A study of 34 popular Android apps found that at least 20 of the apps are sending user data to Facebook without consent. The transmitted data ranges from easily available info to that of a most sensitive nature. Apps found doing this include Kayak, MyFitnessPal, Skyscanner, TripAdvisor, and other popular apps.
The Privacy International campaign group found that at least 20 [apps] send certain data to Facebook the second they are opened on a phone, before [users] can be asked for permission.
The information sent instantly included the name of the application, the user's unique identifier with Google and the number of times the application was opened and closed since it was downloaded. Some, such as Kayak, the travel site, then sent detailed information about people’s flight searches to Facebook, including travel dates, whether the user had children and what flights and destinations they had searched for.
Transmission of this data is almost certainly a violation of Europe’s General Data Protection Regulation (GDPR) privacy laws. The laws require that users be asked for consent before any personal data is collected. The penalties for violation of the laws could lead to a developer being required to turn over 4% of their annual income to the EU. This is all said to be due to a Facebook SDK.
Frederike Kaltheuner, who conducted the research, added that while Facebook assigns responsibility for complying with regulations to application developers, the developer kit of the US company did not give the option of waiting for permission from a user before transmitting some types of data.
“At least four weeks after GDPR, it was not even possible to ask for consent, due to the default configuration of the Facebook SDK [software development kit], which means that the data is automatically shared at the moment the application is opened,” he said.
Several application developers have complained about the problem to Facebook since May, filing bug reports on Facebook’s developer platform in which they said they could not comply with the law.
While a recent Facebook SDK update is said to resolve the issue, many of the popular apps do not yet use the updated SDK. Some developers claim that the data transmission continues to occur even when they use the new SDK.
Sensitive information about a user could be gleaned from multiple apps, creating a profile of the user.
For example, a person who has installed the following applications that we have tried, Qibla Connect (a Muslim prayer application), Period Tracker Clue (a period tracker), Indeed (a job search application) and My Talking Tom (an application for children), could be outlined as a probable woman, probably Muslim, a probable job applicant and a probable mother.
iOS users shouldn’t be concerned that their data is being transmitted back to Facebook, as the data collection issue doesn’t appear to extend to iOS versions of the apps.