Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status.
Unbeknown to most people, in many cases that data is being shared with someone else: Facebook.
The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal. The apps often send the data without any prominent or specific disclosure, the testing showed.
It is already known that many smartphone apps send information to Facebook about when users open them, and sometimes what they do inside. Previously unreported is how at least 11 popular apps, totaling tens of millions of downloads, have also been sharing sensitive data entered by users. The findings alarmed some privacy experts who reviewed the Journal’s testing.
Facebook is under scrutiny from Washington and European regulators for how it treats information of users and nonusers alike. It has been fined for allowing now defunct political-data firm Cambridge Analytica illicit access to users’ data and has drawn criticism for giving companies special access to user records well after it said it had walled off that information.
In the case of apps, the Journal’s testing showed that Facebook software collects data from many apps even if no Facebook account is used to log in and if the end user isn’t a Facebook member. Apple and Alphabet’s Google, which operate the two dominant app stores, don’t require apps to disclose all the partners with whom data is shared. Users can decide not to grant permission for an app to access certain types of information, such as their contacts or locations. But these permissions generally don’t apply to the information users supply directly to apps, which is sometimes the most personal.
In the Journal’s testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple’s iOS, made by California-based Azumio Inc., sent a user’s heart rate to Facebook immediately after it was recorded.
Flo Health’s Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant.
Real-estate app Realtor.com, owned by Move, a subsidiary of Wall Street Journal parent News Corp, sent the social network the location and price of listings that a user viewed, noting which were marked as favorites.
None of those apps provided users any apparent way to stop that information from being sent to Facebook.
Facebook said some of the data sharing uncovered by the Journal’s testing appeared to violate its business terms, which instruct app developers not to send it “health, financial information or other categories of sensitive information.” Facebook said it is telling apps flagged by the Journal to stop sending information its users might regard as sensitive. The company said it may take additional action if the apps don’t comply.
“We require app developers to be clear with their users about the information they are sharing with us,” a Facebook spokeswoman said.
At the heart of the issue is an analytics tool Facebook offers developers, which allows them to see statistics about their users’ activities — and to target those users with Facebook ads. Although Facebook’s terms give it latitude to use the data uncovered by the Journal for other purposes, the spokeswoman said it doesn’t do so.
Facebook tells its business partners it uses customer data collected from apps to personalize ads and content on Facebook and to conduct market research, among other things. A patent the company applied for in 2015, which was approved last year, describes how data from apps would be stored on Facebook servers where it could be used to help the company’s algorithms target ads and select content to show users.
Apple said its guidelines require apps to seek “prior user consent” for collecting user data and take steps to prevent unauthorized access by third parties.
A Google spokesman declined to comment beyond pointing to the company’s policy requiring apps that handle sensitive data to “disclose the type of parties to which any personal or sensitive user data is shared,” and in some cases to do so prominently.
Before Alice Berg began using Flo to track her periods last June, she checked the app’s terms of service. The 25-year-old student in Oslo says she had grown more cautious about sharing data with apps and wanted to ensure that only a limited amount of her data would be shared with third-parties like Facebook.
Now Berg said she may delete the app. “I think it’s incredibly dishonest of them that they’re just lying to their users especially when it comes to something so sensitive.”
Flo initially said in a written statement that it doesn’t send “critical user data” and that the data it does send Facebook is “depersonalized” to keep it private and secure.
The Journal’s testing, however, showed sensitive information was sent with a unique advertising identifier that can be matched to a device or profile. A Flo spokeswoman subsequently said the company will “substantially limit” its use of external analytics systems while it conducts a privacy audit.
The Journal tested more than 70 apps that are among the most popular in Apple’s iOS store in categories that handle sensitive user information. The Journal used software to monitor the internet communications triggered by using an app, including the information being sent to Facebook and other third parties. The tests found at least 11 apps sent Facebook potentially sensitive information about how users behaved or actual data they entered. Among the top 10 finance apps in Apple’s U.S. app store as of Thursday, none appeared to send sensitive information to Facebook, and only two sent any information at all. But at least six of the top 15 health and fitness apps sent potentially sensitive information immediately after it was collected.
Disconnect, a software company that makes tools for people to manage their online privacy, was commissioned by the Journal to retest some of the apps. The company confirmed the Journal’s findings, and said Facebook’s terms allowing it to use the data it collected were unusual.
“This is a big mess,” said Patrick Jackson, Disconnect’s chief technology officer. “This is completely independent of the functionality of the app.”
The software the Journal used in its tests wasn’t able to decipher contents of traffic from Android apps. Esther Onfroy, co-founder of cybersecurity firm Defensive Lab Agency, conducted a separate test showing at least one app flagged by Journal testing, BetterMe: Weight Loss Workouts, in its Android version was sharing users’ weights and heights with Facebook as soon as they were entered.
Apps often integrate code known as software-development kits, or SDKs, that help developers integrate certain features or functions. Any information shared with an app may also be shared with the maker of the embedded SDK. There are an array of SDKs, including Facebook’s, that allow apps to better understand their users’ behavior or to collect data to sell targeted advertising.
Facebook’s SDK, which is contained in thousands of apps, includes an analytics service called “App Events” that allows developers to look at trends among their users. Apps can tell the SDK to record a set of standardized actions taken by users, such as when a user completes a purchase. App developers also can define “custom app events” for Facebook to capture — and that is how the sensitive information the Journal detected was sent.
Facebook says on its website it uses customer data from its SDK, combined with other data it collects, to personalize ads and content, as well as to “improve other experiences on Facebook, including News Feed and Search content ranking capabilities.”
Privacy lawyers say the collection of health data by non-health entities is legal in most U.S. states, provided there is sufficient disclosure in an app’s and Facebook’s terms of service. The Federal Trade Commission has taken an interest in cases in which data sharing deviates widely from what users might expect, said Woodrow Hartzog, a law and computer science professor at Northeastern University.
After being contacted by the Journal, Breethe, maker of a meditation app of the same name, stopped sending Facebook the email address each user used to log in to the app, as well as the full name of each meditation completed.
Facebook allows users to turn off the company’s ability to use the data it collects from third-party apps and websites for targeted ads. There is currently no way to stop the company from collecting the information in the first place, or using it for other purposes, such as detecting fake accounts. Germany’s top antitrust enforcer earlier this month ordered Facebook to stop using that data at all without permission, a ruling Facebook is appealing.
Under pressure over its data collection, Facebook Chief Executive Mark Zuckerberg said last year that the company would create a feature called “Clear History” to allow users to see what data Facebook had collected about them from applications and websites, and to delete it from Facebook.
The company says it is still building the technology needed to make the feature possible.
Data drawn from mobile apps can be valuable. Advertising buyers say that because of Facebook’s insights into users’ behavior, it can offer marketers better return on their investment than most other companies when they seek users who are, say, exercise nuts, or in the market for a new sports car. Such ads fetch a higher cost per click.
That is partly why Facebook’s revenue is soaring.
“This is a big mess. This is completely independent of the functionality of the app.” Patrick Jackson, chief technology officer for Disconnect