Facebook is not shy about admitting that its service is powered by advertising. Facebook is free simply because the company packages your information and sells it for targeted ads. It’s not hard to understand how its business model works.
But in the pursuit of revenue and even more data, is Facebook overstepping its bounds more often than not? With the Cambridge Analytica fiasco and the third-party Facebook app data breaches that have hounded the social media giant the past few years, are Facebook’s data practices too aggressive?
One privacy advocacy group sought to find out. Are some of the most popular apps unwitting enablers of Facebook’s huge data appetite?
Is app data automatically transmitted to Facebook?
New research from Privacy International, an advocacy group based in London, revealed that some Android apps are sending data to Facebook even if the user is logged out of Facebook or if they have opted out of receiving Facebook cookies, or even if they don’t have a Facebook account at all.
For the study, the firm analyzed the data transmitted by 34 apps on Android through Facebook’s Software Development Kit (SDK). It found that at least 20 of them automatically send data to Facebook as soon as a user opens the app.
Note: Pre-built SDKs are used by developers to help them quickly build apps for specific operating systems.
The apps included the study are not obscure services either. The list included popular apps like Spotify, Kayak, Yelp, Shazam, Instant Heart Rate, Duolingo, TripAdvisor and The Weather Channel.
According to Privacy International, each of these 34 apps may have an install base of between 10 million and 500 million.
“We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not, ” the report stated.
On by default
Normally, most of the data that is automatically transmitted to Facebook merely reveals that a user has started using the specific app and for how long. This is standard practice and it’s not a major cause for concern.
However, Privacy International discovered that some of the apps automatically transmit this data with a Google advertising ID that can be used as a unique identifier. The primary use of these identifiers, of course, is for targeted advertising. They allow advertisers to gather data about a user from different apps, websites and services to create an advertising profile.
But the firm warns that when this data from various apps is combined, it can reveal sensitive and personal details about an individual.
“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion,” the report explained.
The report also found some apps that routinely transmit “detailed and sometimes sensitive” data to Facebook.
The report cited the travel app Kayak as the main example. The Kayak app apparently sends detailed information about a user to Facebook including “flight searches, departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).”
Although Facebook places the onus on app developers to ensure that they have the right to collect and share people’s data before transmitting to Facebook, Privacy International said that the default behavior of the Facebook SDK was to automatically send data to Facebook.
But because of the European Union’s new General Data Protection Regulation (GPDR) rules, developers began raising concerns about Facebook’s SDK automatic event data transmission behavior. The issue was that the developers simply did not have the option to stop their apps from transmitting SDK event data to Facebook even if they wanted to.
Due to these GPDR complaints, Facebook introduced a feature in June 2018 that allows developers to delay the collection and transmission of event data until after user consent is given.
Additionally, in response to the Privacy International report, the SDK initialization signal will also be removed for developers that disabled their app’s automatic event logging.