A study has revealed that close to 20 Android apps on Play Store automatically send the user’s data to Facebook without their consent, raising privacy concerns. These include popular travel apps such as Kayak, TripAdvisor as well as job search app, Indeed.
Privacy International analysed 34 apps on Android, out of which 61 per cent were found to automatically transfer data to Facebook as soon as the user opened them. The apps reportedly include Facebook Software Development Kit (SDK), designed to automatically transmit event data to Facebook.
In some cases like Kayak, the app was reportedly sending detailed and sensitive information to Facebook such as flight searches of its users, departure city, number of tickets, arrival city, etc, which pose a threat to the user’s privacy.
“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion,” the report reads.
Among the first set of data that apps reportedly send to Facebook is that Facebook SDK has been initialised and that app has been installed. More data including each time the user opens the specific app is also sent to the company. The data shared with Facebook is shared with a Google advertising ID (AAID).
This is in violation with privacy guidelines in several places, including Europe where the EU data protection, GDPR (General Data Protection Regulation) came into effect on May 25, 2018. It is unclear at this point how the data shared by apps with Facebook is being used.
Facebook said in an email statement to Privacy International that it introduced a change to its SDK on June 28 last year, which is around a month after GDPR came into effect, that removed signal that the SDK was initialised. This disabled automatic event logging.