How Facebook tracks non-users through Android applications


Facebook tracks Android users through apps, even if they are not Facebook users.

LEIPZIG, GERMANY – If you quit or never joined Facebook because of its data collection practices, the odds are good that, despite your protest, the social network is still tracking you.

Facebook collects data on non-users of its social network through dozens of mainstream Android apps that send tracking and personal data back to the social network. Some of the dozens of apps that share data with Facebook include Kayak, Yelp and Shazam, according to a report presented here on Saturday by Privacy International at 35C3.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” the report says. “App developers share data with Facebook through the Facebook Software Development Kit (SDK).”

Privacy International examined 34 Android apps, each with an installation base of 10 million to 500 million, and found that data was transmitted to Facebook via the SDK. The data shared with Facebook varies by app. For example, Kayak's app sends all of a user's search data to Facebook, according to the researchers, and a King James Bible app shared the passage and verse the app user was viewing.

According to the researchers, the majority of apps share data such as the fact that the app is in use, events such as when the app is opened and closed, the Android device being used, and the user's location as determined by language and time zone settings. The use of the app itself can be sensitive data to share with Facebook: the apps that share data include a period tracker, prayer apps, job search apps and apps aimed at young children. Other data that apps share through the Facebook SDK includes “user ratings,” session IDs and additional data variables.

Facebook, Privacy International notes, is just one of hundreds of so-called tracking companies, online marketing firms that collect user information to build massive digital dossiers on users.

After Google, Facebook is the second-largest tracking company on the Internet. “The reason we've focused on Facebook, not Google or any other tracking company, is that the very fact that apps share data with Facebook, such as a period tracker or an LED flashlight [app], will surprise many people. And especially those who have made a conscious decision not to be on Facebook,” said Frederike Kaltheuner, a Privacy International researcher, during her Saturday talk. A key finding of Privacy International's review of the 34 apps is that 61 percent of the apps automatically transfer data to Facebook the moment the user opens the app.

Some apps routinely send Facebook data that is unbelievably detailed and sometimes sensitive, about people who are logged out of Facebook or have no Facebook account at all. Analyses of the individual apps can be found on the Privacy International website.

“Obviously, we focused only on the data transmitted by apps. What we cannot say definitively, however, is how the data is used,” Kaltheuner said. Christopher Weatherhead, a researcher at Privacy International, said the research was not aimed at blaming app developers.

“We're not here to criticize developers for the way they make applications. This concerns the SDK and how it transmits data with or without the consent of the user,” he said.

The Facebook SDK for Android serves many purposes. App developers use it to integrate their applications with the Facebook platform, and it contains a number of components that are useful to developers, such as user analytics, the ability to display ads and the ability to use Facebook as a login and identity service. When Privacy International asked Facebook about the use of its SDK, the social network pointed out that developers are responsible for configuring their apps to share data or not.

“Facebook places a legal and contractual obligation on the developer, whom it considers to be the data controller, to obtain the consent of users before the SDK shares data with Facebook,” Kaltheuner said. When Threatpost asked for comment on the report, a Facebook spokesperson responded with a statement: “Facebook's SDK tool means that developers can choose to automatically collect app events, not collect them at all, or delay their collection until consent is obtained, depending on their specific circumstances. We also require developers to ensure that they have a legal basis for collecting and processing information from users. Finally, we provide developers with guidance on how to meet our requirements in this regard.”

However, Facebook acknowledged to Privacy International that most developers use the SDK's default settings, which means that data is shared the moment an app is launched. This behavior has raised developers' hackles since May, when they were required to comply with the new General Data Protection Regulation, which requires explicit and unambiguous permission before user data is collected. In response, Facebook released a new feature in its SDK in June that delays what it calls “automatic event logging,” giving developers more flexibility to disable the feature or to ask users before collecting data. However, even with the changes Facebook made, the SDK still sends a signal that the SDK was initialized whenever an app is opened, even if the SDK's data sharing is disabled.

“The signal that the SDK was initialized is data that gives [Facebook] a strong indication of what kind of apps someone uses and when they use them, all in combination with a user ID,” said Kaltheuner. According to Privacy International, whether this data collection complies with GDPR and other privacy laws is an open question. Privacy International advocates further changes by Facebook, as well as greater awareness among developers of transmitting the least amount of data required and giving people more choice about what data is collected about them.
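The choice the spokesperson describes above (collect automatically, not at all, or only after consent) is a configuration decision in the app. As an added illustration that is not code from the article, from Privacy International, or from Facebook's own documentation, here is an Android `Application` class that ships with the SDK's automatic initialization and automatic app-event logging turned off and only switches them on after an explicit opt-in. It assumes a version of the Facebook Android SDK that supports the `AutoInitEnabled` and `AutoLogAppEventsEnabled` flags and `FacebookSdk.fullyInitialize()`; the package name, the `ConsentGatedApplication` class, the `privacy_prefs` preferences file and the `fb_sdk_consent` key are hypothetical names chosen for the example.

```java
// Added example, not from the article or from Privacy International / Facebook.
// Assumes a Facebook Android SDK version that supports the AutoInitEnabled and
// AutoLogAppEventsEnabled flags; package, class and preference names are hypothetical.
//
// The matching AndroidManifest.xml entries, inside <application>, would be:
//   <meta-data android:name="com.facebook.sdk.ApplicationId"
//              android:value="@string/facebook_app_id" />
//   <meta-data android:name="com.facebook.sdk.AutoInitEnabled"
//              android:value="false" />
//   <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled"
//              android:value="false" />
//   <meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled"
//              android:value="false" />
// With the defaults the article describes (the flags left unset, i.e. true),
// the SDK initializes and logs app events as soon as the app starts.

package com.example.consentgate; // hypothetical package

import android.app.Application;
import android.content.Context;
import android.content.SharedPreferences;

import com.facebook.FacebookSdk;

public class ConsentGatedApplication extends Application {
    private static final String PREFS = "privacy_prefs";        // hypothetical
    private static final String KEY_CONSENT = "fb_sdk_consent"; // hypothetical

    @Override
    public void onCreate() {
        super.onCreate();
        // Repeat the manifest settings in code so that a manifest merge from
        // another library cannot silently re-enable automatic collection.
        FacebookSdk.setAutoInitEnabled(false);
        FacebookSdk.setAutoLogAppEventsEnabled(false);
        FacebookSdk.setAdvertiserIDCollectionEnabled(false);

        // Only a user who opted in on a previous run gets the SDK initialized
        // at startup; everyone else stays untracked until they decide.
        if (hasConsent(this)) {
            enableFacebookSdk();
        }
    }

    /** Returns the stored opt-in decision; false when the user never answered. */
    static boolean hasConsent(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        return prefs.getBoolean(KEY_CONSENT, false);
    }

    /** Called from the app's consent dialog once the user has made a choice. */
    public static void recordConsent(Context ctx, boolean granted) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putBoolean(KEY_CONSENT, granted).apply();
        if (granted) {
            enableFacebookSdk();
        }
    }

    /** Turns on event logging and initializes the SDK; nothing here runs before consent. */
    private static void enableFacebookSdk() {
        FacebookSdk.setAutoLogAppEventsEnabled(true);
        FacebookSdk.setAdvertiserIDCollectionEnabled(true);
        // fullyInitialize() is the explicit counterpart of the disabled auto-init,
        // so the initialization signal the article describes is first sent here,
        // after the opt-in, rather than at app launch.
        FacebookSdk.fullyInitialize();
    }
}
```

Because the article notes that a disabled SDK still emits an initialization signal, the check a developer should make is on the traffic rather than on the settings: install the app fresh, route it through an intercepting proxy you control, and confirm that no request reaches Facebook before the consent dialog has been answered. The advertiser-ID flag is included as an assumption about a least-data configuration; the page itself does not discuss it.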

“The question [for developers] is, do you really need to integrate the SDK, and can you do it selectively if you do integrate it,” said Kaltheuner. “You shouldn't assume compliance with the default implementation. And when you do implement it, be very fair and transparent with users about how exactly you collect data.”

The responses of app developers to Privacy International's study varied. “Some of them, we had the impression, did not fully understand the SDK and what the SDK does. Others interpreted what they are legally required to do very differently. Others didn't realize that this was going on and promised to update their app,” said Kaltheuner. When notified, two apps, Skyscanner and IBM's The Weather Channel, agreed to change their use of the Facebook SDK immediately.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.