Apps sending usersâ data to Facebook without their consen…
Some of the most popular apps for Android smartphones, including Skyscanner, TripAdvisor and MyFitnessPal, are transmitting data to Facebook without the consent of users in a potential breach of EU regulations.
In a study of 34 popular Android apps, the campaign group Privacy International found that at least 20 of them send certain data to Facebook the second that they are opened on a phone, before users can be asked for permission.
Information sent instantly included the appâs name, the userâs unique ID with Google, and the number of times the app was opened and closed since being downloaded. Some, such as travel site Kayak, later sent detailed information about peopleâs flight searches to Facebook, including travel dates, whether the user had children and which flights and destinations they had searched for.
European law on data-sharing changed in May with the introduction of General Data Protection Regulation (GDPR) and mobile apps are required to have the explicit consent of users before collecting their personal information. Fines for breaching GDPR can be up to 4 per cent of revenues or â¬20 million, whichever is greater.
The researchers looked at apps with built-in Facebook trackers and intercepted data as it was sent. Many of the apps are free, suggesting that they make money from data-sharing and advertising.
Frederike Kaltheuner, who carried out the research, added that while Facebook places responsibility for complying with regulations on app developers, the US companyâs developer kit did not give the option of waiting for a userâs permission before transmitting some types of data.
âAt least four weeks after GDPR, it wasnât even possible to ask for consent, because of the default setting of Facebookâs SDK [software development kit]. This means data is automatically shared the moment the app opens,â she said.
Several app developers have complained about the issue to Facebook since May, filing bug reports on Facebookâs developer platform saying they were unable to comply with the law.
For instance, on May 29th, four days after GDPR came into effect in the EU, a developer posted: âHi all. We analized [sic] network activity of Facebook SDK for Unity and found that on application start it sends some requests to graph.facebook.com. It seems to be violation of GDPR: we can not send anything about a user until he allows us to do that. Could you please fix that or strongly confirm that these requests donât violate GDPR.â
A few weeks, and several complaints later, Facebook responded to say it had created a fix but that developers would need to download the upgrade to use it. But developers have continued to file bug reports and it is not clear if the fix works.
âSix months after the release of the feature, we are still seeing very little evidence that developers are implementing it. Of all the apps that we have tested, 67.7 per cent automatically transmit data to Facebook the moment the app is launched,â the Privacy International report noted.
A spokesperson for Facebook said that app developers could disable automatic data collection, and that this year it had introduced a new option that allows developers to delay collection of app analytics information.
The researchers also found that many apps were running older versions of the SDK as recently as this month that would not allow them to use the voluntary feature as it was designed.
Facebook can tie an Android ID to a userâs social network profile, instantly identifying them
Another major concern raised by activists is the âde-anonymisationâ of the data â the practice of linking personal data back to a user, which is prohibited by GDPR.
Facebook can tie an Android ID to a userâs social network profile, instantly identifying them and adding any additional information to their personal profile.
âFor example, an individual who has installed the following apps that we have tested, Qibla Connect (a Muslim prayer app), Period Tracker Clue (a period tracker), Indeed (a job search app), My Talking Tom (a childrenâs app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent,â the report said.
Facebook can also use the data to cross-target multiple people â for example, if a married couple use apps on the same wifi, or at the same location, their Android IDs can be tied together to target similar advertising to both of them.
Previous research from Oxford university has shown that 43 per cent of free apps on the Google Play store could share data with Facebook, making the social network the second most prevalent third-party tracker after Googleâs parent company Alphabet.
A Facebook spokesperson wrote to the Privacy International researchers in response to their study, saying: âWe agree that . . . itâs important for people to have access when we receive information about them when theyâre not using our services, and to have control over whether we associate this information with them.
âRecognising the value of improvements in this area, weâre currently working on a suite of changes, including developing a new tool called Clear History, that we hope will address your feedback.â
A Skyscanner spokesperson said: âWe were not aware that data was being sent to Facebook in this way without prior consent from our users, which went against our own internal rules on the integration of third-party technologies. We are still investigating how this happened.
âWeâre currently reviewing our approach, both to this issue and to the use of similar technologies more generally, to ensure weâre doing everything we should be.â
TripAdvisor and Kayak did not respond to requests for comment and MyFitnessPal declined to comment.