KCC investigation finds issues with social logins
Social logins use existing information from a social media service such as Facebook, Google or Naver to sign into a third-party website instead of creating a new login for that website.
The Korea Communications Commission (KCC) investigated how personal data was handled by Naver, Kakao, Facebook and Google’s social login services for two months from April. It found that some of the companies were transferring too much personal data to third-party websites, while others did not provide a sufficient agreement process to consumers before transferring their personal data.
Currently, Naver offers social logins for more than 16,000 mobile apps and websites. Kakao offers them for 8,400, and Facebook offers them for roughly 285,000, according to the KCC. Google declined to give a number.
Naver offered up to seven different pieces of personal information, including a user’s profile picture, birthday and sex, but did not clearly separate mandatory and optional information, according to the KCC.
It also designed its customer agreement page so that both mandatory and optional information was transferred unless users removed the optional information. The KCC said this was unfair since users might agree to deliver optional information without being aware of it.
Kakao did not have a screening process to select which apps and websites could use its social login feature, according to the KCC.
The KCC asked Korean companies Naver and Kakao to improve their social login systems. Naver agreed to redesign its customer agreement page, while Kakao said it would strengthen its management of apps and websites that use its social login feature by the end of September and implement a pre-screening system by June of next year.
Facebook was found to offer as many as 70 datasets depending on what information is saved on users’ profiles. Since it wasn’t clearly disclosing a list of information that it was transferring to other apps, the KCC demanded that the company inform users of what information is delivered and for how long, and ultimately reduce the number of datasets transferred to third parties.
The company, however, declined to respond to the KCC.
Google was found to only offer users’ names, profile pictures and email addresses to third-party companies but did not say how long the data is used by the apps and websites. It also did not have a pre-screening or post-login management process.
After the KCC pointed out the issues, Google said it had no plans to revise its current policies on social logins. It did say it would offer a link so that customers can check where their personal data is used and for how long.
The KCC’s investigation started after a Facebook app was found earlier this year to have used social login services as a tool for data breaches.
BY KIM JEE-HEE