Popular Apps caught secretly sending intimate user data to Facebook

A new investigative report from The Wall Street Journal claimed popular third-party iOS and Android apps send very personal user data to Facebook.

Most of the time, we sign in to a new app using our Facebook or Google credentials. We are then prompted with a message promising that the app will not post on our behalf and will take care of our sensitive data, and we have no choice but to believe it. The WSJ report says otherwise.
Immediately after an app records new data, it uses it in any way possible, even if the user isn’t logged into Facebook or isn’t a Facebook user at all. The report also highlights that Apple and Google don’t require apps to divulge all the partners that user data is shared with.

User’s Unawareness

Millions of smartphone users confess their most intimate secrets to apps, including workouts, the price of the house they checked out last weekend, their body weight, blood pressure, menstrual cycles or pregnancy status. The investigative report discovered that Facebook purchases this personal data from apps, and in many cases has access to it as soon as new data is recorded. Further, this happens even when users aren’t logged in to Facebook or don’t even have an account.

These apps often send data without any prominent or specific disclosure, the testing showed.

WSJ notes that many of Facebook’s controversial user-tracking strategies have been uncovered over the last couple of years, but this investigation uncovered even more concerning details, such as what in-app data 11 popular apps are sharing with Facebook.

Apps Monopoly

“It is already known that many smartphone apps send information to Facebook about when users open them, and sometimes what they do inside. Previously unreported is how at least 11 popular apps, totaling tens of millions of downloads, have also been sharing sensitive data entered by users. The findings alarmed some privacy experts who reviewed the Journal’s testing.”

The tricky part for users is that iOS and Android apps aren’t required by Apple and Google to disclose all of the partners that have access to your data. What’s more, with the apps tested, there is no clear way to prevent them from sending data to Facebook.

Examples include the heart-rate app Instant Heart Rate: HR Monitor; Flo, a period and ovulation tracker; and Realtor.com.

“In the Journal’s testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple’s iOS, made by California-based Azumio Inc., sent a user’s heart rate to Facebook immediately after it was recorded.

“Flo Health Inc.’s Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed.

“Real-estate app Realtor.com, owned by Move Inc., a subsidiary of Wall Street Journal parent News Corp, sent the location and price of listings that a user viewed, noting which ones were marked as favorites, the tests showed.”

Even when users aren’t logged into Facebook, the company can often match up personal data from third-party apps to users once it receives the data.

Here’s how this process works:

Fake Claim

As for Facebook, it says it uses this data to “personalize ads and content on Facebook and to conduct market research, among other things.”

Apple told the WSJ it requires user consent to collect data, but as the report points out, users don’t know where the data is going.

“Apple said its guidelines require apps to seek “prior user consent” for collecting user data and take steps to prevent unauthorized access by third parties. “When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action,” the company said.”

Google gave a more vague statement:

“A Google spokesman declined to comment beyond pointing to the company’s policy requiring apps that handle sensitive data to “disclose the type of parties to which any personal or sensitive user data is shared,” and in some cases to do so prominently.”

Read the full investigative report here.

By Michael Potuck, 9to5mac.com