Some popular Android apps are sharing your data with Facebook without user consent

Facebook and Privacy scandals. Name a better duo. No seriously, for what seems like the umpteenth time this year, Facebook has been found engaging in behaviour that skirts the creepy line and teeters on kind of illegal — in the EU at least.

Privacy International did some research on Facebook’s data sharing arrangements with developers who incorporated the firm’s SDKs into their apps.

Privacy International’s key findings were as follows:

  • We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
  • We also found that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. Again, this concerns data of people who are either logged out of Facebook or who do not have a Facebook account.
The legal implications of this are that Facebook’s SDK’s default implementation violates the EU’s General Data Protection Regulation, which requires app developers to request consent from users before collecting data. Facebook’s SDK would collect data from devices, with developers being unable to prevent the SDK from collecting data about the user, including how long the use the particular app, when and their device ID. Post-GDPR, Facebook introduced a voluntary option that allowed developers to request consent for data collection – but it only works on newer versions of the SDK. Privacy International also notes Facebook launched it a month after the regulations came into force.
“Prior to our introduction of the “delay” option, developers had the ability to disable transmission of automatic event logging data, except for a signal that the SDK had been initialized.,” Facebook told Privacy International in an emailed statement, “Following the June change to our SDK, we also removed the signal that the SDK was initialized for developers that disabled automatic event logging.”
Privacy International notes that approximately 68% of app developers haven’t implemented this fix and still work with Facebook’s default settings.