Sometimes, Facebook isn’t the one you should blame for privacy violations involving Facebook. For example, an investigation by the Wall Street Journal found 11 popular apps that routinely transmit potentially sensitive personal data like body weight and menstrual cycles to Facebook—sometimes in violation of the social network’s own guidelines.
At issue is an analytics tool that Facebook offers to developers called App Events. It’s a plug-and-play SDK that helps developers setup custom trackers of user activity that can translate into ad targeting data. Facebook isn’t the only company offering this kind of tool but according to the Wall Street Journal, it’s been implemented in “thousands” of apps.
In order to get an idea of how this SDK is being used, the Journal used software to analyze the internet communications of over 70 apps. “The tests found at least 11 apps sent Facebook potentially sensitive information about how users behaved or actual data they entered,” the report says. For some reason, the paper decided to only identify five of the apps by name. They are:
- Instant Heart Rate: HR Monitor - Transmitted heart rate data.
- Flo Period & Ovulation Tracker - Shared when a user was having their period.
- Realtor.com - Transmitted the location and price of listings that a user viewed.
- BetterMe: Weight Loss Workouts - Shared users’ weights and heights.
- Meditation app Breethe - Shared the email address users used to log in to the app and the name of the meditations the user completed.
Flo seems to be the most obviously personal example of sharing information that users’ may not be aware of and the company’s response to questions did not inspire confidence that they’re taking the issue seriously. From the report:
Flo initially said in a written statement that it doesn’t send “critical user data” and that the data it does send Facebook is “depersonalized” to keep it private and secure.
The Journal’s testing, however, showed sensitive information was sent with a unique advertising identifier that can be matched to a device or profile. A Flo spokeswoman subsequently said the company will “substantially limit” its use of external analytics systems while it conducts a privacy audit.
Facebook did not respond to Gizmodo’s request for comment but told the Journal that it tells developers not to share “health, financial information or other categories of sensitive information.” The Journal tested the top 10 finance apps in Apple’s U.S. app store and found that none appeared to be sharing sensitive information with Facebook. But health information like period cycles, heart rates, and body weight fluctuations were all being shared in apps that were reviewed. Facebook said that it would inform the offending apps’ developers to stop transmitting prohibited information and if they continue to violate its rules, “it may take additional action.”
Some of the developers quickly changed their policies after being contacted by the Journal, others didn’t respond.
In the world of Facebook-related scandals, this one ranks pretty low on the outrage meter. But it does, once again, illustrate that you don’t even have to be a Facebook user to find out you’ve been unwittingly handing over data to the tech giant. It’s also an important reminder that users should be careful when it comes to sharing health information—especially at a time when insurance companies are looking to social media and data analytics to determine premiums.
We also may find out that abuse of Facebook’s SDK is more widespread than we realized. The office of New York Governor Andrew Cuomo announced this afternoon that it is directing the Department of Financial Services and other state agencies to immediately open an investigation into Facebook’s practices with third parties.