Some popular Android apps send user data to Facebook without consent

Recently, Privacy International analyzed 34 Android apps, each with between 10 and 500 million downloads, and found that at least 61 percent of them automatically transfer data to Facebook the moment a user opens the app. This happens whether or not the user has a Facebook account, and whether or not they are logged in to Facebook.

What exactly is happening?

Facebook routinely tracks users, non-users, and logged-out users outside Facebook through Facebook Business Tools. App developers share user data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps. For example, app developers can use Facebook’s SDK to let users log in to the app with their Facebook account.

You can log in with your Facebook account on some websites and apps

Some of the apps that automatically transmit data to Facebook send it together with a unique identifier called the Google advertising ID. This ID allows advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile of that particular user. With that profile, an advertiser can see a person’s activities, interests, behavior, and routines. Some of that data can also reveal special categories of data, such as a person’s health or religion.

One example is the travel search and price comparison app “Kayak.” It sends detailed information about people’s flight searches to Facebook, such as the departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including the number of children), and even the class of tickets (economy, business, or first class).

Which apps do this?

When Privacy International analyzed the 34 apps, they made two observations:

  1. Apps automatically transfer data to Facebook the moment a user opens the app.
  2. The data that Facebook receives is linked to the Google ad ID.

Here’s a list of a few apps which Privacy International analyzed:

App name                     Observation 1  Observation 2
Super-Bright LED Flashlight  Yes            No
My Talking Tom               Yes            No
Tripadvisor                  Yes            No
Shazam                       Yes            No
Spotify                      Yes            No
Skyscanner                   Yes            Yes
Yelp                         Yes            No
Kayak                        Yes            Yes
MyFitnessPal                 Yes            No
CleanMaster                  Yes            No

Whose fault is it?

To be fair, it’s not exactly Facebook’s fault. It’s the app developer’s responsibility to ensure that they have the lawful right to collect, use, and share people’s data before providing Facebook with any data. However, the default implementation of Facebook’s SDK was designed to automatically transmit event data to Facebook.

After the European Union’s privacy law, GDPR, went into effect, developers raised concerns that the Facebook SDK automatically shares data before apps are able to ask users for consent. Facebook released an SDK update with a voluntary feature that lets developers delay the collection of automatically logged events until after they have acquired user consent. However, many popular apps are still not using the updated SDK, and some developers complain that the automatic sharing continues even with the new SDK.
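The check below is an added example, not code from Privacy International or Facebook: it audits a decoded AndroidManifest.xml for the Facebook Android SDK's manifest switches and reports which ones are still at their transmit-on-launch default. It assumes the manifest has already been decoded to text XML, the sample manifests are constructed, and it goes slightly beyond the article by also checking the SDK's auto-init and advertising-ID switches.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
APP_ID_KEY = "com.facebook.sdk.ApplicationId"  # present when the SDK is configured
# Facebook SDK manifest switches; the SDK treats each as "true" when absent.
SWITCHES = (
    "com.facebook.sdk.AutoInitEnabled",
    "com.facebook.sdk.AutoLogAppEventsEnabled",
    "com.facebook.sdk.AdvertiserIDCollectionEnabled",
)

def audit_manifest(manifest_xml):
    """Return (uses_facebook_sdk, {switch: still_on_at_launch})."""
    meta = {}
    for node in ET.fromstring(manifest_xml).iter("meta-data"):
        name = node.get(ANDROID + "name")
        if name:
            meta[name] = (node.get(ANDROID + "value") or "").strip().lower()
    # Anything other than a literal "false" (missing, "true", "@bool/...")
    # is reported as on, so unresolved resource references are not trusted.
    state = {s: meta.get(s, "true") != "false" for s in SWITCHES}
    return APP_ID_KEY in meta, state

def findings(manifest_xml):
    """Switches left on in an app that embeds the SDK, sorted by name."""
    uses_sdk, state = audit_manifest(manifest_xml)
    return sorted(s for s, on in state.items() if on) if uses_sdk else []

HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>'
TAIL = "</application></manifest>"

def meta_tag(name, value):
    return '<meta-data android:name="%s" android:value="%s"/>' % (name, value)

# Constructed sample manifests (not taken from any real app).
NO_SDK_MANIFEST = HEAD + TAIL
DEFAULT_MANIFEST = HEAD + meta_tag(APP_ID_KEY, "@string/facebook_app_id") + TAIL
GATED_MANIFEST = (HEAD + meta_tag(APP_ID_KEY, "@string/facebook_app_id")
                  + meta_tag(SWITCHES[1], "false") + meta_tag(SWITCHES[2], "false") + TAIL)

if __name__ == "__main__":
    for label, xml in (("no sdk", NO_SDK_MANIFEST), ("default", DEFAULT_MANIFEST),
                       ("gated", GATED_MANIFEST)):
        print(label, findings(xml))
```

A clean result only describes the state at launch; whether the app re-enables logging after the user actually consents has to be confirmed in its code or network traffic.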

Conclusion

This is almost certainly in breach of Europe’s privacy law, GDPR. The law requires that users be asked for their consent before any of their personal data is collected. Users are also not the only ones affected by the problem: application developers are potentially left liable to a maximum fine of 4% of their annual turnover.

Facebook has not been transparent about the ways in which it uses the data of non-Facebook users. It is impossible to know how the data is being used.

Source: Privacy International