It’s not just dating and health apps that might be violating your privacy when they send data to Facebook.
A Privacy International study has determined that “at least” 20 out of 34 popular Android mobile apps are transmitting sensitive information to Facebook without asking permission, including Kayak, MyFitnessPal, Skyscanner and TripAdvisor.
This typically includes analytics data that is sent on launch, including your unique Android ID, but can also include data that is sent later. The travel search engine Kayak, for instance, apparently sends destination and flight search data, travel dates and whether or not kids might come along.
While the data might not immediately identify you, it could theoretically be used to recognize someone through roundabout means, such as the mobile apps they have installed or whether they travel with the same person. This could eventually lead to phishing activities and other malware-induced identity theft.
The concern isn’t just that apps are oversharing data, but that they may be violating the EU’s GDPR privacy rules by both collecting info without consent and potentially identifying users. You can’t lay the blame solely at the feet of Facebook or developers, though.
Facebook’s relevant developer kit didn’t provide the option to ask for permission until after GDPR took effect. The social network did develop a fix, but it’s not clear that it works or that developers are implementing it properly. Let’s hope the fix includes anti-malware or anti-fraud kits.
Numerous apps were still using older versions of the developer kit, according to the study. Skyscanner noted that it was “not aware” it was sending data without permission. It’s like unattended phishing altogether, don’t you think?
Facebook was sympathetic to Privacy International’s concerns in a response, stating that it was crucial for people to both know when an app sends data and to “have control” over whether or not that data is linked to them.
Future changes like Clear History will also help, Facebook said. The company also stressed to the Financial Times that developers could turn off automatic data gathering and could delay sending app analytics.
Still, it’s evident that app creators either aren’t paying attention to these changes or aren’t bothering to adopt them. They may need a nudge if they’re going to avoid controversies and EU fines.