In the latest privacy blunder involving Facebook, a new study by Privacy International found that a staggering 61 percent of the tested apps were sharing user data with Facebook—as soon as the app is opened.
Yes… you read that right, as soon as the app is opened… the first thing it does is nothing that helps you, the purpose which it intends to be for on your device, but instead updates Facebook.
Let us take a moment here… and recollect.
The past year was a bad one in terms of bad publicity for Facebook that no news seems to tickle that sense of surprise. The New York Times story covering the data sharing deals was bad enough… the results from Privacy International’s study, however, are something on another level entirely.
The crux of it all is that a whole lot of famous apps, having a user base to the tunes of a couple of millions to hundreds of millions, are quite unwittingly helping Facebook collect user data.
These apps included, but were not limited to the following…
- Super-Bright LED Flashlight
- My Talking Tom
- Skater Boy
- Indeed Job Search
- Security Master
- Clean Master
If this is not alarming enough, then get this: The target users don’t have to be logged in to Facebook… they may not even be a user of Facebook at all and still are being tracked.
This is not a result of a small misstep either. As you may have noticed, the tested apps are not the ones made by app factories looking to ride the trend wave. These are big businesses, businesses like Amazon, Apple and Microsoft.
What Exactly Is Happening Here…
In summary, famous apps are sharing data with Facebook.
This happens in either of the following two forms.
- In result of a deal through which user data access is granted between the two partner companies… let’s say Amazon and Facebook.
- When a developing company wants to use Facebook SDK to enhance its app’s functionality.
Here in both cases, the parties use APIs and SDKs to access data.
The New York Times story reveals, as a result of hundreds of documents it analyzed and several interviews, that Facebook was providing user data access to companies like Amazon, Microsoft, Apple, Netflix and more.
The companies claim not to have known the level of access they were granted, meaning that they had the access to data which they shouldn’t have had in the first place, but did not know about it.
This sounds implausible but when you match it to Privacy International’s research, then a common theme emerges.
Privacy International found that…
- The apps sending data to Facebook started to send the data as soon as they were started.
- The data shared did not only belong to users of Facebook.
- The data suggests that it is event-based, triggered by Facebook SDK when it starts.
- This data comes with a tag, which is unique to the app sending data. So Facebook knows who is sending the data.
- These events are not just about starting up the app; they’re also about installation, deactivation and initialization.
- Besides these seemingly benign signals, apps were found to have been sending detailed information about their use—their use which had nothing to do with Facebook.
- And finally, they shared that whether you choose to not be tracked by Facebook through cookies, it won’t stop them.
Now… hold your thought process for just a tiny moment here, let’s go back to that New York Times story.
This story revealed that…
- Amazon, Microsoft and Sony, through their apps, could access Facebook users’ email addresses through their friends.
- Bing could show you the names of Facebook users’ friends without their consent.
- Apple did not have to prompt the user that it could see their calendars, entries and contact numbers… even though they chose to not share it.
- Rotten Tomatoes and Pandora could see friends’ information to customize their own product for better user experience.
- And Netflix, Spotify and Royal Bank of Canada had some sort of a golden ticket to get the access of seeing and deleting users’ private messages along with all the participants in a chat.
The list goes on…
What is astonishing here is the level of maturity the partners have shown to not have messed with the level of access they had, at least that we know of. Future developments may prove this statement null and void.
If you still haven’t figured the common theme here, then let us break it to you… it is the Facebook SDK.
Facebook SDK is used by a LOT of companies… from common app developers to big corporations. The reason for using an SDK is to get to use the functionality the other app provides without re-writing new code for it. It is also a great way to integrate apps with each other.
So… whenever an app requires its user to be identified by a unique identifier—one which has a sort of history behind it so that it seems like it belongs to a living human being—they require you to either:
- Make a new login with your personal information.
- Or use your Facebook, Gmail etc. login to proceed.
And being the lazy human beings that we are, we choose to take the path less traveled of less effort. We choose an already made Facebook or Gmail login.
To integrate that login, developers use the respective company’s SDK. This is where the Facebook SDK enters the game.
This falling back to our lazy human nature is so common that most apps use the SDK just for providing the login facility; they know people would rather click a button to log in through Facebook than to make an entirely new account.
This is not the only reason it is used… Other main reasons include using its Ads platform and user analytics.
So, whether you are logged in or not, have a login for Facebook or not… if the app you are using is utilizing Facebook SDK then guess what… your information, the type we just shared above, might be transferred to Facebook.
Okay now here comes the shocker…
Facebook claims that it legally bounds the developers to ask for consent of the users… before they share their data through the SDK.
Facebook also says that while using the SDK, you can choose to share the data or not. It is not necessary and entirely up to the developer’s needs.
So how is it possible? Are third-party app developers really responsible?
After Privacy International’s report, Facebook further acknowledged that most of the developers use the SDK in its default settings. The default setting of the SDK ensures that the data is shared as soon as the SDK is initialized.
So, ultimately, it is the default settings that have been identified as the ultimate culprit. Never let default settings fool you into a false sense of security. Even if it is a flashlight app, do what you gotta do… and change that setting, cause that is exactly what happened when huge app developers used the Facebook SDK on its default settings, it started leaking privacy data to others.
Okay, let’s be honest… you (being the user) don’t have the access to change the kind of settings required to stop the apps sharing your data. But that habit, that mindset was present in the minds of developers when they started using the said SDK. They could have avoided all of this by first studying the documentation. But who reads that anyways…?
Is Facebook the Scapegoat Here?
If your thought process has led you to this conclusion… whether it is the companies trying to hide behind the default setting mindset or Facebook blaming developers passive aggressively… it needs to be understood that a tool’s capabilities need to be understood by its user and its developer alike to understand the dangers it may cause.
Let’s review some facts here …
It was only after GDPR was passed that developers took notice of the clear consent clause, that before sharing data you must clearly ask for user’s consent, resulting in reported bugs that Facebook SDK did not wait for consent and started sharing data.
Facebook enabled the developers to wait first for consent before sharing the data or choose to not share at all on June 28, 2018. That was 35 days after the legal application of GDPR.
So yes… the developers were at fault… and so was Facebook.
It is also worth noting that this wait facility is only available on some SDK versions and not all. So, any app using older versions is still in deep waters.
And finally… as Facebook provided the facility to opt out of sharing the data, it also said that the developers had always had the ability to stop auto-sharing data even before having the new facility. This doesn’t fully excuse them since even after stopping the auto-sharing, the SDK sent an initializing prompt to Facebook—telling it which user is using the particular app and for how long.
This prompt is disabled after Facebook provided the aforementioned fix.
The Takeaway from All This …
Facebook’s answer to this isn’t them at their best… they are defensive of their behavior and claim to not have done anything wrong.
Not only that, if you read carefully, one of the reasons behind this claim is because they found that the gaping hole of a mistake they left was never exploited. Poor defense… That is exactly why they were being criticized heavily for it, and will be continued in the future as well.
Facebook’s response to Privacy International’s report clears some things up too… there was no way any of Facebook SDK’s users, the developers and the companies, could have stopped the signal prompting Facebook about the apps utilization. It was by design, only to be removed after being reported.
A lot can be assumed (read profiled here) by just knowing which people are using which apps. Taken together, a person using My Talking Tom, Indeed, Qibla Connect and Period Tracking Clue could easily be profiled as probably a Muslim, most likely a woman and a parent looking for a job. This is one of the examples researchers used to demonstrate their findings in the Privacy International study.
Add all this with the promise Facebook made with the U.S. Federal Trade Commission not to share user data without explicit consent, and the picture seems even darker.
The numbers of active monthly users worldwide paint a different picture though…