In 2015 Facebook learned that Dr. Aleksandr Kogan, a psychology professor at the University of Cambridge, illegally passed Facebook data that he collected with his app, “thisisyourdigitallife,” to the political and military strategy firm SCL/Cambridge Analytica.

Kogan billed “thisisyourdigitallife” as a research app used by psychologists and achieved 270,000 downloads. Each user consented for Kogan to access their personal information, including location, Facebook content they had liked, and friends and connections.

Cambridge Analytica also obtained data without users' consent from an additional ~87 million accounts and sold their findings to political campaigns, including those of Ted Cruz, Ben Carson, and Donald Trump.

Cambridge Analytica data breach internal email discussion

Source

This data leak is one of the largest and most upsetting for users to date, given the strong evidence of how Cambridge Analytica used their information to influence divisive elections.

For the millions of companies that use Facebook Login to authenticate their users, this investigation poses new business and ethical challenges. This article will help teams grapple with how the scandal could affect their operations and offer solutions for moving forward.

Should You Stop Using Facebook Login with Your Apps?

Shortly following news of the breach, Facebook launched an apology ad campaign aimed at helping users steer clear of dishonest accounts on its platform that could be attempting to steal their information.

Facebook post-data-breach apology ad campaign

Source

While the campaign provided some good insights, it also highlighted staggering issues within Facebook — particularly how the company has scaled without paying close enough attention to certain user behaviors.

From fake accounts to clickbait, spam, and more, it appears like Facebook could be a messy platform to continue to authenticate with — at least in the near-term.

Moreover, it could be a challenge to explain to your users why you are continuing to collect their Facebook data.

Solution 1: Use Other Forms of Social Login

You have a series of other options for authenticating your users.

Auth0 Social Connections dashboard

Auth0 supports 30+ social providers, including Twitter, Google, Yahoo, and LinkedIn. You can also just add any OAuth2 Authorization Server you need. Despite differences among each provider, Auth0 simplifies the process by unifying the way to call providers and the information you retrieve from them.

It's simple to switch providers in the Auth0 dashboard. If you haven't already, you can sign up for a free Auth0 account here. Then, simply click Connections, then Social. To enable a new provider, just flip the switch next to their icon. You can then select the desired attributes and permissions you want to get from the provider in the configuration popup.

Solution 2: Incorporate Simpler and More Visible Means of Obtaining User Information

Progressive profiling is another technique for gradually building up a profile of your customers. Each time they interact with your product, you display a short questionnaire. It can begin with something as simple as requesting a first and last name:

Auth0 registration signup with expanded first and last name fields

From there, you can continue to get more specific — but in small increments:

Auth0 progressive profiling form

Progressive profiling allows you to keep these forms short and to the point and collect data in a clear and transparent way. You will slowly build up a robust customer profile that affords you the same power as a Facebook profile does to send better, more targeted offerings to your customers.

Employ Good Privacy Policy UX

Whichever authentication method you go with, make sure you clearly explain your process to your users. While this is critical for complying with GDPR and related measures, it is also an opportunity to highlight the benefits of why you are doing so. Are you helping deliver to customers the content they actually want to receive? Avoiding showing them products or hyping services that are irrelevant? There is a lot of information you can incorporate alongside legal jargon that shines a light on how thoughtful your team is with its operations.

Starting gradually will help assure your users of your expertise at the outset without overwhelming them with technical information.

Microsoft form explaining usage of birthdate

Source

Adding an automatic text window, like Microsoft does, that appears when requesting data points enhances the user experience in a clear and simple way. From there, you can prompt viewers to click through to a larger policy statement. If they continue to be curious, place links for them to dig even deeper:

Microsoft privacy policy sample

Source

If you're daunted by crafting all of this text yourself — ensuring it is both accurate and digestible — there are many privacy policy templates online. If you're an e-commerce company, for example, Shopify offers a series of tips and tricks.

Remember: investing in current customers can actually produce better results than attracting new ones. Taking the time to open up to those currently engaged will spur them to create more value for you in the long run.

Just Because You Rely on Facebook Login, Doesn't Mean There Isn't a Way Forward

Although Facebook has frustrated many companies with its lack of oversight in the wake of the Cambridge Analytica data breach, it still has enormous resources at its fingertips to (hopefully) help it improve. While we wait for the tech titan to rebuild user trust (and perhaps become a beloved tool for business partners once more), the above solutions will help you continue to research, protect, and delight your users.

About Auth0

Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 1.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its customers that are located in 70+ countries.

For more information, visit https://auth0.com or follow @auth0 on Twitter.