Android users: Popular apps still send data to Facebook without your consent

Group pushes privacy regulators to investigate third-party tracking in mobile apps.
Written by Liam Tung, Contributing Writer

Rights group Privacy International (PI) is once again drawing attention to popular apps like Yelp and Duolingo sending data to Facebook as soon as they are launched and before users can consent to it.   

The group in December called out 21 popular Android apps for sending data to Facebook as soon as the user opens an app, among them Spotify, Skyscanner, Kayak, Yelp, and Duolingo. It also highlighted that two Muslim prayer apps, Qibla Connect and Muslim Pro, displayed the same behavior. 

It found the apps automatically send so-called 'events data', such as the fact the app is installed, to Facebook's servers before users can give their consent, which PI argues is required under Europe's GDPR. 

The common thread between the apps is they use the Facebook mobile software developer kit (SDK), a popular mobile analytics platform that provides data about how people are using a mobile app so that developers can target ads. 'App Events' is one feature of the Facebook iOS and Android SDK.   

In an update today, Privacy International said two-thirds of the 21 reviewed apps no longer contact Facebook when the user opens the app. These include Spotify, Skyscanner and Kayak. 

However, it also found some of the apps still displayed the same behavior, including Yelp, Duolingo, the Indeed job search app, the King James Bible app, as well as Qibla Connect and Muslim Pro. It notes that Duolingo has said it would remove the Facebook SDK App Events component from its iOS and Android apps in upcoming releases. 

SEE: IT pro's guide to GDPR compliance (free PDF)

The group's concerns are different to those raised in a Wall Street Journal article in February about the Facebook SDK, which highlighted that 11 apps were sending sensitive events data to Facebook, including information about heartbeat rates, blood pressure, menstrual cycles, and pregnancy status.    

At the time, former Facebook product manager Antonio García Martínez defended the company, pointing out that the Facebook SDK is merely the mobile-app equivalent of Google Analytics and that the events data is not stored in a usable form. 

He also argued that developers, rather than Facebook, are responsible for what gets sent to its servers via the SDK.     

Privacy International on the other hand is focusing on the issue of consent and the way these apps send data to Facebook before users can give it. The data transmitted to Facebook's servers include 'App installed' and 'SDK Initialized'. 

"This data reveals the fact that a user is using a specific app, every single time that user opens an app," it noted in December

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

It's also concerned about what can be told about a person through their use of multiple apps and that apps send data to Facebook with a unique advertising identifier. 

"If combined, data from different apps can paint a fine-grained and intimate picture of people's activities, interests, behaviors, and routines, some of which can reveal special-category data, including information about people's health or religion," it explained. 

In today's post, Privacy International also highlight a problem for competition, pointing to Facebook's use of the Onavo app to collect intelligence about rivals

"This is hugely problematic, not just for privacy, but also for competition. The data that apps send to Facebook typically includes information such as the fact that a specific app, such as a Muslim prayer app, was opened or closed. This sounds fairly basic, but it really isn't," the group wrote. 

"Since the data is sent with a unique identifier, a user's Google advertising ID, it would be easy to link this data into a profile and paint a fine-grained picture of someone's interests, identities, and daily routines. And since so many apps still send this kind of data to Facebook, this could give the company an extraordinary insight into a large share of the app ecosystem."

Previous and related coverage

Facebook's worst privacy scandals and data disasters

Time and time again, Facebook has been slammed for privacy practices and data handling. Here are some of the most prominent, recent scandals of note.

Another Facebook privacy scandal, this time involving its mobile analytics SDK

Don't be too quick to blame Facebook on this one. The company may not actually be so guilty this time.

How to choose the VPN that's right for you

You'll find a lot of VPN guides out there, but how relevant are their recommendations to your personal needs? Here's a better way to think about your VPN decision, and what matters most to you, your usage, and your location.

Privacy International hits out at unconsented Facebook tracking within apps

Popular apps like Kayak and Duolingo are firing off users' Google ad IDs to Facebook the moment apps are launched.

Facebook's new location controls on Android will let users disable background collection

The social network released new location controls for Android that lets users limit background data collection when the Facebook app isn't in use.

Key takeaways from damning UK report on Facebook's world of "digital gangsters" 

The committee report on fake news and data misuse says Facebook maximizes revenue "at all costs" -- even when the cost is user privacy and trust.

Facebook data privacy scandal: A cheat sheet TechRepublic

Read about the saga of Facebook's failures in ensuring privacy for user data, including how it relates to Cambridge Analytica, the GDPR, the Brexit campaign, and the 2016 US presidential election.

Facebook's two-factor authentication puts security and privacy at odds CNET

Stop using your phone number for two-factor authentication on Facebook.

Editorial standards