Social API breaks EU Data Protection rules

RESOLVED INVALID

Product: Firefox (Untriaged)
Reporter: Nigel
Assignee: Unassigned
Version: 17 Branch
Platform: x86_64, Windows 7

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20121119183901

Steps to reproduce:

The EU Data Protection rules are explicit about a user's rights for Privacy and I believe that users must agree to data moving outside the EU - and most Social Media sites are there - and additionally must opt in to having data used in manners that they have not agreed.



Actual results:

The new Social API needs to be switchable via the Firefox options pages like DO NOT TRACK and be defaulted to DISABLED.

Group: core-security → mozilla-corporation-confidential
Cc'ing some Legal folks.

Thanks for reporting this issue.  I believe that the API was specifically designed taking into consideration EU and other privacy regimes, so I think it would be good to have specific details.

In particular, last I checked, no data is sent from Firefox to any third-party social API provider without the explicit opt-in of the user.

What specific data exchange are you worried about?

The Social API is disabled by default. After having been activated, you can easily disable it entirely by selecting "Remove from Firefox" from the toolbar button dropdown menu.

Activating the feature results in us loading web pages from the providers just as we would if you loaded them in a browser tab. There's no substantial difference between activating the Social API and navigating to Facebook.com (and indeed navigating to Facebook.com and being logged in is a prerequisite for activating the feature).
(Reporter)

Comment 3

5 years ago
Gavin - a few questions

a) If the social API is activated - does it then automatically send data or enable Facebook to get data without you being logged into the Facebook site?

b) Does enabling the API give a message to the user about what data may be sent using the API?

To the rules

Facebook has been shown as an organisation to break principles 2, 5 and 7 in the past.

On that basis - the API must be allowed to be disabled and while you have done this via an "extension" I believe that you should have done this via the same page as the DO NOT TRACK - which by the way Facebook it appears does not honour!!

(In reply to Nigel from comment #3)
> Gavin - a few questions
> 
> a) If the social API is activated - does it then automatically send data or
> enable Facebook to get data without you being logged into the Facebook site?

The content loaded in the social frames is the Facebook website.  No data is sent to Facebook other than what would normally be sent if you loaded the site in a browser tab.

> b) Does enabling the API give a message to the user about what data may be
> sent using the API?

No data is sent via the API.

> To the rules
> 
> Facebook has been shown as an organisation to break principles 2, 5 and 7 in
> the past. 
> 
> On that basis - the API must be allowed to be disabled and
> while you have done this via an "extension" I believe that you should have
> done this via the same page as the DO NOT TRACK - which by the way Facebook
> it appears does not honour!!

The feature can be disabled.

I think we are safe to close this bug and open it up; there should not be a privacy concern here given the responses above.
Group: mozilla-corporation-confidential
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID