500,000 Sites Use 'Social Login'... Inadequate Data Deletion for Withdrawn Users
Personal Information Commission Recommends Improvements in Data Deletion
Targeting Five Major Social Login Service Providers
'Social login services,' which let users log into other sites with a linked Kakao ID, Naver ID, or other account, were found to have inadequate measures for deleting the information of users who have withdrawn.
The Personal Information Protection Commission conducted a preliminary inspection last year on five social login service providers including Google, Naver, Kakao, Apple, and Meta, and held a plenary session on the 12th to issue improvement recommendations regarding some concerns about personal information infringement.
Social login is a method that allows users to easily log in by linking social account membership information from portals, social networking services (SNS), and other platforms to other websites or applications (apps), currently used by about 500,000 domestic sites. The Commission conducted a preliminary inspection from April to November last year due to security issues and concerns about personal information provision and deletion related to social login, and resolved to recommend improvements for some concerns.
First, no particular issues were found in the process by which social accounts provide users' personal information to other sites for social login. When a site requests information by category, the social login provider runs a procedure to review whether the request is appropriate before accepting it. Consent for third-party provision is then obtained at the time the user actually registers on the site through social login.
However, the deletion of personal information after social account withdrawal was found to be inadequately performed. When a user withdraws from a social account, the social login provider should notify all linked user sites to ensure withdrawal processing, but Meta did not provide a bulk notification function.
When a user withdraws from a site, social login providers offer a token (authentication information) deletion function and disclose it through developer documentation. However, the information in the developer documents is extensive, and it is difficult to find details about the token deletion function, resulting in limited use.
Therefore, the Commission recommended expanding guidance measures to make the token deletion function easier to find. If tokens for withdrawn users are not deleted, social login providers cannot recognize the user's withdrawal from the site, which may lead to continued transmission of the withdrawn user's information.
The Commission stated, "We plan to discuss effective implementation measures of the improvement recommendations with social login providers and strengthen the environment where users can safely use social login services."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.