Some popular Android apps have been sharing data with Facebook without users’ permission, a new study has found.
Privacy International, a UK-based campaign group, found that TripAdvisor, Kayak, MyFitnessPal and Skyscanner are just a few of the many Android apps that are sending sensitive user data to Facebook.
In some cases, the apps were sharing private data with the social media giant even if users didn’t have a Facebook account.
Privacy International conducted a review of 34 popular Android apps and found that at least 21, or 61 percent, of them began collecting data from users as soon as they opened the app – and before users gave permission to do so.
‘This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not,’ the group explained.
When an app is opened, the data that is initially sent typically includes things like the fact that a Facebook SDK (Software Development Kit) is running.
‘This data reveals the fact that a user is using a specific app, every single time that user opens an app,’ Privacy International said.
It also reveals information like what kind of device a user is using, the software version running on the device, as well as the screen resolution.
Facebook’s SDK is a platform that the firm offers to developers; it lets users log in to other services with their Facebook account.
Other data that is sent to Facebook includes the user’s unique ID with Google, which helps advertisers build a ‘comprehensive profile’ around a user, such as their gender, religion, interests, activities and other detailed information.
‘For example, an individual who has installed the following apps that we have tested, Qibla Connect (a Muslim prayer app), Period Tracker Clue (a period tracker), Indeed (a job search app), My Talking Tom (a children’s app), could be potentially profiled as likely female, likely Muslim, likely jobseeker, likely parent,’ the report stated.
Privacy International said some apps sent particularly sensitive and detailed data to Facebook, such as the travel booking app Kayak.
Kayak was found to be sharing detailed information about a person’s flight searches with Facebook, like their departure city, airport and date, as well as their arrival city, airport and date, the number of tickets they purchased, whether the tickets purchased were for children and which class of tickets were purchased.
The report’s findings have raised concerns that the apps could be violating the EU’s General Data Protection Regulation privacy rules, which went into effect on May 25, 2018.
WHAT IS THE EU’S GENERAL DATA PROTECTION REGULATION?
The European Union’s General Data Protection Regulation (GDPR) is a new data protection law that entered into force on May 25, 2018.
It aims to strengthen and unify data protection for all individuals within the European Union (EU).
This means cracking down on how companies like Google and Facebook use and sell the data they collect on their users.
The law will mark the biggest overhaul of personal data privacy rules since the birth of the internet.
Under GDPR, companies are required to report data breaches within 72 hours, as well as to allow customers to export their data and delete it.
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
Further, the controller must provide a copy of the personal data, free of charge, in an electronic format.
This change is a dramatic shift to data transparency and empowerment of data subjects.
Under the right to be forgotten, also known as Data Erasure, data subjects are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing their consent.
This right requires controllers to compare the subjects’ rights to ‘the public interest in the availability of the data’ when considering such requests.
Under GDPR rules, apps are required to obtain explicit consent from users before they begin collecting their data.
After GDPR was enacted, Facebook released an updated version of its SDK that gave developers the ability to delay automatic data collection when the app is opened.
However, it’s unclear if all developers have downloaded the updated SDK version or if it’s being implemented.
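One way to check whether a given app has adopted the delayed-collection setting is to audit its decoded AndroidManifest.xml, shown here as an added example that is not from the article, Privacy International or Facebook. The flag names are the Facebook Android SDK's manifest switches as the editor knows them and do not appear in the article; the package name and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Facebook Android SDK manifest switches (not named in the article);
# each one behaves as "true" when the manifest does not declare it.
FLAGS = (
    "com.facebook.sdk.AutoInitEnabled",
    "com.facebook.sdk.AutoLogAppEventsEnabled",
    "com.facebook.sdk.AdvertiserIDCollectionEnabled",
)

def audit_manifest(manifest_xml):
    """Return {flag: 'disabled' | 'enabled' | 'default-enabled' | 'unresolved'}."""
    root = ET.fromstring(manifest_xml)
    declared = {}
    for meta in root.iter("meta-data"):
        name = meta.get(ANDROID + "name")
        if name in FLAGS:
            declared[name] = (meta.get(ANDROID + "value") or "").strip().lower()
    report = {}
    for flag in FLAGS:
        value = declared.get(flag)
        if value is None:
            report[flag] = "default-enabled"   # switch absent: SDK default applies
        elif not value or value.startswith("@"):
            report[flag] = "unresolved"        # resource reference, needs manual lookup
        elif value == "false":
            report[flag] = "disabled"
        else:
            report[flag] = "enabled"
    return report

def logs_events_at_launch(manifest_xml):
    """True unless SDK start-up or automatic event logging is explicitly off."""
    report = audit_manifest(manifest_xml)
    return "disabled" not in (report[FLAGS[0]], report[FLAGS[1]])

# Constructed sample manifests (hypothetical package name).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.app"><application>')
TAIL = "</application></manifest>"
OLD_STYLE = HEAD + ('<meta-data android:name="com.facebook.sdk.ApplicationId" '
                    'android:value="@string/fb_id"/>') + TAIL
DELAYED = HEAD + (
    '<meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled" android:value="false"/>'
    '<meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled" android:value="@bool/ads"/>'
) + TAIL

if __name__ == "__main__":
    for label, xml in (("old-style", OLD_STYLE), ("delayed", DELAYED)):
        print(label, logs_events_at_launch(xml), audit_manifest(xml))
```

The manifest shows only the state at launch; whether the app turns logging on only after the user consents has to be confirmed in its code or its network traffic.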
A Facebook spokesperson told Privacy International that it’s working on a ‘suite of changes’ that will hopefully address the issues outlined in the report.
‘We agree that, as you point out, it’s important for people to have access when we receive information about them when they’re not using our services, and to have control over whether we associate this information with them,’ the firm said, according to Privacy International.
‘Recognizing the value of improvements in this area, we’re currently working on a suite of changes, including developing a new tool called Clear History, that we hope will address your feedback.’