A new study by the UK advocacy group Privacy International, published on December 29, has highlighted the Android apps that share sensitive personal data with Facebook.
It's well known that Facebook shares vast amounts of personal data with advertisers in order to create revenue streams. What many people might not realize is that Facebook is covertly handling huge amounts of personal data gained from third-party apps and websites.
Many people are now cautious about their online privacy and are choosing to delete their Facebook accounts or be extra-vigilant about what they share on the platform. In fact, if you take extreme care, it is possible to give Facebook vastly less data than the majority of users willingly hand over.
Free app concerns
In its report, Privacy International (PI) explains that in the aftermath of the Cambridge Analytica scandal it is vital for consumers to understand what data is being shared with Facebook. Until now, this has meant US Data Protection Authorities have focused their attention on how websites share data with Facebook. Now, PI feels it is necessary to raise consumer awareness about how data may end up in Facebook’s hands - even when consumers don’t have a Facebook account themselves.
The new PI report reveals that a whopping 42.55% of the free apps it tested on the Google Play store are sharing data with Facebook. In fact, 61% of the apps it tested share data with the social media giant the moment they are downloaded and opened. The same is believed to be true of many other free Android apps. According to PI that makes Facebook “the second most prevalent third-party tracker after Google’s parent company Alphabet.”
PI performed tests on 34 popular apps on the Android platform between August and December of 2018. Each app was chosen because it had been installed between 10 and 500 million times. During its research, PI used the free, open-source tool mitmproxy to check what data the apps were sharing with Facebook.
PI discovered that many of the apps it tested were automatically transmitting data back to Facebook because of Facebook's Software Development Kit (SDK). According to many app developers, Facebook's SDK may actually be sending data back to the social media giant against their wishes. This is hugely problematic because it appears that Facebook's SDK may actually be forcing third-party apps to break the EU's GDPR rules:
"Facebook places the sole responsibility on app developers to ensure that they have the lawful right to collect, use and share people’s data before providing Facebook with any data. However, the default implementation of the Facebook SDK is designed to automatically transmit event data to Facebook.
Since May 25, 2018 – the day that the EU General Data Protection Regulation (GDPR) entered into force - developers have been filing bug reports on Facebook’s developer platform, raising concerns that the Facebook SDK automatically shares data before apps are able to ask users to agree or consent."
How it works
The Facebook SDK is freely available to any developer who wants to produce an app for Android. The SDK makes it easier for developers to create apps, which is why the tool is popular. Facebook’s SDK also permits app developers to embed code that automatically shares data with Facebook. This is useful because it allows both Facebook and those third-party developers to create a revenue stream from an otherwise free-to-use app. PI explains why data is shared:
“In our analysis, apps that automatically transmit data to Facebook share this data together with a unique identifier, the Google advertising ID (AAID). The primary purpose of advertising IDs, such as the Google advertising ID (or Apple’s equivalent, the IDFA) is to allow advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile.”
Unfortunately, the report reveals that some of the data being shared with Facebook paints an “intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data.”
Some of the popular apps - King James Bible Free, Qibla Connect, or Muslim Pro prayer times app - instantly reveal people’s religious beliefs. Others such as Period Tracker Clue or Instant Heart Rate Monitor can reveal sensitive health information. According to PI, other apps that were tested revealed whether a person is likely to be female, a job seeker, or a parent.
The immensely popular travel app KAYAK tells Facebook about people's vacation plans. This includes data pertaining to their departure city and destination, which airports they intend to use, when they intend to travel, and how many people they intend to travel with. It also sends Facebook information about the seating class they prefer - giving Facebook vital clues about their spending power.
Data treasure trove
For Facebook, a platform that is always looking for application usage trend data in order to produce new apps and services of its own, the data is extremely useful:
“If combined, event data such as "App installed", "SDK Initialized" and "Deactivate app" from different apps also offer a detailed insight into the app usage behavior of hundreds of millions of people.”
What’s more, PI found that despite offering people ways to opt out of how they are tracked using cookies, those options had “no discernible impact on the data sharing” described in the report. This adds to previously raised concerns about Facebook's Onavo VPN - which is believed to be an invasive data honeypot rather than a privacy-friendly service.
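The following added example (not from the article or from Privacy International's report) sketches the kind of check the mitmproxy tests describe, run over a constructed capture: it groups tracker-bound events by advertising ID, showing how one ID links activity across apps, and flags apps that transmitted before any consent answer. The host name graph.facebook.com, the form field names, the package names and all values are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed tracker endpoint host; the article names Facebook but not the host.
TRACKER_HOSTS = {"graph.facebook.com"}

# Constructed capture, one record per intercepted request (t = seconds after launch).
# Package names, field names and the advertising ID value are all made up.
CAPTURE = [
    {"t": 0.4, "app": "com.example.prayer", "url": "https://graph.facebook.com/activities",
     "body": "event=SDK+Initialized&advertiser_id=aaid-0001"},
    {"t": 0.5, "app": "com.example.prayer", "url": "https://graph.facebook.com/activities",
     "body": "event=App+installed&advertiser_id=aaid-0001"},
    {"t": 2.0, "app": "com.example.flights", "url": "https://graph.facebook.com/activities",
     "body": "event=SDK+Initialized&advertiser_id=aaid-0001"},
    {"t": 8.0, "app": "com.example.notes", "url": "https://graph.facebook.com/activities",
     "body": "event=SDK+Initialized&advertiser_id=aaid-0001"},
    {"t": 9.0, "app": "com.example.notes", "url": "https://api.example.org/sync",
     "body": "advertiser_id=aaid-0001"},  # not a tracker host, so it is ignored
]
# When the user answered each app's consent prompt; None means it was never shown.
CONSENT_AT = {"com.example.prayer": None, "com.example.flights": 10.0,
              "com.example.notes": 5.0}

def tracker_events(capture):
    """Yield (app, time, advertising_id, event) for requests sent to tracker hosts."""
    for rec in capture:
        if urlsplit(rec["url"]).hostname not in TRACKER_HOSTS:
            continue
        fields = dict(parse_qsl(rec["body"]))
        aaid = fields.get("advertiser_id")
        if aaid:
            yield rec["app"], rec["t"], aaid, fields.get("event", "unknown")

def profiles(capture):
    """Group events by advertising ID: what the recipient can link across apps."""
    linked = defaultdict(list)
    for app, _t, aaid, event in tracker_events(capture):
        linked[aaid].append((app, event))
    return dict(linked)

def sent_before_consent(capture, consent_at):
    """Apps that transmitted to a tracker before the user answered a consent prompt."""
    flagged = set()
    for app, t, _aaid, _event in tracker_events(capture):
        answered = consent_at.get(app)
        if answered is None or t < answered:
            flagged.add(app)
    return sorted(flagged)
```
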
Apps to stay away from
The first thing to remember is that when apps are free they usually attempt to produce a revenue stream using people’s data. For this reason, it is important to always check app permissions when you install new apps. If those permissions seem overly invasive - you may want to think twice about installing them.
What’s more, it would appear that at least some of the apps that have been developed using Facebook’s SDK do not specifically get users' agreement to share data with Facebook. This is in direct breach of the EU’s new GDPR legislation.
Anybody concerned that their data is being shared with Facebook is advised to seriously consider deleting the apps below following this report:
Calorie Counter - MyFitnessPal
Duolingo - Learn Languages Free
Family locator - GPS tracker
Indeed Job Search
Instant Heart Rate - HR Monitor and Pulse Checker
KAYAK Flights, Hotels and Cars
King James Bible (KJV) Free
Muslim Pro - Prayer Times, Azan, Quran & Qibla
My Talking Tom / My Talking Hank etc
Period Tracker Clue: Period & Ovulation Calculator
Qibla Connect® Find Direction- Prayer, Azan, Quran
Skyscanner - Cheap Flights, Hotels and Car Rental (App sends Facebook data even when Ad Personalisation is set to Off)
Super-Bright LED Flashlight
The Weather Channel: Local Forecast & Weather Maps
TripAdvisor Hotels Flights Restaurants Attractions
صلاتك Salatuk (Prayer time)
Image credits: Allmy/Shutterstock.com, Bloomicon/Shutterstock.com