Facebook is notorious for slurping data from users and non-users alike to feed its advertising business. According to a new study, the social network also gets a lot of data in a steady stream from apps that offer it up of their own accord.
The new study from Privacy International sheds light on a slew of popular Android apps that provide user data to Facebook without users’ explicit consent. Those users don’t necessarily have to be logged into Facebook or even maintain an account to have their data snagged.
Of the 34 apps examined in the study, 20 were found to share data with Facebook, sometimes at the exact point of activating the app. The apps examined, which include the language study guide Duolingo and the travel booking giant Kayak, were built using the open source Facebook Software Development Kit (SDK). Sixty-one percent of the apps tested were found to transmit data back to Facebook “from the moment a user opens the app,” according to the study.
This isn’t simply spying; the communication is necessary if an app allows login through Facebook, for example, or if it uses any of the other advertising or analytics tools offered by Facebook’s SDK for Android. But the relatively innocuous reasons a developer might make use of Facebook’s SDK don’t mean the results of the data sharing aren’t concerning.
As the study describes, a handful of seemingly nonsensitive data points can reveal a whole lot of information when grouped together, as Facebook will be uniquely positioned to do.
“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion.”
What’s more, some apps share plenty of information you might consider to be quite sensitive. In the example of Kayak, Privacy International found the app shared all sorts of travel and booking details:
“A prime example is the travel search and price comparison app “KAYAK”, which sends detailed information about people’s flight searches to Facebook, including: departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).”
While app makers might have a good reason for handing data over to Facebook, a recurring theme is that they don’t give users any say in the matter. None of the apps cited in the study gave users the option to opt out of having their data shared with outside sources, which may defy the EU’s General Data Protection Regulation (GDPR) passed last May.
Developers have reportedly requested that Facebook close the potential hole on its end by refusing to accept any information without the user’s explicit consent. Facebook, meanwhile, claims it instituted a fix last June that gives developers the option to wait for permission before sending off data, ostensibly to put the onus squarely on app makers to solve the problem, or not. And more often “not.” According to Privacy International, the apps in question haven’t properly implemented the fix, which probably suits Facebook just fine. Facebook, for its part, isn’t particularly clear about what happens to that data once it’s received, but certainly wouldn’t object to continuing to get it.
Though this isn’t tantamount to, or even approaching, a Cambridge Analytica-style meltdown, it’s an illustration of the way Facebook’s general gravity as a gigantic social hub and information broker encourages other apps to send more data its way in exchange for analytics and login support. Only a hegemonic platform like Facebook can offer that. And this is a dynamic that isn’t going to change without outside pressure or regulation.
Source: Privacy International