Android apps are secretly sharing your data with Facebook

Some Android apps are secretly sharing your data with Facebook even when the user is logged out of the social network. Or, if you don't have an account at all!

The advocacy group Privacy International announced these findings in their 35th Chaos Computer Congress presentation last year. They tested in a total of 34 apps and documented the results that proved that Android apps are secretly sharing your data with Facebook. The report is also downloadable right here. 

People whose Facebook information have been improperly shared to Cambridge Analytica
People whose Facebook information have been improperly shared to Cambridge Analytica

The investigation found that 61% of the apps that were tested automatically sent the data to Facebook. Data such as what the user opened and liked. This accompanies a lot of other basic event data like the app being closed. And along with that information, it reported about their device and suspected location. This was all done based on language and time settings.

The report also claimed that the apps have been doing so even if the user didn't have a Facebook account at all.

Some apps are more detailed

Some of the apps that were tested proved that they did send even more detailed data.

A good example is the travel app Kayak. It routinely sent search information that included departures, arrival dates, cities, and the number of tickets. 

Also, the learning app Duolingo was among the several apps that the report called out for sharing extra data. This included the data such as how the app is used, which menus the user visited, and other interaction information. 

Duolingo was among the several apps that the report called out for sharing extra data
Duolingo was among the several apps that the report called out for sharing extra data

The occasional message that tells someone that you have opened a language learning app seems harmless at first. So what if you're trying to learn Spanish, right? Well, it had the Privacy International worried.

The report clearly stated that:

If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines.

Moreover, the report claimed that this basic SDK data could cross over into a very special category protected under GDPR. It claimed that if you open a medical or religious app, Facebook could get a grip on the user's health and religious belief data.

But this is more likely when apps send this kind of information with a unique Google advertising id, which they do. A lot of ads technology companies sync this Id across various devices so they can build a better profile of the user's activities. This covers mobile and desktop usage.

What could Facebook possibly do with this data?

A lot of possible uses stated in the report included matching contacts, and building specific target audiences. Facebook has also been known to track app usage in the past in order to gain market intelligence about which apps people are using more. It did so with the Onavo VPN product that was purchased by them and subsequently removed from Apple's app store. Oops.

Facebook also provides opt-out mechanisms that are originally supposed to allow people without account to control the ads they see. However, using them doesn't really stop the app from sharing the user's usage data, the report claimed. Neither do the enhanced controls to govern how the app collects the data.

Apps do share this event data using a software development kit that devs must use if they want their apps to interact with social networks. The report claimed that, while developers have been able to restrict some data, the SDK still sends the basic data about opening apps as a part of the initialization process that the developers can not control.

This particular data collection put Facebook in violation of Europe's GDPR, according to Privacy International. The failure to stop the apps to send data to Facebook led a lot of developers to contact Facebook and complain.

The report also warns that automatically giving up user data via the SDK contravenes the GDPR's consent rules. It stated that even if the user agreed to blanked terms and conditions, they can't easily revoke the consent later.

It stated:

…under the default implementation of the SDK, personal data is transmitted to Facebook before an individual has had the opportunity to be provided with further information or to consent to such data sharing.

Facebook 4.34

Facebook released the 4.34 version in June 2019, which allowed developers to delay sending the SDK initialization without the user's content. However, that particular SDK came 35 days after the GDPR came into effect. And even to this day, developers must still delay the SDK sending the data.

The report stated that the SDK as it stands may be violating GDPR's principle of data protection by design. It requires the companies to gather only the data they need for specific purposes. 

How people view Facebook after the data breach
How people view Facebook after the data breach

It stated that:

…the design of the Facebook SDK together with the default Facebook SDK implementation does exactly the opposite, namely automatically (by default) transferring personal data to Facebook for unspecified purposes.

Should Facebook really be responsible for how third-party developers pass on the user's data? Privacy International definitely thinks so, claiming that they should take responsibility:

Facebook cannot simply shirk responsibility for the data transmitted to it via Facebook’s SDK by imposing contractual terms on others such as App developers or providers.

This report couldn't have come to a better time, really. Just as the Irish Data Protection Commissioner is already investigating the company's breach of 2019, which saw 50 million accounts compromised.