Android apps have been secretly sharing usage data with Facebook, even when users are logged out of the social network – or don’t have an account at all.
Advocacy group Privacy International announced the findings in a presentation at the 35th Chaos Computer Congress late last month. The organization tested 34 apps and documented the results in a downloadable report.
The investigators found that 61% of the apps tested automatically tell Facebook that a user has opened them. This accompanies other basic event data such as an app being closed, along with information about their device and suspected location based on language and time settings. Apps have been doing this even when users don’t have a Facebook account, the report said.
Some apps went far beyond basic event information, sending highly detailed data. For example, the travel app Kayak routinely sends search information including departure and arrival dates and cities, and numbers of tickets (including tickets for children).
Language learning app Duolingo was among several apps that the report called out for sharing extra data, including “how the app is used, which menus the user has visited, and other interaction information”.
The occasional message telling someone that you’ve opened a language learning app and decided to brush up on your German may seem harmless enough, but it still has Privacy International worried. The report said:
If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines.
Moreover, the report says that this basic SDK data could cross over into a special category of user data specially protected under GDPR. If you open a medical or religious app and that data is sent to Facebook, it could include data about the user’s health or religious beliefs, it says.
This is more likely when apps send this information with a unique Google advertising ID (AAID), which according to the report they often do. Many advertising technology companies sync AAIDs across different devices so that they can build a better profile of a user’s activities across mobile and desktop.
What could Facebook use such information for? Some possible uses highlighted by the report include matching contacts and building targetable audiences. The social network has also been known to track application usage in the past to gain market intelligence about which apps people are using, as it did with the Onavo VPN product that it purchased and subsequently removed from Apple’s app store.
Facebook provides opt-out mechanisms that are supposed to allow people without Facebook accounts to control the ads they see. However, using those opt-outs doesn’t stop the apps from sharing users’ usage data, the report alleged. Neither do the enhanced controls governing how apps collect data, which Google included in Android 6.0 and up.
Apps share this event data via a software development kit (SDK) that developers must use if they want their apps to interact with the social network. The report says that while developers have been able to restrict the event data that they send for a while, the SDK still sent the basic data about opening apps as part of an initialization process that developers couldn’t control.
The default data collection could put Facebook in violation of Europe’s General Data Protection Regulation (GDPR), according to Privacy International. The inability to stop their own apps sending data to Facebook led several developers to contact Facebook raising concerns about compliance.
The report warns that automatically giving up user event data via the SDK may contravene GDPR’s consent rules, adding that even if the user agreed to blanket terms and conditions when installing an app, they couldn’t easily revoke that consent later. It said:
…under the default implementation of the SDK, personal data is transmitted to Facebook before an individual has had the opportunity to be provided with further information or to consent to such data sharing.
Facebook released version 4.34 of the SDK on 28 June, which it said allowed developers to delay sending SDK initialization data until the developer had gained the user’s consent. However, that SDK release came 35 days after GDPR came into effect. Even now, developers must still opt to delay the SDK sending that data.
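A developer can check whether their own app holds SDK traffic back until consent by recording its requests through an intercepting proxy and comparing timestamps against the moment the consent dialog was accepted. The sketch below is an added example, not code from the report or from Facebook; the capture records, the form-field names (event, advertiser_id) and the APP_ID path are constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumption: hosts treated as Facebook endpoints in the capture.
FACEBOOK_HOSTS = {"graph.facebook.com"}
# Assumption: form-field names that may carry the Google advertising ID.
AD_ID_FIELDS = {"advertiser_id"}

# Constructed capture: "t" is seconds since app launch, as a proxy log might record.
CAPTURE = [
    {"t": 0.9, "host": "graph.facebook.com", "path": "/APP_ID/activities",
     "body": "event=app_open&advertiser_id=00000000-0000-4000-8000-000000000001"},
    {"t": 1.4, "host": "api.example.test", "path": "/v1/config", "body": ""},
    {"t": 6.2, "host": "graph.facebook.com", "path": "/APP_ID/activities",
     "body": "event=search&origin=AAA&destination=BBB&children=1"},
    {"t": 31.0, "host": "graph.facebook.com", "path": "/APP_ID/activities",
     "body": "event=app_close&advertiser_id=00000000-0000-4000-8000-000000000001"},
]


def audit(capture, consent_time):
    """Return one finding per request sent to a Facebook host.

    consent_time is the number of seconds after launch at which the user
    accepted the consent dialog, or None if the user never consented.
    """
    findings = []
    for req in capture:
        if req["host"].lower() not in FACEBOOK_HOSTS:
            continue
        fields = parse_qs(req["body"], keep_blank_values=True)
        findings.append({
            "t": req["t"],
            "event": fields.get("event", ["?"])[0],
            "has_ad_id": any(name in fields for name in AD_ID_FIELDS),
            "pre_consent": consent_time is None or req["t"] < consent_time,
            # Anything beyond the event name and ad ID is detailed usage data.
            "extra_fields": sorted(set(fields) - AD_ID_FIELDS - {"event"}),
        })
    return findings


def violations(capture, consent_time):
    """Requests that reached Facebook before consent was given."""
    return [f for f in audit(capture, consent_time) if f["pre_consent"]]


if __name__ == "__main__":
    for finding in violations(CAPTURE, consent_time=10.0):
        print(finding)
```

With consent recorded at 10 seconds, the first two Facebook-bound requests are flagged; an app that delays SDK initialization correctly would produce an empty list.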
The report suggests that the SDK as it stands may well violate GDPR’s principle of data protection by design and by default, which requires companies to gather only the data they need for specific purposes:
…the design of the Facebook SDK together with the default Facebook SDK implementation does exactly the opposite, namely automatically (by default) transferring personal data to Facebook for unspecified purposes.
Should Facebook be responsible for how third-party developers pass on user data? Privacy International thinks so, asserting that they share responsibility:
Facebook cannot simply shirk responsibility for the data transmitted to it via Facebook’s SDK by imposing contractual terms on others such as App developers or providers.
Some developers have already responded to the Privacy International report. Skyscanner, which was using a pre-June version of the SDK, said that it had updated its app to use a newer version and would audit its consent tracking.
Privacy International’s research project couldn’t have come at a more sensitive time for Facebook. The Irish Data Protection Commissioner is already investigating the company’s data breach last year, which saw up to 50 million accounts compromised, to see if it violated the GDPR:
Data Protection Commission Ireland (@DPCIreland) October 03, 2018