
I don't know if you read it or not, but the article focuses mainly on GDPR. I’m apparently not the only one with this impression. The poster of this story on HN actually titled it “Facebook JavaScript SDK is often illegal under GDPR”.

edit: Loving the downvotes on every comment I make regardless of content guys, keep them coming! You have about 13,000 to go before I get to 0, and you've only taken about 60 this week so far. At that rate it's going to take you a while, but I know you'll get there!




Regarding the downvotes, it may have to do with the fact that the person you're accusing of not having read the article happens to be the author of said article. I think they know what's in the article and are a bit of an authority on its intent.

If you're getting a lot of signals that you're wrong, it's often worthwhile to stop and consider why, rather than dig a deeper hole.


Yes, I've added a focus on GDPR, but the article does state that this would often affect regulated contexts and I didn't intend the wording of that to be specific to the EU.

Finance, healthcare, etc. are all likely to include requirements for information security controls that go as specific as demanding access controls and audit logs, which appear completely impossible to achieve with what Facebook offer with their SDK. As an example, ICH GCP applies internationally for pharma. However, these are much smaller areas of regulation that most of us are not exposed to.

Whether all countries have more general provisions, like GDPR, that would apply to a very wide audience of businesses I don't know, but I know GDPR is now recognisable internationally and has parallels in many countries outside of the EU, so it is hopefully a trigger for those in other areas to check what their privacy laws demand.


The term "illegal" with respect to loading of the Facebook JavaScript SDK these days is mostly a GDPR-invented issue. Since I doubt that Facebook is actually stealing data from the web pages its libraries reside on, it certainly isn't a HIPAA issue, and in the case of CVS, they aren't likely subject to GDPR at all (the comment I initially responded to was regarding CVS).

Your general sentiment in your comment here is correct, that loading of any third party JavaScript library may be problematic for some sites depending on what jurisdiction(s) they do business in and what those libraries actually do. Merely having the capability to take data from a given page wouldn't be enough to trigger violations of many privacy laws (at least in the US) - the library would actually have to be doing it. But the focus of the article is GDPR and Facebook JavaScript SDKs, and that is the context in which my comments should be viewed.


> Since I doubt that Facebook is actually stealing data from the web pages its libraries reside on, it certainly isn't a HIPAA issue

"Stealing" is a loaded term here. I've observed myself that at least some pages with the FB SDK installed send a tracking HTTP request with every page click - FB appears to be hooking into some very high level page event. Depending on what content is on the page, I could see that being a HIPAA violation: even if they aren't deliberately doing it they could well be logging confidential data.


> Depending on what content is on the page, I could see that being a HIPAA violation: even if they aren't deliberately doing it they could well be logging confidential data.

There are probably some instances where this is true - for example on a poorly designed site that includes confidential health data in URL query string parameters (e.g. "hasHIV=true" or similar). But if the site is designed in that way, they have much bigger problems than the security risks imposed by Facebook SDKs. Facebook JavaScript SDKs do not scrape and store page content as far as I've ever been able to tell, so it would take egregiously bad design to turn their use into a HIPAA violation.
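The two mechanisms discussed above, a third-party script hooking a high-level page event and a confidential value leaking via the URL query string, can be shown concretely. The block below is an added example and is not Facebook's SDK code or anything from the article: it installs a generic capture-phase click listener of the kind any script running in the page can install, builds the payload such a script could assemble from the click and the current URL, and then runs a site-side check that flags query-string parameter names that look like health data. The payload shape, the parameter-name pattern, the hostname and the stand-in browser objects are all assumptions constructed so the example runs under Node.

```javascript
// Added example (not Facebook's SDK code): how any third-party script that
// runs in a page can observe every click together with the current URL, and
// why a confidential value in the query string (e.g. "hasHIV=true") ends up
// in a tracking request without the script targeting it deliberately.
// Runs under Node using constructed stand-ins for document and location.

// A single capture-phase click listener on the document sees every click
// before the page's own handlers run. The payload fields below are an
// assumption for illustration, not a documented format of any real SDK.
function buildClickPayload(event, loc, docTitle) {
  const target = event.target || {};
  return {
    page: loc.href,      // full URL, query string included
    query: loc.search,   // e.g. "?patientId=42&hasHIV=true"
    title: docTitle,
    element: target.tagName ? target.tagName.toLowerCase() : null,
    text: (target.textContent || '').trim().slice(0, 80),
  };
}

// `sink` stands in for whatever transport a tracker would use
// (an image pixel, fetch, navigator.sendBeacon, ...).
function installClickTracker(doc, loc, sink) {
  doc.addEventListener('click', (ev) => {
    sink(buildClickPayload(ev, loc, doc.title));
  }, true); // capture phase: fires regardless of what page handlers do later
}

// Site-side check: flag query-string parameter names that suggest health
// data. The pattern is illustrative, not an authoritative list.
const SENSITIVE_PARAM_RE = /(diagnos|hiv|condition|medic|prescri|patient|dob|ssn)/i;

function findSensitiveParams(urlString) {
  const url = new URL(urlString);
  return [...url.searchParams.keys()].filter((k) => SENSITIVE_PARAM_RE.test(k));
}

// Remediation on the site side: keep such values out of the URL entirely,
// since the URL is visible to every script on the page and to every
// endpoint that receives it as a referrer.
function redactedHref(urlString) {
  const url = new URL(urlString);
  for (const k of findSensitiveParams(urlString)) url.searchParams.delete(k);
  return url.toString();
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeFakeDocument(title) {
  const listeners = [];
  return {
    title,
    addEventListener(type, fn, capture) { listeners.push({ type, fn, capture }); },
    dispatch(type, ev) { listeners.filter((l) => l.type === type).forEach((l) => l.fn(ev)); },
  };
}

// Constructed scenario: a refill page that (badly) carries health data in the URL.
function demo() {
  const loc = {
    href: 'https://pharmacy.example/refill?patientId=42&hasHIV=true',
    search: '?patientId=42&hasHIV=true',
  };
  const doc = makeFakeDocument('Refill prescription');
  const sent = [];
  installClickTracker(doc, loc, (payload) => sent.push(payload));
  doc.dispatch('click', { target: { tagName: 'BUTTON', textContent: ' Refill now ' } });
  return sent; // one payload per click, each carrying the full query string
}

if (typeof require !== 'undefined' && require.main === module) {
  const sent = demo();
  console.log(JSON.stringify(sent, null, 2));
  console.log('flagged:', findSensitiveParams(sent[0].page));
  console.log('redacted:', redactedHref(sent[0].page));
}
```

The point of the capture-phase flag is that the page's own click handlers cannot prevent the tracker from seeing the event, so the only effective controls are on the site side: not placing confidential values in the URL in the first place, and restricting where scripts may send data (for instance with a Content-Security-Policy connect-src/img-src allowlist, which is not shown here).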


First, the rule is to not complain about downvotes. Particularly challenging folks to downvote you to oblivion.

Second, while the title mentions GDPR, it also mentions banking; this cannot mean providing an advertising company with unaudited, uncontrolled access to do whatever it likes. You seem to be excluding these cases as you repeat your argument about GDPR.

Likely you are being downvoted as your posts aren't fitting with the guidelines. Oh, and your comment "I don't know if you read it or not" is a reply to a comment made by the author. Please stop.


Once again, the article briefly mentions other privacy legislation but heavily focuses on GDPR.



