Privacy International, a British organization working at the intersection of modern technologies and rights, published the report “How Apps on Android Share Data with Facebook” in late December. It focused on third-party tracking on Android. One of its key findings is that at least 61% of the tested applications automatically transfer data to Facebook immediately after the user opens the app. This happens whether or not people have a Facebook account, and whether or not they are logged into Facebook.

Privacy International analyzed the data that 34 Android apps transmit to Facebook through the Facebook Software Development Kit (SDK), using the free and open source tool "mitmproxy", an interactive HTTPS proxy. The research took place between August and December 2018. The researchers captured and decrypted data in transit between users’ devices and Facebook servers. It turns out that some apps routinely send Facebook information about your device and usage patterns, automatically, when you open the app. The technical part of their analysis was presented at the 35th Chaos Computer Congress (35C3). You can watch a video from it here.

The report aims to illustrate how mobile apps on the Android operating system share data with large tech companies like Google, Facebook, Microsoft and Twitter. The researchers' findings show that 90% of the apps analyzed could share data with Google’s parent company Alphabet, while Facebook could receive data from 42.55% of apps.

Further, at least 61% of all apps tested automatically transfer data to Facebook the moment a user opens the app. It was revealed that 23 out of 34 apps tested communicated the following information to Facebook about users who do not have a Facebook account (or who are logged out of the platform):

  • The fact that a user is using a specific app
  • Every single time that user opens and closes an app
  • Information about the nature of the device the user owns, and the user’s suspected location based on language and time zone settings

Apps that automatically transmit data to Facebook share this data together with a unique identifier, known as the Android Advertising ID (AAID). AAID is a unique, user-specific ID for advertising, provided by Google Play services, that is automatically assigned to each Android user. The primary purpose of advertising IDs is to allow advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile.
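The linking described above can be checked during an app privacy audit. The following is an added example, not code from the report or from Privacy International: it takes request records exported from an intercepting proxy, keeps those sent to Facebook hosts, and groups apps by the advertising ID they transmit. The record layout, the sample flows, the `advertiser_id` field name and the host suffix list are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: tracker host suffixes and the form field
# that carries the advertising ID. Adjust to what your own capture shows.
TRACKER_SUFFIXES = ("facebook.com",)
ID_FIELD = "advertiser_id"
AD_ID = "00000000-0000-4000-8000-000000000001"  # constructed sample ID

# Constructed sample flows: one record per decrypted request seen at app start.
FLOWS = [
    {"app": "com.example.prayer",
     "url": "https://graph.facebook.com/v0/APP_ID/activities",
     "body": f"event=app_open&{ID_FIELD}={AD_ID}&tz=Europe%2FSofia"},
    {"app": "com.example.fitness",
     "url": "https://graph.facebook.com/v0/APP_ID/activities",
     "body": f"event=app_open&{ID_FIELD}={AD_ID}&locale=en_GB"},
    {"app": "com.example.notes",  # first-party traffic only
     "url": "https://api.example.org/sync", "body": ""},
    {"app": "com.example.game",  # lookalike host, must not count as Facebook
     "url": "https://facebook.com.example.net/collect",
     "body": f"{ID_FIELD}={AD_ID}"},
]

def is_tracker(url):
    """True only for the listed domains and their real subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)

def link_by_ad_id(flows):
    """Map each advertising ID to the apps that sent it to a tracker host."""
    profile = defaultdict(set)
    for flow in flows:
        if not is_tracker(flow["url"]):
            continue
        for ad_id in parse_qs(flow["body"]).get(ID_FIELD, []):
            profile[ad_id].add(flow["app"])
    return {ad_id: sorted(apps) for ad_id, apps in profile.items()}

def share_rate(flows):
    """Return (apps contacting a tracker host, apps tested)."""
    tested = {f["app"] for f in flows}
    sharing = {f["app"] for f in flows if is_tracker(f["url"])}
    return len(sharing), len(tested)

if __name__ == "__main__":
    print(share_rate(FLOWS))
    for ad_id, apps in link_by_ad_id(FLOWS).items():
        print(ad_id, "links", apps)
```

Any ID that maps to more than one app is a point where the receiving party can join activity from otherwise unrelated apps into one profile.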

“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion”, claims the report.

Another observation included in the report is that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. As mentioned above, data sharing is possible even if people are logged out of Facebook or do not have a Facebook account.

The report also claims that it is particularly difficult to avoid being tracked by Facebook through apps on Android. There are two ways in which people who do not have a Facebook account can control Facebook's use of cookies to show them ads. A test by Privacy International revealed that both opt-outs had no discernible impact on the data sharing.

Towards the end of the report, readers can find a list of recommendations to Google, Facebook, Android developers, app providers and users. The researchers also express their hope that both Facebook and developers will put more effort into avoiding oversharing, profiling and damaging the privacy of their users.

The findings of this report draw attention in two directions.

The first is privacy as respected and sought after by end users. Digital products and services grow in complexity to better serve our needs. To know and understand the implications they could have on our lives, we need to keep educating ourselves.

The second direction is a reminder to organizations that “privacy by design and by default” is an ongoing effort. Our products and services often depend on third-party organizations. It is our responsibility to ensure we do not blindly compromise our compliance with regulations and privacy policies.

Photo: Pexels