Popular Android Apps Found Sending Data to Facebook without Permission

The report echoes the findings of a previous report on health and dating apps.

In short, the apps identified in this report, which include prayer apps, MyFitnessPal, DuoLingo, Kayak, Indeed, Shazam, Skyscanner, Spotify, Trip Advisor, and Yelp, send certain data to Facebook the second they are opened on a phone.

The information includes the app's name and the user's unique ID with Google. This information is sent whether or not the user has a Facebook account, but if they do, the info can be tied to a profile, essentially de-anonymizing them. If you consider the fact that multiple apps are contributing to your profile, that means Facebook can create a pretty accurate profile, Android Police reported.

The report from Privacy International points out that a person with a Muslim prayer app, period tracker, Indeed and a children's app could be identified as likely a female, Muslim, job-seeking parent - even if they had never identified themselves as any of those things on Facebook. What's more, some apps were giving Facebook even more detailed information, and not just when the app was first opened. According to the report, Kayak told Facebook about flight searches, travel dates, and whether the user had children. It's also important to note. 

Aside from being extremely unethical, this practice also infringes on rules from Europe's new General Data Protection Regulation, which were introduced in May. The apps in question could be on the hook for up to four percent of revenues or 20 million Euro, whichever is greater - but Facebook might be in trouble, too. Privacy International found that Facebook's developer kit did not give the option of waiting for a user's permission before sending some data until at least four weeks after the introduction of GDPR. Even after the company rolled out an upgrade in early summer, there have still been ongoing bug reports, and it's clear from this report that many apps have yet to implement the fix.

In response to this report, Facebook was conciliatory and noted that it is working on a "suite of changes," including a new tool called "Clear History" that it says might help address the blowback from this current issue. Meanwhile, many of the Android apps in question are not responding to requests for comment, apart from Skyscanner, which says it wasn't aware it was sending data to Facebook.

Looking on the bright side, there are some apps tested by Privacy International that didn't transmit information to Facebook the moment they were opened - shout out to Candy Crush Saga, Opera Browser, and Speedtest by Ookla. Here's hoping more apps will follow their lead in the year ahead, and here's also hoping that Facebook can manage to be just a little bit better in 2019.