Data Protection Stories  , Data Protection Stories

Investigating apps that share personal data to Facebook without consent

Encouraging Android app developers to adopt better data sharing practices

Context

The Issue

Research conducted in late 2018 by Privacy International found that a number of popular Android apps—including Spotify, Duolingo, and TripAdvisor—automatically transferred personal data to Facebook the moment users opened the app, without user consent. They found this occurred even if a user did not have a Facebook account.

The Role of the GDPR

Privacy International conducted a legal analysis of this data-sharing in a report published in December 2018, which outlined how applications fell below an acceptable standard with respect to user consent and privacy under the EU’s General Data Protection Regulation (GDPR) and the ePrivacy directive. Privacy International reached out to applications directly to share their findings. The report also gained attention from the press, and in response, a number of popular apps updated their code in the following months, and no longer automatically share the data in question with Facebook.

Key Takeaways

Filing complaints to data protection authorities can be an effective litigation tool, but it is not always necessary to use the GDPR in this way to push companies to change their data practices. For Privacy international, publishing a legal analysis and reaching out to applications directly—alongside public pressure from the media—proved to be a relatively fast and effective first step for convincing many tech companies to improve their practices around consent, data-sharing and user privacy.

Published July 16, 2019

People are rapidly losing trust in Facebook’s ability to keep their information secure. Over the last several years, the tech giant—which boasts over 2 billion active users around the world—has gained attention over a range of data breaches and privacy vulnerabilities. A number of users have left the platform, some as part of a wider campaign to #DeleteFacebook. Of course, as some have pointed out, deleting Facebook is a huge privilege and not a practical option for many who rely on the platform for connecting with people from shared backgrounds, community organizing, finding social support or growing small businesses. It also turns out that escaping the platform’s watchful eye is not that straightforward or simple. Recent research from the University of Oxford suggested that Facebook might still track information on individuals who don’t even have Facebook accounts through third party tracking on mobile apps.

Illustration: an individual walking and looking at their phone, which is full of apps that spy on them

Hidden data sharing through Facebook’s Software Development Kit

UK-based charity Privacy International was interested in the extent of this hidden data sharing, and how this third party tracking works in practice. They launched a research project focused on Android smartphone apps that make use of Facebook’s Software Development Kit (SDK).The SDK allows for integration with Facebook’s platform—for instance, it enables users to log into apps using their Facebook account. The SDK is also what allows for data sharing between apps and Facebook itself. Between August and December 2018, Privacy International manually tested 34 Android apps to investigate whether they were sharing data to Facebook, and, if so, what specific data was being shared. They investigated popular apps with a wider user base (e.g. Spotify, Yelp, Duolingo) as well as apps that may reflect sensitive information about a user’s health, lifestyle or demographic (e.g. My Fitness Pal, Muslim Pro). For simplicity, Privacy International focused their research on the Android operating system developed by Google—but this kind of third party tracking occurs on other smartphone operating systems as well.

Even users without Facebook accounts are affected

Privacy International found that over 60% of Android apps in their study shared data with Facebook the moment a user opened the app, regardless of whether the user was logged into Facebook or had a Facebook account. The data shared with Facebook indicated that the specific app had been opened by a user. Culpable apps included Spotify, Duolingo, Yelp, Trip Advisor, Mulsim Pro, and Period Tracker Clue, among various others. The data shared with Facebook also included the user’s unique Google advertising ID, making it hypothetically possible to create a demographic profile of a particular user informed by the apps they are using.

In December 2018, Privacy International published these findings, together with a legal analysis of this kind of data sharing, in a public report. The report assessed the lawfulness of apps sharing data to Facebook on the legal bases of legitimate interest, consent and contract under the EU’s General Data Protection Regulation (GDPR) as well as concerns under the EU’s ePrivacy directive. Privacy International also considered how data transmitted by particular apps, such as health or prayer apps, could reveal special category personal data (e.g. data related to a person’s ethnicity, race, health conditions or sexuality, which is prohibited under the GDPR without consent from users).  The report raised open questions on whether legal responsibility should rest with app developers, Facebook or Android as a platform. Under the GDPR, compliance is required of parties deemed as “data controllers”, and while app developers would often be considered data controllers in cases like this, it’s possible that Facebook could also be considered a data controller given its role in influencing data transmission through their design of the Facebook SDK’s default settings.  Despite ambiguity regarding distribution of responsibility, the report made clear that this behaviour fell below an acceptable legal standard with respect to user consent and privacy.

The report was presented at the Chaos Communication Congress, and in advance of publication Privacy International reached out to Facebook, Google and the tested apps directly to share their findings and analysis. They published some of the email responses received in their report. Facebook’s response included details on an updated feature in the SDK that enables app developers to delay automatic transmission of data until user consent was provided. However, this feature was launched at the end of June 2018, 35 days after the GDPR came into effect. A number of apps tested also responded, many stating a commitment to addressing the privacy issues related to Facebook’s SDK. Privacy International’s research gained attention from the press, and soon, many of the culpable smartphone apps were being contacted by journalists about this data-sharing issue.

A few months after the original report release, Privacy International conducted a re-test of the offending apps to see if anything had changed. Though not all apps had made changes, many of the more popular apps, including Spotify and KAYAK, had updated their code. All told, two thirds of the original apps tested no longer automatically shared user data with Facebook when a user opened the app. It was clear that Privacy International’s investigation and analysis were far from fruitless.

Litigation is not the only way to change data practices

We spoke to Ailidh Callander, a legal officer at Privacy International, to learn more about the decision to use the GDPR as a tool for legal analysis, rather than litigation as their first step to address this issue with Android apps. In other words: why hadn’t they opted to file complaints to data protection authorities (DPAs) around this issue, as many civil society groups have been doing to address privacy concerns in the ad tech industry?

Callander pointed out that using the GDPR to file complaints can be an effective approach to advance privacy rights, and Privacy International used the GDPR to file complaints about the data practices, particularly profiling, of data brokers and ad tech companies. However, it is not always the first port of call and may have its drawbacks. Getting DPAs involved can be a slow process. And while DPAs can have a powerful influence, the process can be constrained by adherence to specific jurisdictions. In this instance, Privacy International was most interested in changing the behaviour of companies and was able to find alternative ways to leverage the GDPR outside of legal action to make this happen.

In March 2019, Privacy International did eventually contact the European Data Protection Board and the European Data Protection Supervisor. However, publishing their legal analysis and reaching out to applications directly—alongside public pressure from the media—still proved to be a relatively fast and effective first step for convincing many tech companies to improve their practices around consent, data-sharing and user privacy.