A study of 34 of the most popular Android apps found that at least 20 of them are sending user data to Facebook without consent.
The data transmitted ranges from the innocuous to the sensitive – such as whether the user has children – and is likely to be illegal in the case of European citizens …
Apps found to be doing this include Kayak, MyFitnessPal, Skyscanner and TripAdvisor.
The Financial Times reports that the data is transmitted as soon as the app is opened.
The Privacy International campaign group found that at least 20 [apps] send certain data to Facebook in the second that they open in a phone, before [users] can be asked for permission.
The information sent instantly included the name of the application, the unique identification of the user with Google and the number of times the application was opened and closed since it was downloaded. Some, such as Kayak, the travel site, then sent detailed information about people’s flight searches to Facebook, including travel dates, if the user had children and what flights and destinations they had searched for.
This is almost certainly in breach of Europe’s privacy law, the General Data Protection Regulation (GDPR). This requires that users be asked for their consent before any personal data is collected.
It’s not just users affected by the problem: application developers are potentially left liable to a maximum fine of 4% of their annual turnover by a Facebook SDK.
Frederike Kaltheuner, who conducted the research, added that while Facebook assigns responsibility for complying with regulations to application developers, the developer kit of the US company did not give the option of waiting for permission from a developer. user before transmitting some types of data.
“At least four weeks after GDPR, it was not even possible to ask for consent, due to the default configuration of the Facebook SDK [software development kit] which means that the data is automatically shared at the moment the application is opened” , He said.
Several application developers have complained about the problem to Facebook since May, reporting bug reports on Facebook’s developer platform that they said they could not comply with the law.
Although Facebook subsequently claimed an SDK update would solve the problem, many popular apps are still not using it, and some developers are complaining that it continues to happen even when using the new SDK.
There is a particular risk to privacy when data is gathered from multiple apps, says the report.
For example, a person who has installed the following applications that we have tried, Qibla Connect (a Muslim prayer application), Period Tracker Clue (a period tracker), Indeed (a job search application), My Talking Tom (an application for children), could be outlined as probable woman, probably Muslim, probable job applicant, probable mother.
In addition to the data being available to Facebook, any data collection runs the risk that it could be vulnerable to hackers. Facebook admitted back in October that hackers had been able to access data from 30 million users of the social network.
The issue does not appear to arise with the iOS versions of the apps.