Privacy International claims most Android apps share data with Facebook without user consent

The social media giant’s third-party tracking via the Facebook SDK may constitute a GDPR breach

Graphic of individuals being glared at by cameras and having their privacy invaded

Privacy International has found that more than half of Android apps, including big names like Skyscanner and Tripadvisor, automatically transfer data to Facebook when opened without user consent.

In a 51-page report titled 'How Apps on Android Share Data with Facebook', Privacy International revealed 61% of the 34 apps tested transfer data such as "app installed" or "SDK initialised" when the app is opened. The app also sends data about the nature of the device the user owns, and the user's location based on language and time zone settings.

According to researchers, this data is gathered by Facebook regardless of consent, or whether users even have a Facebook account.

The data reveals how often people use these apps, according to Privacy International's analysis, and is often sent with a unique identifier such as Google Advertising ID (AAID), or Apple's IDFA. Together, the data could be used by advertisers to link data about user behaviour and paint a comprehensive profile.

"If combined, data from different apps can paint a fine-grained and intimate picture of people's activities, interests, behaviours and routines, some of which can reveal special category data, including information about people's health or religion," the report warned.

"For example, an individual who has installed the following apps that we have tested, "Qibla Connect" (a Muslim prayer app), "Period Tracker Clue" (a period tracker), "Indeed" (a job search app), "My Talking Tom" (a children's' app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent."

The report also found that some apps routinely send Facebook data that is highly detailed and occasionally sensitive, including data on users who do not have Facebook accounts.

Privacy International highlighted how travel app KAYAK, for example, would send information about flight searches including departure dates, departure city, destination, number of tickets, number of children and class of ticket.

"Facebook places the sole responsibility on app developers to ensure that they have the lawful right to collect, use and share people's data before providing Facebook with any data," the report continued.

"However, the default implementation of the Facebook SDK is designed to automatically transmit event data to Facebook."

The digital rights group suggested this constitutes a breach of the EU's General Data Protection Regulation (GDPR) given the Facebook SDK automatically shares data before apps are able to ask users to agree or consent.

In light of developers filing 'bug reports' last year, Facebook released a voluntary feature that should allow developers to delay collecting automatically logged events, such as "SDK initialised", until after they acquire user consent. This feature was only launched 35 days after GDPR took effect on 25 May, however, and only works with SDK version 4.34 and later.

"Prior to our introduction of the "delay" option, developers had the ability to disable transmission of automatic event logging data, except for a signal that the SDK had been initialised," Facebook said in response to the report.

"Following the June change to our SDK, we also removed the signal that the SDK was initialised for developers that disabled automatic event logging.

"In June we also introduced another option for businesses that want to use our auto-event logging feature in compliance with our Business Tools Terms.

"Today, an app developer can either choose to use a pre-installed mechanism for obtaining an end user's prior informed consent (as they could in the past), or use the SDK delay feature."

Privacy International's report insisted that despite these options for developers, automatic data transmission was still detected for the majority of apps tested.

A number of possible factors could explain this, including the fact that data sharing is the default option, and that many apps run older versions of the Facebook SDK. Skyscanner, for instance, was running version 4.33.0 of the SDK when tested in early December, while Spotify was running version 4.310.

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now


'Largest ever' Magecart hack compromises 2,000 online stores

'Largest ever' Magecart hack compromises 2,000 online stores

15 Sep 2020
Infocyte integrates with Palo Alto Networks Cortex XSOAR
cyber security

Infocyte integrates with Palo Alto Networks Cortex XSOAR

19 Aug 2020
Andrew Daniels joins Druva as CIO and CISO

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020

Most Popular

Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
16 ways to speed up your laptop

16 ways to speed up your laptop

16 Sep 2020
Google Pixel 4a review: A picture-perfect package
Google Android

Google Pixel 4a review: A picture-perfect package

18 Sep 2020