Facebook may know when you're having sex
Few people would argue with the assertion that Facebook knows a lot about its users. The social network is hard to avoid, but could it really know when you have sex?
The answer, it seems, is yes. This is not -- you'll be very pleased to hear -- because Facebook is listening to you or using your webcam to spy on you. Rather it is down to period-tracking apps. A study by Privacy International shows that a number of apps used to track menstrual cycles can share a huge amount of highly personal information with the social media company.
Period-tracking apps are used by large numbers of women. There are many reasons for keeping track of menstruation, but one of the most common is when trying to conceive -- such apps can help to monitor ovulation and home in on days most likely to result in conception.
To help with accuracy, such apps can ask for lots of information from users, and this can include asking them to log when they have sex, in addition to dates of periods, physical and emotional symptoms and more. For couples trying to get pregnant, this is all information that they might previously have logged manually in a diary, but now it is done digitally.
In its investigation, privacy group Privacy International found that numerous popular period-trackers -- Maya by Plackal Tech, MIA by Mobapp Development Limited, My Period Tracker by Linchpin Health, Ovulation Calculator by Pinkbird, and Mi Calendario by Grupo Familia -- shared intimate information with third parties including Facebook. Maya by Plackal Tech has since said that it will change its practices.
Information entered into the apps is shared via Facebook's software development kit (SDK), with the analytics component gathering swathes of data. The purpose of sharing data via the SDK is ad personalization, but it is something many app users will be completely unaware of, and probably highly uncomfortable with.
Privacy International notes quite simply: "If you have unprotected sex, MIA will tell you what to do. And share it with Facebook and others".
In all, millions of users are affected by the data sharing revelations. Privacy International says:
"The wide reach of the apps that our research has looked at might mean that intimate details of the private lives of millions of users across the world are shared with Facebook and other third parties without those users' free, unambiguous and informed or explicit consent, in the case of sensitive personal data, such as data relating to a user's health or sex life."
It goes on to say:
"Our research highlights that the apps we have exposed raise serious concerns when it comes to their compliance with their GDPR obligations, especially around consent and transparency. Indeed, EU data protection laws seek to ensure that users maintain control over their personal data at all times and that they should be aware of the exact and specific purposes these data might be used for by controllers, namely companies. It equally applies to controllers that process data within the EU/EEA and to controllers that might be based outside the EU/EEA but still target EU users with their services.
"This raises interesting points. First, even when GDPR applies, for example, in EU/EEA countries, this does not mean that controllers abide by the regulation. As our research illustrates, apps targeting EU users need to comply with, among others, strict consent and transparency obligations regarding the processing of personal data, but they often fail to do so. This should lead to a call for stronger enforcement -- EU data protection laws have always been there, what is needed is effective and fruitful investigations by regulators.
"Secondly, while apps that are located in Europe might be failing to meet their GDPR obligations, EU users are still provided with an appropriate right of redress, such as the possibility to raise the issue with the controller directly, or to file a complaint before their national supervisory authority, or even to bring a case against the controller before national courts. However, the case is not the same for users based in countries without proper data protection laws or with data protection laws that lack effective enforcement. The practices highlighted by this research should serve as an example of abuse that should prompt law-makers and regulators to uphold users' rights."
You can read through Privacy International's full report here.