Android apps have been secretly sharing usage data with Facebook, even when users are logged out of the social network – or don’t have an account at all.
Advocacy group Privacy International announced the findings in a presentation at the 35th Chaos Computer Congress late last month. The organization tested 34 apps and documented the results, as part of a downloadable report.
The investigators found that 61% of the apps tested automatically tell Facebook that a user has opened them. This accompanies other basic event data such as an app being closed, along with information about their device and suspected location based on language and time settings. Apps have been doing this even when users don’t have a Facebook account, the report said.
Some apps went far beyond basic event information, sending highly detailed data. For example, the travel app Kayak routinely sends search information including departure and arrival dates and cities, and numbers of tickets (including tickets for children).
Language learning app Duolingo was among several apps that the report called out for sharing extra data, including “how the app is used, which menus the user has visited, and other interaction information”.
The occasional message telling someone that you’ve opened a language learning app and decided to brush up on your German may seem harmless enough, but it still has Privacy International worried. The report said:
If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines.
Moreover, the report says that this basic SDK data could cross over into a special category of user data specially protected under GDPR. If you open a medical or religious app and that data is sent to Facebook, it could include data about the user’s health or religious beliefs, it says.
This is more likely when apps send this information with a unique Google advertising ID (AAID), which according to the report they often do. Many advertising technology companies sync AAIDs across different devices so that they can build a better profile of a user’s activities across mobile and desktop.
What could Facebook use such information for? Some possible uses highlighted by the report include matching contacts and building targetable audiences. The social network has also been known to track application usage in the past to gain market intelligence about which apps people are using, as it did with the Onavo VPN product that it purchased and subsequently removed from Apple’s app store.
Facebook provides opt-out mechanisms that are supposed to allow people without Facebook accounts to control the ads they see. However, using those opt-outs don’t stop the apps sharing the users’ usage data, the report alleged. Neither do enhanced controls to govern how apps collect data, which Google included in Android 6.0 and up.
Apps share this event data via a software development kit (SDK) that developers must use if they want their apps to interact with the social network. The report says that while developers have been able to restrict the event data that they send for a while, the SDK still sent the basic data about opening apps as part of an initialization process that developers couldn’t control.
The default data collection could put Facebook in violation of Europe’s General Data Protection Regulation (GDPR), according to Privacy International. The inability to stop their own apps sending data to Facebook led several developers to contact Facebook raising concerns about compliance.
The report warns that automatically giving up user event data via the SDK may contravene GDPR’s consent rules, adding that even if the user agreed to blanket terms and conditions when installing an app, they couldn’t easily revoke that consent later. It said:
…under the default implementation of the SDK, personal data is transmitted to Facebook before an individual has had the opportunity to be provided with further information or to consent to such data sharing.
Facebook released version 4.34 of the SDK on 28 June, which it said allowed developers to delay sending SDK initialization data until the developer had gained the user’s consent. However, that SDK release came 35 days after GDPR came into effect. Even now, developers must still opt to delay the SDK sending that data.
The report suggests that the SDK as it stands may well violate GDPR’s principle of data protection by design and by default, which requires companies to gather only the data they need for specific purposes:
…the design of the Facebook SDK together with the default Facebook SDK implementation does exactly the opposite, namely automatically (by default) transferring personal data to Facebook for unspecified purposes.
Should Facebook be responsible for how third-party developers pass on user data? Privacy International thinks so, asserting that they share responsibility:
Facebook cannot simply shirk responsibility for the data transmitted to it via Facebook’s SDK by imposing contractual terms on others such as App developers or providers.
Some developers have already responded to the Privacy International report. Skyscanner, which was using a pre-June version of the SDK, said that it had updated its app to use a newer version and would audit its consent tracking.
Privacy International’s research project couldn’t have come at a more sensitive time for Facebook. The Irish Data Protection Commissioner is already investigating the company’s data breach last year, which saw up to 50 million accounts compromised, to see if it violated the GDPR:
Investigation commenced into Facebook data breach. @DPCIreland statement beneath. #dataprotection #GDPR #eudatap pic.twitter.com/7eHKUigTq5— Data Protection Commission Ireland (@DPCIreland) October 3, 2018
6 comments on “Some Android apps are secretly sharing your data with Facebook”
How has this gotten so out of hand!? As few as 20 years ago no one would have believed that a few companies would be able to follow my movements so closely. They say it’s just for advertising, but as the article mentions, there could be religious and medical implications as well. This isn’t good by any means or standards. Unfortunately, this is one of those bells that cannot be on unrung, no matter how many laws are put in place. As I’ve always said, you make a rule, I’ll find a way around it….. unfortunately.
If Facebook shares data about your travel plans with a third party – say a company that is part of an international burglar ring that makes it a point to rob houses while people are on vacation, can Facebook be sued for contributing to the burglary? Or will they be exempt like Agency xxx is for creating exploits used in international crimes?
I know, not really a question, more of a statement. It’s just so frustrating to see these Data Leaks generate fees/fines/taxes for companies, while individuals get jail time. It sends a clear message to companies that they can do anything and only have to share a small portion of the profits to cover the fine.
Thank you for reporting on this abusive trend, and noting some of the companies that are being responsive to privacy concerns.
The best way to protect your privacy is not to share any personal data at first with companies like Google. I am using /e/ on my Galaxy S9 instead of Google Android. It is Android based mobile OS designed with privacy in mind. Does not send any private data like contacts, emails or location to Google. Instead of Google apps it uses open source android apps. So far it works great.
Why was the name and url removed? Im interested in anything other than google..
The name of the product is right there in your comment. Easy enough for anyone who is interested to find.
For safety’s sake we don’t allow off-site links in comments.
Hi, thanks for reporting this important issue. Please note, that iOS-Apps are also affected. A smaller study from the German consumer information platform mobilsicher.de has published a very similar study some weeks prior to Privacy International (disclaimer: I am the author) with the same results. The iOS-Versions from this study were subsequently tested and all of them had the Facebook-SDK too. Would be great if you update this in your blogpost.