Facebook apps secretly sending sensitive data back to the mothership

A trio of privacy earthquakes shook Facebooklandia on Friday.

TL;DR: It turns out that…

  1. Eleven third-party apps are sharing our sensitive data with Facebook. Don’t want the network to know when you menstruate? The purchase price for that house you ogled? Tough. News about the oversharing came from the Wall Street Journal [paywalled] on Friday, and as a result…
  2. New York’s governor called on two state agencies to investigate this “secret” sharing of health and financial data, which apparently violates Facebook’s own policies, and which is reportedly done to both non-Facebook users and non-logged-in users, without much by way of explicit user consent. Meanwhile…
  3. 60 pages of un-redacted legal documents from a lawsuit between Facebook and app developer Six4Three were anonymously posted on GitHub. The documents haven’t been independently confirmed, The Guardian reports, but Facebook hasn’t denied their authenticity. The internal emails reveal that Facebook planned to spy on Android users and that Facebook itself had what it called a near-fatal brush with a data privacy breach when a third-party app came close to disclosing its financial results ahead of schedule.

To get to the bottom of the WSJ’s findings about the blabby apps, New York Governor Andrew Cuomo said that he’s putting multiple agencies to work on the matter.

If the WSJ’s investigation proves to be accurate, and if those freshly leaked internal emails from Six4Three prove authentic, it’s going to paint an even uglier picture of Facebook post-Cambridge Analytica, governmental investigations and fines, when one might have reasonably assumed that the company would have backed up its protestations about data-bumbling third-party apps breaching its policies with at least a semblance of reining them in.

In the meantime, a few more details about this batch of fresh Facebook news:

You told Facebook WHAT??!

On Friday, the WSJ reported that iOS and Android apps are disgorging some of the personal health- and finance-related data of millions of users. From its report:

Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status.

In other words, personal data that users wouldn’t necessarily want to share with Facebook.

Nonetheless, the WSJ said, tests showed that Facebook’s software collects data from numerous apps within seconds of it being entered by the user, with no sign of a prominent or specific disclosure by the app. This is the case even when a user hadn’t logged into Facebook for authentication, or even if a user didn’t have a Facebook account to begin with.

That includes popular apps that have been downloaded by millions of users, including:

  • Instant Heart Rate: HR Monitor by Azumio, the most popular heart-rate app in Apple’s App Store. It sends users’ heart rates immediately after a reading is taken.
  • The Flo Period and Ovulation Tracker: its developers claim that the iOS and Android app has been downloaded by over 70 million users worldwide. The app tracks when users get their periods and when they want to get pregnant: information it was, or may still be, reportedly passing on to Facebook.
  • Realtor.com sends Facebook the location and price of listings viewed by a user, as well as those marked as favorites, according to the WSJ’s tests.

I’ve asked those three companies for comment and will update the story if I hear back. As far as NY State Governor Cuomo is concerned, the conclusions reached by the WSJ’s investigation display what he called…

Facebook’s “outrageous abuse of privacy”

Cuomo said that the WSJ report represents “an invasion of privacy and breach of consumer trust” and that Facebook’s actions are an “outrageous abuse of privacy”.

Cuomo is asking for a probe from the New York Department of State and the Department of Financial Services, among others. He’s also called on relevant federal regulators to “step up and help us put an end to this practice and protect the rights of consumers.”

New Yorkers deserve to know that their personal information is safe, and we must hold internet companies – no matter how big – responsible for upholding the law and protecting the information of smartphone users.

Reuters reports that Facebook said in a statement that it would assist New York officials in their probe, but that the WSJ’s report focused on how other apps use people’s data to create ads. From Facebook’s statement:

As [the WSJ] reported, we require the other app developers to be clear with their users about the information they are sharing with us, and we prohibit app developers from sending us sensitive data. We also take steps to detect and remove data that should not be shared with us.
