Fitness coaching, period tracking, apartment search … these services sent very private information to Facebook, even when their users were not on Facebook.
A Wall Street Journal investigation revealed on Friday, February 22, that a dozen consumer applications had sent data collected on their users to Facebook without notifying them. The phenomenon is not new in itself: several researchers have already shown that applications that do not belong to Facebook nevertheless sent personal data to the social network.
But the American newspaper's article gives new, concrete examples of the applications involved. In all, of the seventy applications for iOS and Android tested by the Wall Street Journal, eleven actually sent data to Facebook servers while running, even though they have nothing to do with the social network.
Here is the list:
- Flo Period & Ovulation Tracker (“Flo: date of rules” in France)
- Weight Loss Fitness by Verve (“Fitness Weight Loss by Verv” in France)
- Lose It! (“Lose It! Calorie Counter” in France)
- GetFit: Home Fitness & Workout (“GetFit: Fitness at home” in France)
- Instant Heart Rate: HR Monitor (“Heart Rate” in France)
- Breathe: Sleep & Meditation (“Breathe – Meditation & Sleep” in France)
- Trulia Real Estate: Find Homes (same name in France)
- BetterMe: Weight Loss Workouts (same name in France)
- BetterMen: Fitness Trainer (inaccessible in France)
- Realtor.com Real Estate Search (inaccessible in France)
- Glucose Buddy (unavailable in France)
Of these applications, eight were available in France on the App Store, according to our findings Monday, February 25.
A marketing analysis module
These applications, downloaded millions of times in some cases, are likely to have collected very private information about users. Among other things, they let users keep a menstruation calendar (“Flo: date of rules”), search for an apartment (“Trulia Real Estate”), meditate (“Breathe”) or follow a fitness training program (“GetFit: Fitness at home”).
Since the American daily's revelations on February 22, several publishers of these applications have decided to suspend the sending of some data to Facebook. Among them: “Flo: date of rules” and “Heart rate”. Others, however, have neither reacted nor indicated that they have stopped sending collected data.
For each of these eleven applications, the Wall Street Journal detailed, in a dedicated article, what information was sent to Facebook (e-mail address, postal code, interactions with certain pages, favorites, weight …). The information sent did not necessarily concern users who have a Facebook profile. And it was not necessary for a Facebook user to be connected to Facebook within the app for the social network to collect information, says the Wall Street Journal.
Overly sensitive data is erased, according to Facebook
Why, in this context, has Facebook nevertheless been able to collect personal data? The answer is a software layer provided free of charge by Facebook, called “App Event”, which, among other things, gives developers analytics on the activity of their applications' users. Any developer can decide to integrate “App Event” modules into their mobile service: this helps them better understand their audience and the behavior of their users. In return, Facebook promises developers that it can help them deliver targeted ads within their app, or provide them with useful data for marketing analysis.
“Sharing information via apps on your iPhone or Android device is the way mobile advertising works, and it’s a common practice in this industry,” said a Facebook spokesperson interviewed by Agence France-Presse after the publication of the Wall Street Journal investigation.
She also assured that Facebook had safeguards to control the information collected and erased the sensitive information that Facebook could mistakenly receive from applications. “At Facebook, we require developers to be transparent with their users about the information they share with us and we forbid them to send us sensitive data,” she said.
Unclear conditions of use
The stakes for Facebook are significant after a 2018 marked by scandals over the use of the personal data of the social network's users: Facebook's practices are now scrutinized by regulators and authorities around the world. After publication of the Wall Street Journal’s investigation, New York Governor Andrew Cuomo called for the opening of a federal inquiry into the subject, denouncing a “scandalous invasion of privacy.”
One of the essential aspects of the case concerns user consent. According to the information website The Verge, the terms of use of the eleven applications singled out did not clearly indicate that collected data could be sent to Facebook.
This is one example of how hard it is for mobile app users to know how deeply Facebook is embedded in our mobile systems and can receive data about our online activities. In general, Facebook’s App Events modules are present in “thousands of applications” on the Apple Store and the Android Play Store, notes the Wall Street Journal. This makes it difficult to grasp the real volume of mobile data potentially received by Facebook at any moment, and the purposes it serves.