Privacy International investigation finds a huge number of Android apps share data with Facebook -- whether you have an account or not

Facebook's track record with privacy is a rocky one, but the idea of giving up some personal data is seen by many users as an acceptable price to pay for using the social network. But an investigation by Privacy International has found that many Android apps are sharing data with Facebook about people regardless of whether they are logged into their Facebook account... or even have a Facebook account at all.

The findings of the investigation raise questions about Facebook's transparency when it comes to handling user (and non-user) data, and the privacy implications of profiling by the social networking behemoth -- particularly in the wake of the Cambridge Analytica scandal.

See also:

• Facebook gave dozens of companies access to user data such as friends lists and private messages
• Facebook addresses controversy over third-party access to private messages
• Facebook API bug may have exposed 6.8 million users' private photos

The privacy group tested a total of 34 popular Android apps between August and December 2018. It found that nearly two thirds of apps sent data to Facebook as soon as they were launched -- and it made no difference whether a user had a Facebook account, or was logged out of a Facebook account. The data sent makes it possible for Facebook to tell exactly how often individuals use particular apps as well as gathering other data that enables the company to build up detailed profiles about.

Summarizing its findings, Privacy International says:

• We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
• Typically, the data that is automatically transmitted first is events data that communicates to Facebook that the Facebook SDK has been initialized by transmitting data such as "App installed” and "SDK Initialized". This data reveals the fact that a user is using a specific app, every single time that user opens an app.
• In our analysis, apps that automatically transmit data to Facebook share this data together with a unique identifier, the Google advertising ID (AAID). The primary purpose of advertising IDs, such as the Google advertising ID (or Apple’s equivalent, the IDFA) is to allow advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile. If combined, data from different apps can paint a fine-grained and intimate picture of people's activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion. For example, an individual who has installed the following apps that we have tested, "Qibla Connect" (a Muslim prayer app), "Period Tracker Clue" (a period tracker), "Indeed" (a job search app), "My Talking Tom" (a children's app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent.
• If combined, event data such as "App installed", "SDK Initialized" and "Deactivate app" from different apps also offer a detailed insight into the app usage behavior of hundreds of millions of people.
• We also found that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. Again, this concerns data of people who are either logged out of Facebook or who do not have a Facebook account. A prime example is the travel search and price comparison app "KAYAK", which sends detailed information about people’s flight searches to Facebook, including: departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).
• Facebook's Cookies Policy describes two ways in which people who do not have a Facebook account can control Facebook's use of cookies to show them ads. Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report.

What is perhaps most worrying is that there is no way to tell just how Facebook is using the data that is collected in this rather underhand manner.

You can check out the full report -- entitled How Apps on Android Share Data with Facebook (even if you don't have a Facebook account) -- on the Privacy International website.

Image credit: CHAINFOTO24 / Shutterstock