Facebook is once again coming under public scrutiny over its data privacy policies, this time after a comprehensive report from Privacy International showed how many popular Android apps are sharing personal user data with Facebook. This data sharing usually starts as soon as a user opens up the app, and can occur without even asking for user consent. Even more troubling, this data sharing can happen even if a person does not have a Facebook account, or is logged out of their current Facebook account.
Findings from the Privacy International report
The biggest finding from Privacy International is that 61% of apps automatically transfer data to Facebook the moment a user opens the mobile app. Privacy International looked at 34 different apps on Android, all of them popular apps such as Trip Advisor or Kayak that are readily available on the Google Play store. The install base for each of these apps ranged from 10 to 500 million. Of these 34 apps, 20 of them transmitted personal data to Facebook without user consent.
The issue, says Privacy International, involves the Facebook Software Development Kit (SDK). For app developers, the SDK is the technology framework that they use to integrate their apps with Facebook, making it also the framework for transmitting data to Facebook. According to developers, the SDK is the reason why apps were automatically sharing data before they could obtain consent. In many bug reports, developers specifically told Facebook that this problem existed. And it is only recently that Facebook has changed the SDK to account for this problem.
Personal data being transmitted to Facebook
There are several different types of data that apps are transmitting to Facebook without consent from users. The first type of data is known as “events data,” and simply lets Facebook know that a certain app has been opened, and that functionality for this app has been engaged via the SDK. This happens every single time a user opens an app.
However, there is a second type of data that is transmitted – and that is data related to usage. This is where Facebook will likely come under even more intense scrutiny. That’s because apps that transmit data also share a unique identifier (known as the Google advertising ID, or AAID) with other apps. This unique identifier by itself is not enough to establish a person’s identity – but when combined with data from several apps, can be used to establish a complete profile of a user.
The report from Privacy International specifically notes, “If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines…” Thus, the more apps that are downloaded, the more data that is shared, and thus, the more comprehensive the profile of the user. It would be relatively easy, for example, to tell if a user was a male or female, whether or not they were married with kids, and if they were looking for a job. Access to user data, in turn, could be used for targeted advertising purposes, including both personalized and non-personalized ads.
Moreover, apps like the travel search app Kayak transmit even more data to Facebook. Every time you search for a travel deal on Kayak, for example, the app has the potential to transmit information about your departure city, the dates of your trip, what type of ticket you are purchasing (e.g. economy or business class), and even whether or not you will be traveling with kids. That is exactly what Privacy International has in mind when it talks about the “intimate” and “sensitive” nature of the data transmitted – all of it occurring without user consent on a mobile device.
Has Facebook violated user consent rules?
The concern now is that Facebook, together with many of the most popular Android apps in the world, might be violating European privacy law. In May 2018, the European General Data Protection Regulation (GDPR) went into effect, and the law specifically notes that companies cannot collect information on users in the European Union without user consent, and that any information collected cannot be used to identify the user. EU user consent rules, then, are much stricter now than those currently in place in the U.S.
So the question really becomes a legal one that will rest considerably upon the term “user consent.” As spelled out by the European GDPR, user consent “must be freely given, specific, informed and unambiguous.” Thus, the fact that the Facebook SDK was being used to transmit information without first having a chance to ask for user consent is particularly troublesome.
Moreover, one could plausibly argue that user consent is no longer “informed” or “unambiguous.” That’s because Privacy International found that user data was being transmitted to Facebook even when the Android phone user did not have a Facebook account! A person without a Facebook account (and even a person who is logged out of his or her Facebook account) would have a reasonable expectation that no data was being shared with Facebook, right? That was not the case with 20 of the 34 apps tested by Privacy International.
And, complicating matters even further, the Privacy International report suggests that any “opt-out” policy from Facebook is basically worthless. Privacy International tested opt-outs for Facebook’s cookies policy and found “no discernible impact” from opting out. In other words, Facebook is going to track you, whether you like it or not.
Regulatory enforcement actions on the horizon
So what happens next? As might be expected, Facebook has thus far said all the right things, just as it did after the Cambridge Analytica scandal came to light. In comments about the report, Facebook has said that it is working to correct the SDK. And the Silicon Valley social network agrees that users should always have the right to know when apps are transmitting their personal data and when data is collected. In words, at least, Facebook has thrown its support behind the concept of user consent.
But haven’t we heard this story before? Facebook first claims to have fixed all the old problems. Then, when those claims are proven to be false (or, at least, highly inaccurate), Facebook promises to mend its bad habits. Then, when talk starts to build about regulatory enforcement and financial penalties, Facebook begins a public relations offensive, promising that its self-regulation will be better and stronger than any that can be imposed by data protection regulators. The only problem is, regulators may finally tire of this strategy and begin to punish Facebook for its continual – and some might say ubiquitous – efforts to collect personal data from users, often without their knowledge or user consent.