Collection without notice: Developers respond to Facebook Privacy Concerns

We reported yesterday on an investigation by Privacy International which found that a large percentage of Android apps were sending personal data to Facebook without ever logging into Facebook and without giving consent to this.

The number of big name apps doing this was scary and appalling. Many of these companies have now responded to the report by Privacy International, with some dealing with it better than others. Those who notably have not responded to the controversy include Duolingo, Shazam and Yelp so we recommend caution using these at all if privacy is a concern of yours. We have listed those who have responded below along with their response.

Spotify

Spotify responded to Privacy International on the 27th December and although the company has  a Facebook privacy setting in its online settings, it appears Spotify was unaware of the Facebook data collection. Although Spotify made no commitment to fix it or alter the Facebook integration, the company is evaluating “whether changes should be made”.

Spotify is committed to transparency and fairness in how it processes personal data in connection with the Spotify app and service. We are currently working to evaluate Privacy International’s technical findings (the details of which shared by Privacy International are quite brief) and to understand the context of data being transmitted to graph.facebook.com. If necessary, we will also evaluate whether changes should be made as part of this Facebook integration.

TripAdvisor

TripAdvisor have also responded to Privacy International, albeit less positively saying that they respect data protection rights but think that the view Privacy International have taken to be “somewhat oversimplified”. Watch this space — for such a big player in the travel market to be that non-commital to fixing this leakage of user data is a serious issue.

we are committed to engaging with Privacy International. Respecting the data protection rights of our users is of utmost importance to TripAdvisor. […] Given the complexity of the technical issues you raise, we respectfully consider the statements you have made to be somewhat oversimplified. […]

Calorie Counter – MyFitnessPal

Owned by Under Armour, Calorie Counter – MyFitnessPal is an extremely popular fitness app with over 50 million installs and nearly two million reviews. Unfortunately their response to Privacy International left us less than impressed or convinced that they are taking or protecting their users’ data privacy seriously.

The SDK identified is a common analytics tool. It provides information that allow apps, like MyFitnessPal, to improve the services provided to their user communities (i.e., it serves to provide an aggregative view of app installs, app open, and in app purchase activity – information that is then used to enhance the app experience). MyFitnessPal specifically outlines this to users in its Privacy Policy as analytics processed for a legitimate interest as permitted under Art. 6 (1) (f) of the General Data Protection Regulation (GDPR), namely “… to enhance … [user] experience and to develop and improve our Services.”

Skyscanner

Privacy International tested out the Skyscanner app with ad personalisation turned off and turned on and in both instances data was sent to Facebook as soon as the app was opened. Skyscanner must have been unaware of this because since receiving the letter from Privacy International they have updated their app so that it no longer does that. Most likely, this is done by using the newer Facebook SDK and turning off the send to Facebook option (or not using the Facebook SDK at all).

Skyscanner’s response was equally impressive and should applauded for getting onto the front foot with this issue.

Our goal is to be as transparent and upfront as possible with travellers regarding what information is collected from them and who it is shared with. Since receiving your letter, we released an update to our app as a priority which will stop the transmission of data via the Facebook SDK. As a further result of this we will audit all our consent tracking and are committed to making any changes necessary to ensure that travellers privacy rights are fully respected.

The Weather Channel

The Weather Channel app has over 100 million downloads and although it’s presences isn’t very big in Australia it’s inclusion in the apps that failed the privacy test is worrying. As it turns out, The Weather Channel actually updated their app BEFORE receiving the letter from Privacy International showing their commitment to user privacy and should be commended for doing so.

The Weather Channel (TWC) is committed to protecting user privacy, which includes empowering the user to choose whether to receive personalized advertising. The current version of the TWC Android app — released globally on December 10 — does not utilize the Facebook Login SDK referenced in your December 19, 2018, letter. TWC encourages its users to use the most up-to-date version of the app in order to maximize their user experience and privacy protections.

My Talking Tom / My Talking Hank etc by Outfit7

My kids loved My Talking Tom when they were younger and I’m told that it is still a hit with the younger kids. It is thus concerning that they also failed the user privacy test, especially considering that a vast majority of users would be kids.

Outfit7’s response to Privacy International was long and detailed but said all the things you want to hear from any app developer, let alone those working on apps for kids. Outfit7 began working on using the newer Facebook SDK in September and because of the nature of their app they have more considerations such as what to do for users under the age of 16.

In the end , Outfit7 entirely disabled the transmission of data to graph.facebook.com regardless of the age of the user. A small snippet of their response can be seen below:

To demonstrate our commitment to the privacy of our users, we’ve undergone the robust certification process for compliance with the GDPR and we’re also members of the ePrivacyApp certification program (the “Program”). ePrivacy is an independent, third-party organization specializing in digital data protection. As part of the Program, Outfit7’s Talking Tom and Friends and other characters applications are subject to a comprehensive inspection and certification of the applications with respect to ensure that the applications live up to the high demands in the field of data protection and can provide a high level of security of end user data.

For the EEA territory, which includes UK, the internal instructions were, that all app events, together with the advertising ID, sent to graph.facebook.com must be disabled for users that are below 16 or do not pass the localized age gate.

For users that are above 16 or pass the localized age gate, Facebook login SDK must be added to our consent tool and no app event data (including advertising ID), should be sent to graph.facebook.com unless user gives consent. On October 17, 2018, we have decided to entirely disable transmission of app events data (including advertising ID) to graph.facebook.com regardless of the fact whether user passed the age gate or not.

The first app that was updated with the updated Facebook SDK was Talking Tom Gold Run (November 20, 2018). My Talking Tom and My Talking Angela apps were updated on December 20, 2018. All the other apps, including My Talking Hank, will get updated by the end of February 2019.

While this is a very small sample size it is worth noting those that passed which includes Candy Crush Saga, Dropbox, Opera Browser, Period Tracker – My Calendar, Skater Boy, Speedtest by Ookla and WeChat.

It is worth remembering that Privacy International ONLY tested 34 of the most popular Android apps. That means there are a hell of a lot more that they did not test so we suspect this small list is but the tip of the iceberg. Imagine all the smaller apps out there without the resources of these bigger companies and how many of them would use the older Facebook SDK.

At this stage there is no easy way to test your apps for this leakage of personal information to Facebook but you can bet your bottom dollar someone will come up with an app to do so very soon.

Facebook have faced a lot of issues with their footloose and fancy-free ways with their users’ private data in recent times and given the small sample size here we expect the list of those apps affected (and thus the number of people affected) to grow exponentially in the coming days as more and more developers become aware of how this affects their apps.

It remains to be seen whether Facebook will be held accountable to this use of personalised data without permission but we can only hope so. It also remains to be seen how many others sink with the Facebook ship or will they all jump off before it is no longer tenable.