Facebook is once again coming under public scrutiny over its data privacy policies, this time after a comprehensive report from Privacy International showed how many popular Android apps are sharing personal user data with Facebook. This data sharing usually starts as soon as a user opens up the app, and can occur without even asking for user consent. Even more troubling, this data sharing can happen even if a person does not have a Facebook account, or is logged out of their current Facebook account.
Findings from the Privacy International report
The biggest finding from Privacy International is that 61% of apps automatically transfer data to Facebook the moment a user opens the mobile app. Privacy International looked at 34 different apps on Android, all of them popular apps such as TripAdvisor or Kayak that are readily available on the Google Play store. The install base for each of these apps ranged from 10 to 500 million. Of these 34 apps, 20 transmitted personal data to Facebook without user consent.
The issue, says Privacy International, involves the Facebook Software Development Kit (SDK). For app developers, the SDK is the technology framework that they use to integrate their apps with Facebook, making it also the framework for transmitting data to Facebook. According to developers, the SDK is the reason why apps were automatically sharing data before they could obtain consent. In many bug reports, developers specifically told Facebook that this problem existed. And it is only recently that Facebook has changed the SDK to account for this problem.
Personal data being transmitted to Facebook
There are several different types of data that apps are transmitting to Facebook without consent from users. The first type of data is known as “events data,” and simply lets Facebook know that a certain app has been opened, and that functionality for this app has been engaged via the SDK. This happens every single time a user opens an app.
However, there is a second type of data that is transmitted – and that is data related to usage. This is where Facebook will likely come under even more intense scrutiny. That’s because apps that transmit data also share a unique identifier (known as the Google advertising ID, or AAID) with other apps. This unique identifier by itself is not enough to establish a person’s identity, but when combined with data from several apps, it can be used to establish a complete profile of a user.
The report from Privacy International specifically notes, “If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines…” Thus, the more apps that are downloaded, the more data is shared, and the more comprehensive the profile of the user becomes. It would be relatively easy, for example, to tell if a user was male or female, whether or not they were married with kids, and if they were looking for a job. Access to user data, in turn, could be used for targeted advertising purposes, including both personalized and non-personalized ads.
Moreover, apps like the travel search app Kayak transmit even more data to Facebook. Every time you search for a travel deal on Kayak, for example, the app has the potential to transmit information about your departure city, the dates of your trip, what type of ticket you are purchasing (e.g. economy or business class), and even whether or not you will be traveling with kids. That is exactly what Privacy International has in mind when it talks about the “intimate” and “sensitive” nature of the data transmitted – all of it occurring without user consent on a mobile device.