February 26, 2019
Many smartphone users provide personal data to apps, from intimate health information to shopping habits. What the users don’t know is that Facebook culls the data seconds after they enter it, even if they have no connection to Facebook. Eleven popular apps, which have been downloaded millions of times, have been sharing data with Facebook — without any obvious disclosure to users providing that sensitive data. The revelation of that information has created a shakeup at Facebook and the involved apps.
The results were the work of testing done by The Wall Street Journal, which reports “that Facebook software collects data from many apps even if no Facebook account is used to log in and if the end user isn’t a Facebook member.” That’s due to a Facebook analytics tool, dubbed App Events, built into apps “that allows developers to record their users’ activity and report it back to Facebook, regardless of whether users log in via Facebook, or even have a profile.”
WSJ reports that Apple and Google, “which operate the two dominant app stores, don’t require apps to disclose all the partners with whom data is shared.” Although apps do ask users if they want to give permission to provide contacts or locations, “these permissions generally don’t apply to the information users supply directly to apps, which is sometimes the most personal.”
Instant Heart Rate: HR Monitor and Flo Health’s Flo Period & Ovulation Tracker are just two of the apps with millions of users that send data to Facebook immediately after recorded, as well as appRealtor.com, owned by a subsidiary of WSJ parent News Corp. None of the apps provided a way to opt out of the information sharing.
Facebook said it tells app developers not to send “health, financial information or other categories of sensitive information,” and Apple said “its guidelines require apps to seek ‘prior user consent’ for collecting user data and take steps to prevent unauthorized access by third parties.” Google would only say that app handling sensitive information “disclose the type of parties to which any personal or sensitive user data is shared.”
Facebook added that the company automatically deletes Social Security numbers and other sensitive data. The Federal Trade Commission “has taken an interest in cases in which data sharing deviates widely from what users might expect, particularly if any explanation was hard for users to find,” according to Northeastern University law professor Woodrow Hartzog.
Elsewhere, WSJ reports that, after it revealed the findings of its test, “popular health and fitness apps scrambled to stop sending sensitive personal information to Facebook.”
It reports that, “Facebook itself contacted some large advertisers and developers in response to the Journal’s reporting, telling them it prohibits partners from sending Facebook any sensitive information about users.” New York Governor Andrew Cuomo also “ordered state agencies to investigate apps’ transmission of personal information to Facebook … and urged regulators in Washington to look into the matter as well.”