At least 20 popular Android apps are still sending user data to Facebook without consent, study finds
In the wake of the Cambridge Analytica scandal, the landscape of online privacy has drastically changed. Users have been made more aware of exactly how they’re being tracked by companies like Google and Facebook, and lawmakers have tried to combat invasive tracking with efforts like GDPR. Despite all these efforts to curtail companies’ surreptitiously keeping tabs on their user base (and even non-users), it doesn’t seem that the big players in personal data care. Case in point: a recent report by Privacy International (PI) found that at least 20 popular applications have been sending user data to Facebook without user content or knowledge.
PI tested 34 Android apps with an install base greater than 10 million users and found that 20 send user data to Facebook within the first second of the app opening. This data is sent regardless of whether or not the user has a Facebook account and occurs immediately without notifying the user or asking for consent to send the data.
For the most part, this data is simply a trigger that the app has been opened and Facebook’s Software Development Kit (SDK) has been initialized. However, some apps also send personal data, such as user location, family size, whether or not the user has children, gender, and more. All of this data is tied to a specific Google advertising ID (AAID). This can potentially create a profile of the user based on their app usage.
PI gave an example of a user that installs a few apps (Qibla Connect, Period Tracker Clue, Indeed, and My Talking Tom). The data sent from these apps could tell Facebook that the user is likely a Muslim woman with children looking for a job.
One of the worst offenders is KAYAK, a travel and flight tracking app. KAYAK sends a fairly detailed report to Facebook every time it’s opened, including departure and arrival cities, the number of tickets purchased (including children’s tickets), ticket class, and departure and arrival dates.
Worse still, PI found that even using Facebook’s own opt-out options for non-users made no difference in the data sent by apps.
The culprit appears to be Facebook’s SDK. Apparently, developers must proactively set a flag to delay the data transfer until consent is given by the user. This option is only available in SDK version 4.34 or later, meaning that app developers must actively update their applications to use the new SDK. It’s obvious that the developers of the apps in question either haven’t set the appropriate flag or haven’t upgraded their Facebook SDK to a current version.
This report raises several legal questions. Facebook was already raked over the coals for failing to comply with GDPR for a month after the law’s implementation. The feature described above wasn’t included in Facebook’s SDK until 35 days after GDPR took effect. At this point, the primary question is not whether or not these data transfers are legal (they’re not); it remains to be determined who exactly is at fault.
Facebook is placing the blame squarely at the feet of app developers. In an email to PI, Facebook said that developers have long had the option to fully disable the automatic transmission of event logging and that the update (made in June of this year) gives developers better control over implementing event logging in a way that complies with GDPR. In responses sent to PI, many app developers stated they were unaware of the problems and will work to update their applications to better comply with privacy law. It’s possible that these app developers were ignorant of how the Facebook SDK was tracking users automatically and instantaneously without consent. It’s also possible that these app developers are simply playing dumb now that they’ve been caught.
In reality, it’s likely that both Facebook and the app developers should share responsibility. On the one hand, Facebook has a reputation for tracking users and non-users in any way possible and may not have encouraged app developers of the updates to their SDK (or made the updates obvious). On the other, app developers are responsible for complying with user data protection laws in every region in which their apps are distributed. All said, the legality of the matter is up to courts to decide, as is blame.
It should be noted that the iOS versions send similar datasets to Facebook, but due to the way that Apple’s advertising IDs work, user consent must first be given. In that vein, iOS apps still track user data but are unable to send it on to Facebook without notifying the user and asking for consent.
The full report and recommendations for steps Android and iOS users can take to protect their privacy can be found here.
Here is a full list of the apps tested. The ones in bold are the 20 found to immediately send data to Facebook upon opening:
- BMI Calculator and weight tracker
- Calorie Counter - MyFitnessPal
- Candy Crush
- Clean Master
- Family Locator GPS Tracker
- HP ePrint
- Indeed Job Search
- Instant Heart Rate: Heart Rate & Pulse Monitor
- King James Bible
- Muslim Pro - Prayer Times, Azan, Quran, & Qibla
- My Talking Tom
- Period Tracker - Period Calendar Ovulation Tracker
- Period Tracker Clue
- Phone Tracker By Number
- Qibla Connect
- Salatuk (Prayer Time)
- Security Master
- Skater Boy
- Super-Bright LED Flashlight
- Turbo Cleaner