Privacy International hits out at unconsented Facebook tracking within apps

Popular apps like Kayak and Duolingo are firing off users' Google ad IDs to Facebook the moment apps are launched.
Written by Chris Duckett, Contributor

UK-based Privacy International on Sunday gave the 35th Chaos Communication Congress a glimpse of the extent to which app developers are handing data to Facebook, even if the user is not a Facebook user.

In its report on the subject, based on testing 34 Android apps that have between 10 and 500 million users, the charity said it was "greatly concerned" with how user data is "exploited" in the back-end systems of Facebook and Google.

Privacy International found that 23 of the apps it tested sent data to Facebook -- data which tells the social network that a user has opened or closed a specific app, along with information about the device, and language and time zone settings. The apps also sent along the user's Google advertising ID, which allows tracking companies to easily conduct profile matching.

Coming in for special treatment was the Kayak travel booking app, which passed data to Facebook with each search within the app: time of the search; departure and arrival city, airport, and date; and number and class of tickets. Privacy International pointed out that this behaviour happened regardless of whether the user was logged out of Facebook, or was without an account on the social network.

"Facebook offers analytics and advertising services to app developers, which help them receive aggregated information about how people engage with their apps -- this is a common practice for many companies," Facebook told Privacy International.

"We also wanted to note that many companies offer the types of services you cover in the report and, like Facebook, they also get information from the apps and sites that use them in a similar manner. Amazon, Google and Twitter all offer login features. Likewise, many of these companies, as well as others like Adobe, Flurry, and Mixpanel, provide analytics services for app developers. More generally, most websites and apps send the same information to multiple companies each time you visit them."

Facebook pointed towards its upcoming Clear History feature -- first announced in May at the height of the Cambridge Analytica scandal -- as a remedy for the report's complaints.

The report also looked at how Facebook's policies compared against the requirements of Europe's GDPR and designing for data minimisation.

With apps handing data to Facebook before the user has had a chance to interact with the app, the charity said there are questions over whether there is a legal basis for transferring the data.

"The fact that the SDK's default implementation automatically transmits data when an app is opened, and that a voluntary feature to delay this transmission was only provided in July 2018, raises questions about Facebook's responsibility towards developers, as well as its own compliance with key data protection principles such as data protection by design and by default," Privacy International said.

Facebook said it requires app makers to have a legal basis to collect and process user information, but Privacy International was not impressed.

"Facebook cannot simply shirk responsibility for the data transmitted to it via Facebook's SDK by imposing contractual terms on others such as app developers or providers," it said.

Privacy International said it tested both opt-outs recommended in Facebook's Cookies Policy, and found "no discernable impact" on the data shared.

"It is difficult to protect yourself from the kind of data sharing that we have described in this report," Privacy International said.

It wasn't all doom and gloom though, with a couple of apps updating their practices in the wake of being contacted by Privacy International.

"Since receiving your letter, we released an update to our app as a priority which will stop the transmission of data via the Facebook SDK," Skyscanner told Privacy International.

Last month, Facebook was once again in hot water over privacy violations, when it revealed that a bug in one of its APIs had exposed the private photos of nearly 6.8 million users.

For a period between September 13 and September 25, 2018, apps could access more than just the user's public photos.

In October, the social network said unknown attackers had combined three bugs to gain access to authentication tokens for 30 million accounts.

The attackers made off with the phone number and/or email of 15 million users. A further 14 million also had other information taken, such as username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
