Just last week, a survey conducted by Toluna and Recode showed that Facebook was the least trustworthy technology company on the planet. More than 40% survey participants said they don’t trust Facebook with their personal data. A sensational study by Privacy International reveals that some of the world’s most popular Android apps share user data with the social networking giant without explicit consent. In short, users have no clue that these apps are sending sensitive data to a company that has become almost synonymous with data breaches.
Which popular Android apps are sharing your data with Facebook?
Privacy International found in its analysis that the issues didn’t affect the iOS versions of the same apps. Between August and December 2018, the UK-based privacy group reviewed 34 popular Android apps and found that at least 21 of them (61% of the tested apps) were sharing data with Facebook the moment users opened that app. This is a startling revelation in the wake of the Cambridge Analytica scandal.
Each of the 21 apps that were found to be sharing data with Facebook without users’ permission had been installed 10 million to 500 million times. These apps include MyFitnessPal, Duolingo, Family Location GPS Tracker, Kayak, Muslim Pro, MyTalkingTom, Shazam, Period Tracker Clue, Spotify, Yelp, TripAdvisor, Qibla Connect, VK, and Turbo Cleaner. An earlier report had shown that 42.5% of free apps on the Google Play Store could share data with Facebook.
When you open one of these apps, they instantly send the signal that Facebook SDK has been initialized. It lets Facebook know that you are using a specific app, how many times you open it, which device you are using, the Android version running on your device, as well as the screen resolution. The social networking giant offers its SDK to developers to let users login to their services using Facebook login.
The apps were also found to be sharing with Facebook your Google Advertising ID, which is a unique identifier that allows advertisers to build a user’s “comprehensive profile” such as gender, interests, religion, health, routines, behaviors, and other information. If a user has installed Period Tracker Clue (a period tracker), Qibla Connect (Muslim prayer app), MyTalkingTom (children’s app), and Indeed (a job search app); they will be profiled as “likely female, likely Muslim, likely job seeker, likely parent.”
Privacy International says the combined data from all the different apps “can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines.” Some apps take the data-sharing to a whole new level. For instance, Kayak sends the social networking giant information about your flight searches, departure date and city, arrival date, as well as the number and class of tickets.
Facebook working on a ‘suite of changes’
Since last year, regulators have tried to curb the invasive data tracking efforts of technology companies. The European Union’s General Data Protection Regulation (GDPR) rules went into effect on May 25th, 2018. The GDPR requires apps to obtain explicit permission from users before collecting their data. Privacy International’s findings have raised concerns that these apps might not be complying with the GDPR rules.
When the GDPR went into effect, Facebook updated its SDK to give developers the option to delay automatic data collection. It seems the developers have been reluctant to download or implement the updated Facebook SDK. The study found that popular Android apps share data even when you have logged out of Facebook, opted out of receiving Facebook cookies, or you don’t have a Facebook account.
Before GDPR, Facebook made sure it had the right to collect and share user data through the SDK. It means the developers had no way to stop their apps from sharing the user data with Facebook. The social network added that option after the GDPR came into effect. A Facebook spokesperson told Privacy International that the company was “currently working on a suite of changes, including developing a new tool called Clear History” that should address the concerns raised by the advocacy group.
— Privacy International (@privacyint) December 30, 2018
Facebook has a history of putting user privacy at risk. Its entire business relies on collecting user data, so even if it completely stops collecting data through the SDK, it could find new ways to get its hands on your personal information. Last month, The New York Times the social network had given access to user information to more than 150 companies including Microsoft and Amazon. In 2017, the personal details of more than 50 million Facebook users were compromised.