The majority of Android apps are automatically sharing user data with Facebook without permission, potentially in breach of the law.

According to a new report by Privacy International, Android apps are sharing data with Facebook through the social network giant’s software development kit (SDK).

Its investigation found that more than 60 percent of the 1,000 tested apps were automatically transferring user data to Facebook as soon as they were opened, even if the user doesn’t have a Facebook profile or is logged out of their account.

It also found that many apps are handing over highly sensitive data to Facebook without permission from the user.

“Privacy International is greatly concerned about the manifold ways in which people’s data is exploited in these hidden backend systems,” the report said.

“Both Google and Facebook are like other ad companies that try to collect a lot of data about what you do online. The crucial difference, however, is that their purview is especially broad.”

Guilty

The report found that 61 percent of the 34 tested apps automatically transferred data to Facebook, including when the app was opened and closed, information about the type of device the user owns, and the user’s location based on the language and timezone.

Among the tested apps that did share information with Facebook were Spotify, Duolingo, Shazam and TripAdvisor.

This data could potentially be combined by Facebook to form an accurate picture of the user’s personal details, Privacy International said.

“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviours and routines, some of which can reveal special category data, including information about people’s health or region,” it said.

“For example, an individual who has installed the following apps that we have tested, ‘Qibla Connect’, ‘Period Tracker Clue’, ‘Indeed’, ‘My Talking Tom’, could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent.”

The investigation also concluded that many Android apps are routinely providing more detailed, sensitive data to Facebook. Travel app KAYAK was singled out for automatically sending Facebook data on flight departure dates, departure city, number of children and the class of the plane ticket, without the user’s permission.

Apps that did not share information with Facebook included Dropbox, Candy Crush, WeChat, Speedtest.net and the Opera browser.

Sharing by default

Part of the issue is that the default setting of Facebook’s SDK is to transmit some of this data to the social network.

“Facebook places the sole responsibility on app developers to ensure that they have the lawful right to collect, use and share people’s data before providing Facebook with any data,” the report said. “However, the default implementation of the Facebook SDK is designed to automatically transmit event data to Facebook.”

In response to the report, Facebook said a number of changes have been made to the SDK that help to prevent these issues.

“Today, an app developer can either choose to use a pre-installed mechanism for obtaining an end user’s prior informed consent (as they could in the past), or use the SDK delay feature,” the company said in a statement.

Falling foul of GDPR

Privacy International also raised concerns that the data sharing practices could be in violation of the General Data Protection Regulation (GDPR) in the European Union.

It should be up to the big tech companies to protect users’ information, the organisation said.

“Unfortunately, it is difficult to protect yourself from the kind of data sharing that we have described in this report,” Privacy International said.

“We have sought to emphasise throughout this report the burden should not be on the individual. That systemic criticism aside, there are some concrete steps that Facebook, Google, app developers, as well as users can take to address some of the concerns we have raised in this report.”

Some things Android users can do to protect their information include resetting advertising IDs regularly, limiting ad personalisation and regularly reviewing the permissions given to apps.