Facebook apps secretly sending sensitive data back to the mothership

A trio of privacy earthquakes shook Facebooklandia on Friday.

TL;DR: It turns out that…

  1. Eleven third-party apps are sharing our sensitive data with Facebook. Don’t want the network to know when you menstruate? The purchase price for that house you ogled? Tough. News about the oversharing came from the Wall Street Journal [paywalled] on Friday, and as a result…
  2. New York’s governor called on two state agencies to investigate this “secret” sharing of health and financial data, which apparently violates Facebook’s own policies, and which is reportedly done to both non-Facebook users and non-logged-in users, without much by way of explicit user consent. Meanwhile…
  3. 60 pages of un-redacted legal documents from a lawsuit between Facebook and app developer Six4Three were anonymously posted on GitHub. The documents haven’t been independently confirmed, The Guardian reports, but Facebook hasn’t denied their authenticity. The internal emails reveal that Facebook planned to spy on Android users and that Facebook itself had what it called a near-fatal brush with a data privacy breach when a third-party app came close to disclosing its financial results ahead of schedule.

To get to the bottom of the WSJ’s findings about the blabby apps, New York Governor Andrew Cuomo said that he’s putting multiple agencies to work on the matter.

If the WSJ’s investigation proves to be accurate, and if those freshly leaked internal emails from Six4Three prove authentic, it’s going to paint an even uglier picture of Facebook post-Cambridge Analytica, governmental investigations and fines

… when one might have reasonably assumed that the company would have been backed up its protestations about data-bumbling third-party apps breaching its policies with at least a semblance of reining them in.

In the meantime, a few more details about this batch of fresh Facebook news:

You told Facebook WHAT??!

On Friday, the WSJ reported that iOS and Android apps are disgorging some of the personal health- and finance-related data of millions of users. From its report:

Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status.

In other words, personal data that users wouldn’t necessarily want to share with Facebook.

Nonetheless, the WSJ said, tests showed that Facebook’s software collects data from numerous apps within seconds of it being entered by the user, with no sign of a prominent or specific disclosure by the app. This is the case even when a user hadn’t logged into Facebook for authentication, or even if a user didn’t have a Facebook account to begin with.

That includes popular apps that have been downloaded by millions of users, including:

  • Instant Heart Rate: HR Monitor by Azumio, the most popular heart-rate app in Apple’s App Store. It sends users’ heart rates immediately after a reading is taken.
  • The Flo Period and Ovulation Tracker: its developers claim that the iOS and Android app has been downloaded by over 70 million users worldwide. The app tracks when users get their periods and when they want to get pregnant: information it was, or may still be, reportedly passing on to Facebook.
  • Realtor.com sends Facebook the location and price of listings viewed by a user, as well as those marked as favorites, according to the WSJ’s tests.

I’ve asked those three companies for comment and will update the story if I hear back. As far as NY State Governor Cuomo is concerned, the conclusions reached by the WSJ’s investigation display what he called…

Facebook’s “outrageous abuse of privacy”

Cuomo said that the WSJ report represents “an invasion of privacy and breach of consumer trust” and that Facebook’s actions are an “outrageous abuse of privacy”.

Cuomo is asking for a probe from the New York Department of State and the Department of Financial Services, among others. He’s also called on relevant federal regulators to “step up and help us put an end to this practice and protect the rights of consumers.”

New Yorkers deserve to know that their personal information is safe, and we must hold internet companies – no matter how big – responsible for upholding the law and protecting the information of smartphone users.

Reuters reports that Facebook said in a statement that it would assist New York officials in their probe, but that the WSJ’s report focused on how other apps use people’s data to create ads. From Facebook’s statement:

As [the WSJ] reported, we require the other app developers to be clear with their users about the information they are sharing with us, and we prohibit app developers from sending us sensitive data. We also take steps to detect and remove data that should not be shared with us.

Third-party app violated Zuck’s privacy

Speaking of inappropriately sharing data, the GitHub-doxed documents include internal emails between Facebook execs that show that one of its own – as in, head honcho Mark Zuckerberg – almost fell victim to a near-catastrophic privacy breach brought about by a third-party app.

As The Guardian reports, in one email thread, former Facebook vice president Michael Vernal refers to some type of issue with an app that came close to disclosing the company’s financial results ahead of schedule.

From the email discussion:

Listen guys/gals – DO NOT REPEAT THIS STORY OFF OF THIS THREAD… I’m super, super serious here. I want us to follow-up on this and respond urgently here, but I also do not want this story spreading inside of Facebook or off of this thread at all. I can’t tell you how terrible this would have been for all of us had this not been caught quickly.

Another of the documents looks to be an 8-page July 2012 memo – one marked “highly confidential” – from Marne Levine, formerly Facebook’s vice president of global public policy.

At one point, Levine talks about plans for data collection on Android devices, writing:

We’ll be collecting users’ location data and matching it with cell site IDs. This information will be stored in anonymous form but will allow us to roll out location-aware ‘feature phone’ products in the future. Second the growth team wants to begin collecting certain limited information about whether users have a non-Google app store enabled and which default applications they are using for certain Facebook functions (camera, messages, etc) for competitive analysis and product improvement purposes.

Six4Three: The gift that keeps giving

These emails are just the latest documents to come out of a lawsuit brought against Facebook by the tiny, your-Facebook-friends-in-bikinis developer Six4Three. Six4Three has been wrangling with Facebook in US court since 2015 over allegations that Facebook turned off the Friends Data API spigot as a way of forcing developers to buy advertising, transfer intellectual property or even sell themselves to Facebook at bargain basement prices.

In December, the UK Parliament’s inquiry into fake news got its fingers into the legal Six4Three pie and came out with a fistful of Facebook staff’s private emails, which it then published.

Six4Three has alleged that the correspondence shows that Facebook was not only aware of the implications of its privacy policy, but actively exploited them. Damian Collins MP and his committee were particularly interested in the app company’s assertions that Facebook intentionally created and effectively flagged up the loophole that Cambridge Analytica used to collect user data.

The UK Parliament drew on the Six4Three documents as it prepared its recently released report on disinformation and fake news. One of its conclusions: that companies like Facebook shouldn’t be allowed to behave like “digital gangsters” in the online world, considering themselves to be ahead of and beyond the law.

Are these internal emails for real?

Although the Guardian noted that it doesn’t have independent verification of the internal emails, Facebook itself didn’t deny that they’re legit. Rather, it stuck to its “these don’t tell the whole story” line in this statement:

Like the other documents that were cherrypicked and released in violation of a court order last year, these by design tell one side of a story and omit important context. As we’ve said, these selective leaks came from a lawsuit where Six4Three, the creators of an app known as Pikinis, hoped to force Facebook to share information on friends of the app’s users. These documents have been sealed by a Californian court so we’re not able to discuss them in detail.