Many of the most popular Android apps are still illegally sending data to Facebook

William Gayde

Why it matters: Facebook is still tracking what apps a user opens even if they don't have a Facebook account. This affects at least 61% of apps tested and is likely illegal under new GDPR laws.

Despite heavy scrutiny and new privacy laws, a new study reveals that many of the most popular Android apps are still sending user data to Facebook. This data is sent regardless of whether or not a user is logged in or even has a Facebook account. The data is sent immediately when the app is opened and before the user has the option to opt out or enable privacy settings.

Privacy International conducted the study and found that at least 61% of apps they tested send this data to Facebook. The data in question contains details about what app was opened, when it was opened, who opened it, and how long they used the app. Since the unique Google Advertising ID (AAID) is sent with the data, Facebook can profile users even if they don't have a Facebook account.

For example, if someone opened the "Indeed" app, they are likely looking for a job. If someone opened the "Qibla Connect" app, they are likely Muslim. Other apps tested include Duolingo, Kayak, Shazam, Spotify, TripAdvisor, Yelp, and more. The full list is available here.

Facebook's Cookies Policy lists two methods that non-Facebook users can use to opt-out, but Privacy International determined they don't actually change what data is sent to Facebook.

While data on what apps are opened by a user may seem innocuous, Facebook can then combine it with data collected through other means to create a very detailed personal advertising profile. The issue is not with the apps themselves, but with Facebook's Android SDK which is used by the developers to make the apps.

On June 28, Facebook claimed that they updated their Android SDK to add a delay to this event logging which would only send data once users had consented. However, this update came well after GDPR laws took effect and only works on certain versions of the SDK. Many of the most popular apps are using older versions of the SDK which do not have this privacy feature. The update also does not even disable the SDK initialization message in question and the apps are still sending data.

Privacy International was not able to determine for sure how Facebook uses this data since they aren't very transparent with these matters. Regardless, Facebook still has a lot of explaining to do.

Second image courtesy AngieYeoh via Shutterstock


 
"This data is sent regardless of whether or not a user is logged in or even has a Facebook account."

First off, let me point this out. Facebook then knows that user # 472309245 uses A, B, and C apps. How exactly is this a privacy issue if they don't have information about that user? This is a non-issue for people without Facebook accounts.

Secondly, worst case scenario here is that you have an account on Facebook, are signed into it, and use the Facebook app which leaks a TON of data back to Facebook already. This is called analytical data which isn't supposed to be identifying in any way. If it is, they're in major violation of laws. If it isn't, then again this is a non-issue because it's only tallies on a board, not geared toward you specifically.
 
What laws? There are zero laws saying that any company has to anonymize data before sharing or storing it. Any company claiming to do so is doing so on their word only and there is zero law or guarantee that they actually do it (or properly at that).

Companies have and will continue to abuse user data with impunity until laws are put into place. 2018 was ample proof alone that some are needed.
 
I completely agree we need stronger laws but we do currently have (somewhat vague) laws about stealing people's personal information. "Personal" basically being anything identifying, basically the same as HIPAA protected information. You can share the color of my coat, but steal my social security number and yes, it is against the law.
 
The outrage over having our data 'stolen' is my favorite example of how Americans are completely out of things to worry about.

You know who should be tracking my personal data? CVS! Then I wouldn't get 50 coupons for stuff I'd never buy! Maybe just 2 coupons for something useful. I don't use baby diapers or mascara, so save your paper CVS!
 
I completely agree we need stronger laws but we do currently have (somewhat vague) laws about stealing people's personal information. "Personal" basically being anything identifying, basically the same as HIPAA protected information. You can share the color of my coat, but steal my social security number and yes, it is against the law.

HIPAA only applies to medical information. I know the owner of a company that provides HIPAA assessments.

In addition only the government is required to follow basic guidelines based on the 1974 privacy act, which even itself does not provide enough protection.

https://www.aclu.org/other/privacy-america-social-security-numbers

It's not theft of your social security number if you gave that number to Amazon to verify your bank account and they share that number with someone else. In fact they likely tell you they share that number in their TOS and because there are zero laws regarding who or what they can share (as they don't fall under medical or government) it is not illegal. It only becomes illegal when that 3rd party takes that information and uses it for things that are crimes, like fraud or identity theft.

If I were a smart identity thief, I'd simply buy and sell personal information. Oh wait, that's what Google and Facebook do. :confused: When was the last time a big company was punished for enabling the misuse of personal information? Equifax had a huge breach that will cost Americans billions of dollars and they didn't even get a slap on the wrist.
 
The outrage over having our data 'stolen' is my favorite example of how Americans are completely out of things to worry about.

You know who should be tracking my personal data? CVS! Then I wouldn't get 50 coupons for stuff I'd never buy! Maybe just 2 coupons for something useful. I don't use baby diapers or mascara, so save your paper CVS!

Americans have lost almost double to identity theft than the yearly education budget

https://www.forbes.com/sites/forbes...-hidden-costs-of-identity-theft/#475e4ade357b

Clearly something to worry about. Anyone stating otherwise did not notice all the major data breaches in 2018 alone, not counting the ripple effect on all the people who had their information stolen and used for criminal activity.
 
The value of Personal Data should be up to the plaintiff to determine with no cap on damages. This should be put in place and kept there until Fakebook and the other thieves are forced into submission. After all, if they get wealthy off of our data, we should get wealthy off their abusive conduct.
 
"This data is sent regardless of whether or not a user is logged in or even has a Facebook account."

First off, let me point this out. Facebook then knows that user # 472309245 uses A, B, and C apps. How exactly is this a privacy issue if they don't have information about that user? This is a non-issue for people without Facebook accounts.

Secondly, worst case scenario here is that you have an account on Facebook, are signed into it, and use the Facebook app which leaks a TON of data back to Facebook already. This is called analytical data which isn't supposed to be identifying in any way. If it is, they're in major violation of laws. If it isn't, then again this is a non-issue because it's only tallies on a board, not geared toward you specifically.

Don't forget that FB captures the contents of your SMS messages, separate and apart from any messages you might send/receive in FB. Oh, and takes all of your contacts, too. You're wrong to think you're just some anonymous userID when your name, telephone and addresses are captured either through you or contact lists of people who know you.

You're foolish to think they don't connect ALL of the dots.
 
The value of Personal Data should be up to the plaintiff to determine with no cap on damages. This should be put in place and kept there until Fakebook and the other thieves are forced into submission. After all, if they get wealthy off of our data, we should get wealthy off their abusive conduct.

Straight. Up.

Well said, Uncle.
 
Americans have lost almost double to identity theft than the yearly education budget

https://www.forbes.com/sites/forbes...-hidden-costs-of-identity-theft/#475e4ade357b

Clearly something to worry about. Anyone stating otherwise did not notice all the major data breaches in 2018 alone, not counting the ripple effect on all the people who had their information stolen and used for criminal activity.

How did you go from search habits to identity theft?!!!

Those data breaches involved stolen credit cards! Your search results on TripAdvisor aren't even close!

Honestly, I have to give you the benefit of the doubt that you are trolling right now because there's no way someone who can understand the scope of HIPAA data can't recognize the difference in a search for a T-Shirt and your social security number.
So cut it out.
 
This is a nice example of a straw man argument. Regardless, you aren't on topic, you are misconstruing what I said, and you are blatantly baiting. No thanks.
 
I didn't make an argument. That was a question. How did you go from search results to PII (personally identifiable information)? That's like the difference between someone stealing your garbage when you put it out to be collected and breaking into your house.

If you understood what a straw man argument was you'd know that's exactly what I just said you did!
 
This is a nice example of a straw man argument. Regardless, you aren't on topic, you are misconstruing what I said, and you are blatantly baiting. No thanks.
 
Not baiting... there is a big difference between data that simply comes from you, like your internet history, apps you have installed, etc., and Personally Identifiable Information (PII), which is information that can be linked directly back to you personally and no one else. PII is things like your credit card, SSN etc. and your birthday or name even though other people share them. Your data collected for advertising is not PII.

A single person's PII is very valuable.
A single person's non PII is worthless.

It's like the difference between your cash and your used beer cans. The cans are only worth something if you can collect them from many many people.

This story is about non-PII. Bringing up identity theft is off-topic because the data being collected by these apps can't be used to steal your identity. Using something off-topic to refute the original argument is the exact definition of a straw man argument.
 
No u. I had nothing productive to add to the argument I just wanted to shitpost.
On topic
"The data in question contains details about what app was opened, when it was opened, who opened it, and how long they used the app. Since the unique Google Advertising ID (AAID) is sent with the data, Facebook can profile users even if they don't have a Facebook account."
So technically Evernessince is correct in implying identifying information was. But no credit card information or social security cards were sent. Only when said app was opened, who opened it, how long, and AAID. No 'compromising information' was sent.
Oh wait I did have something productive to say. Welp sorry for lying.

I wasn't referencing this article when I mentioned that information FYI. Go and read the comment thread before making assumptions and jumping in. Not at any point will you find me referencing it. That's exactly why it's called a strawman argument. You took his bait.
 
Not baiting... there is a big difference between data that simply comes from you, like your internet history, apps you have installed, etc., and Personally Identifiable Information (PII), which is information that can be linked directly back to you personally and no one else. PII is things like your credit card, SSN etc. and your birthday or name even though other people share them. Your data collected for advertising is not PII.

A single person's PII is very valuable.
A single person's non PII is worthless.

It's like the difference between your cash and your used beer cans. The cans are only worth something if you can collect them from many many people.

This story is about non-PII. Bringing up identity theft is off-topic because the data being collected by these apps can't be used to steal your identity. Using something off-topic to refute the original argument is the exact definition of a straw man argument.

FYI data brokers collate items like search history (and the time) and any other details. In fact even with "anonymized" data you can easily piece together a profile using only secondary information.

If anyone is to blame for going off topic, you are with your first comment

"MilwaukeeMike said:
The outrage over having our data 'stolen' is my favorite example of how Americans are completely out of things to worry about.

You know who should be tracking my personal data? CVS! Then I wouldn't get 50 coupons for stuff I'd never buy! Maybe just 2 coupons for something useful. I don't use baby diapers or mascara, so save your paper CVS!"

I merely pointed out the incorrectness of this statement. You are only making excuses about your off topic statement now because you've been proven wrong. Perhaps next time you should stipulate specifics instead of making an overarching statement.

In either case, both sensitive personal information like SSN and search history should be protected and you are simply naive if you think collecting either is ok without consent.
 
You're right, I don't think the collection of non PII data that can't be connected back to me is a big deal. This isn't 'wrong', it's just a different opinion than yours.

My CVS comment was a joke. Perhaps you've seen the meme ... (Google CVS receipt meme..)

 
"Illegally"? Really? Phone zombies seriously need to read the security issues, oh hell. The SAFETY issues about walking around the streets with headphones on, and their faces buried in ***** phones! Smart phones? LOL! Not hardly! Go look up Mrs Smiths kittens in Phoenix. That will seriously change your life for the whatever!
 