Many were under the assumption that Facebook was done gorging on user data and selling it to third parties after the whole Cambridge Analytica fiasco. Turns out that there are still some apps out there which send user’s data to the social networking website without their permission.
According to a study by Privacy International, applications like MyFitnessPal, TripAdvisor and Skyscanner are sending user data to Facebook without asking for permission.
This includes analytics data that automatically is sent when the app is launched and also includes a user’s unique Android ID which is only accessible to the developers.
The study shows that at least 61 percent of apps that were tested, start transferring the data automatically to Facebook, the moment a user opens the app. What’s scary is that, this occurs whether or not people have a Facebook account, or whether they are logged into Facebook or not.
According to the Privacy International research, the prime example is the travel search and price comparison app “KAYAK”, which sends detailed information about people’s flight searches to Facebook, including: departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).
The study also shows that Facebook constantly and in a routinely manner tracks users, non-users and also users that have logged-out outside its platform through something called Facebook Business Tools.
App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. In this particular case, Android.
Using the free and open source software tool called "mitmproxy", Privacy International analyzed the data that 34 apps on Android, each with an install base from 10 to 500 million, transmit to Facebook through the Facebook SDK.
This is serious because it’s in violation of the European Union’s GDPR privacy laws which dictates that no user data will be shared without the user’s consent.
Despite this, all of the blame cannot be dumped on Facebook neither the developers. The reason these apps are transferring the data is because Facebook's relevant developer kit didn't provide the option to ask for permission until after GDPR took effect. The SDK kit has been designed to send the event data as a default.
Skyscanner acknowledged that it was "not aware" it was sending data without permission.
It seems that many of the developers are still using the older version of the kit which does not comply with the GDPR norms. Facebook did develop a fix, but there’s still ambiguity whether the fix works or not. It is also not clear whether developers are implementing it properly. There are still numerous apps running the older versions of the developer kit, according to the study.
Following this, Facebook has placed sole responsibility on the developers to ensure that they have the right to procure the user’s data and subsequently share the same with the social networking platform.
It seems that app creators and even Facebook would have to take matters into their own hands and clear up this mess before controversies and heavy penalties come knocking at their door.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)