whenever they wanted to.
megous almost 7 years ago
A good number of websites put random third party javascript on pages that they shouldn't. My favorite are pages where I'm entering my payment details.

Some, upon closer look, even send my payment total and what I bought to GA as extra data with a tracking request. (when I cancel the payment)

Some of these tracking solutions even let you see what the user is seeing on the website in real time, including his/her mouse cursor, etc.
beagle3 almost 7 years ago
Tangential: Does anybody know or have a reference about whether the opt-out-or-can't-even-opt-out tracking in Android, Windows 10 and possibly iOS are GDPR compliant? My reading is that it isn't, but I'm not well versed on the subject.
cmurf almost 7 years ago
There are days when I wish all JavaScript was illegal... Step 1: Go to media website with Firefox on my mobile phone. Step 2: Mobile phone hangs, gets hot, jerky scrolling, delayed scrolling, unprompted scrolling (as ads load and get inserted and reflow everything), combinations of all of these. Step 3: Give up and use Firefox Focus for the same g.d. site, and it just works.

Some sites won't load at all though if you block JavaScript. They've ruined the internet.
hycaria almost 7 years ago
That's funny, I had to do this for the first time this week.

But I went with https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow

I guess since I don't load any external js, this is fine, right?
chinathrow almost 7 years ago
If you want to respect your users, use self-hosted shariff.

https://github.com/heiseonline/shariff
noncoml almost 7 years ago
Firefox + uMatrix should take care of this if I am not mistaken
gsibble almost 7 years ago
I don't see how this has anything to do with Facebook specifically as any 3rd party JS script can do this. Clickbaity title.
CGamesPlay almost 7 years ago
So, ability to commit a crime is illegal? Did I miss something in this article?
TekMol almost 7 years ago
From what I can tell, GDPR did not have any impact at all. It was supposed to end tracking without explicit consent. But did even a single big website end their tracking? Not that I know.
gsich almost 7 years ago
If you need to let external JS load, you have failed as a web developer.

Just from a performance aspect: An additional DNS resolve, additional TCP handshake, additional TLS, just to deliver a .js file that you could have easily served from the original website.

Not to mention the security aspect.