It’s time for another Facebook privacy fail. Earlier this week, it was revealed that 11 popular apps with tens of millions of users were sending heart rate data, data from a period tracker, and other extremely personal information to Facebook.
The findings were published in a report from The Wall Street Journal which discovered that these apps often sent specific personal data to Facebook within seconds of it being entered into the app. According to the report, this data was sent to Facebook regardless of whether users were logged in to Facebook or had a Facebook account. Many of the apps also sent the data to Facebook without clearly disclosing this to users and didn’t provide a clear way to opt out of this data collection.
The report doesn’t disclose all the apps that were tested or the entire spectrum of data that was sent to Facebook. However, it provides some detailed information about three of the tested apps:
- Instant Heart Rate: HR Monitor: This app is the most popular heart-rate app on Apple’s iOS App Store and claims to have over 35 million users. According to The Wall Street Journal’s report, it sent heart rate data to Facebook immediately after users recorded their heart rate in the app.
- Flo Period & Ovulation Tracker: This is another popular app which claims to have over 25 million active users. The Wall Street Journal’s tests found that it told Facebook when app users were having their period and when they intended to get pregnant.
- Realtor.com: Real Estate: Homes for Sale and Rent: This real estate app has over 10 million downloads and when tested by The Wall Street Journal, it told Facebook the location and price of listings that users viewed in the app. It also told Facebook which listings had been marked as favorites.
The report also reveals that BetterMe: Weight Loss Workouts (which has over 5 million installs) and Breethe: Sleep & Meditation sent data to Facebook but it doesn’t disclose the specific data that was sent.
Facebook has responded to the report by claiming that some or all of the apps may be sending data that isn’t required and that they may be in violation of Facebook’s data policies.
Many companies use Facebook’s SDK (software development kit) to track “custom app events” (specific user actions in their apps) in order to gain insights on how users interact with their apps. So, it’s possible that some or all of these app developers are using the Facebook SDK as an internal analytics tool and inadvertently passing the data to Facebook.
Regardless of why this data is being passed to Facebook, it still shows that Facebook isn’t actively monitoring how its SDK is being used or proactively ensuring that these violations don’t occur. At the end of 2018, a similar study by Privacy International revealed that many popular Android apps were sending highly personal data to Facebook through its SDK. It seems like little has changed since that Privacy International Study was published.
Some of the app developers have responded to The Wall Street Journal’s report and vowed to review the way their app shares data with Facebook.
In a statement to CNBC, a spokesperson for the Flo Period & Ovulation Tracker app said that the company had started auditing its data privacy practices and its external analytics tool. The spokesperson added that Facebook’s SDK was only being used for internal analytics purposes and that iOS and Android app updates are now available which will stop data being shared with any external analytics systems, including Facebook’s analytics.
The co-founder of the Breethe: Sleep & Meditation app also gave the following statement to The Wall Street Journal:
Ultimately, regardless of what these app developers say and any changes that Facebook promises to make, this report once again highlights that you need to be extremely vigilant if you want to protect yourself from Facebook’s pervasive tracking.
We have a comprehensive guide that goes through all the steps you can take to stop Facebook tracking you on both iOS and Android devices, so make sure you check it out if you want to protect yourself from its data mining.