Apps makers are sharing sensitive personal information with Facebook but not telling users

By Nick Statt

Illustration by Alex Castro / The Verge

Facebook is getting ahold of sensitive personal information that smartphone owners submit to entirely separate mobile apps, thanks to a software tool that immediately shares that data with the social network to improve ad targeting, according to a report from The Wall Street Journal. It’s long been known that apps outside of Facebook’s ecosystem can and do willingly share data with the company to make it easier to reach existing and new users on the platform through ads. Yet the WSJ report highlights a particularly privacy-violating behavior by health and fitness apps where the information shared can be anything from diet and exercise activities to a user’s ovulation cycle and whether they intend to get pregnant.

According to the report, app makers like ovulation tracker Flo Health and Azumio Inc., the maker of the most popular third-party heart rate tracker on iOS, use what’s known as “App Events,” a Facebook-provided tool that shares sensitive, user-submitted data directly with the social network that, in most cases, a user must manually submit. That data is then used to inform Facebook’s ad-targeting tools, which it provides to those same developers and others so they can reach existing and new users when they’re browsing Facebook. In the case of Flo Health, Facebook is effectively matching information it collects from the software’s ovulation-tracking feature to real profiles, the Journal says, users it can then potentially label as a viable target for ads regarding expecting mothers and new parents.

It’s not clear whether there is any form of financial arrangement in which apps are incentivized to share this data with Facebook. But the Journal reports that out of the 70 apps it monitored, all of which were among the most popular apps on iOS, 11 of them shared such data with Facebook. None of them appear to notify users about this data-sharing tool through privacy policies or terms of service. And because the sharing is happening outside of the limits of standard permissions — like location, voice, and camera access — it appears neither Apple nor Google is aware of when an app on iOS or Android is communicating sensitive information like this to a third-party service.

According to Facebook, many of the most egregious situations the Journal discovered were so-called “custom app events,” with parameters defined by the app makers and not with any input from Facebook. The company said it advises app makers not to share data that it would consider sensitive — like health and financial data — and it claims not to use the data outside of letting the app that collected the information target Facebook users with ads. In some cases, Facebook actively deletes the data when it knows collecting it would be illegal, such as when banking and other financial-related apps are getting ahold of users’ Social Security numbers.

In other words, Facebook says it’s not collecting sensitive health and financial information and using it more broadly, although there is no way to verify that. A patent application granted last year describes using third-party data stored on Facebook servers to improve the company’s ad-targeting algorithms. “We require app developers to be clear with their users about the information they are sharing with us,” a Facebook spokeswoman told The Journal. In the terms of use for its software development kit, in which app events are included, Facebook says it may use the data collected to “improve other experiences on Facebook, including News Feed and Search content ranking capabilities.”

When contacted, Flo Health told the Journal that it would “substantially limit” its use of analytics tools provided by other companies, after initially trying to claim it never sent information that would let a third party identify the user behind the data. That proved untrue, as the Journal had experts examine the app events to discover that a unique ID was being used to track the device type and app profile of the user so it could be matched with a Facebook one. Garner Bornstein, the co-founder of meditation app maker Breethe, admitted fault when it was discovered that his app was sending email addresses to Facebook. “Clearly, Facebook’s business model is unique and, unfortunately, we were not as diligent in aligning our data management with their privacy policy as we should have been,” he told the Journal.

Regardless of Facebook’s role in any one case involving app events, it does provide the tools to developers, and it clearly doesn’t engage in much oversight regarding how it’s used and what data it may be collecting. That’s a particularly bad sign for Facebook. The company is still facing immense regulatory and legislative scrutiny after a disastrous year of privacy scandals, most prominently the Cambridge Analytica situation and upper management catastrophes related to the company’s handling of election interference and other flagrant misuses of its platform. Those misuses include wielding Facebook’s tools as a weapon to stir racial hatred in countries torn apart by ethnic violence and the creation of an international cottage industry around fake news, propaganda, and conspiracy theory peddling.

Most recently, Facebook was found to have been misusing Apple’s enterprise app program to distribute a reskinned version of its banned Onavo VPN app to teenagers, which was siphoning sensitive data, thanks to root access to those users’ iPhones in exchange for $20 a month in gift cards. Facebook took down the app and closed the program, but not before Apple gave it a slap on the wrist by revoking its enterprise certificates and causing a disruption of the company’s ability to use internal iOS software.

Earlier this month, the UK government issued a lengthy and damning report concluding that Facebook was no longer fit to govern itself and that a regulatory body should step in. The report said Facebook CEO Mark Zuckerberg “continually fails to show the levels of leadership and personal responsibility that should be expected from someone who sits at the top of one of the world’s biggest companies.” Facebook is also in talks with the Federal Trade Commission over a potentially multibillion-dollar fine related to its privacy practices.