Facebook will be in the hot seat of controversy once more this New Year, as Privacy International’s keynote presentation in the 35th Chaos Communication Congress has publicly revealed that the social media giant gets hold of user data from 3rd party Android apps. This revelation involves users with specific user installed apps that have nothing to do with Facebook, but shares users info to Facebook servers even if they have no Facebook account and no Facebook app is installed in their devices.
Based-on the study conducted by Privacy International, around 34 popular apps on Android like Kayak, Duolingo, etc. sends data to Facebook. Cross sending Google data is also seen in these apps, as the user’s Google advertising ID also arrives in the Facebook’s servers without any consent.
“Facebook offers analytics and advertising services to app developers, which help them receive aggregated information about how people engage with their apps — this is a common practice for many companies. We also wanted to note that many companies offer the types of services you cover in the report and, like Facebook, they also get information from the apps and sites that use them in a similar manner. Amazon, Google and Twitter all offer login features. Likewise, many of these companies, as well as others like Adobe, Flurry, and Mixpanel, provide analytics services for app developers. More generally, most websites and apps send the same information to multiple companies each time you visit them,” explained Privacy International.
Many apps in Android uses Facebook connector as an alternative to Google Play account to preserve high scores and to serve as a game save system. It is not clear yet if this latest disclosure will make Facebook under the liable under European Commission’s GDPR (General Data Protection Regulation). It is also not yet known if the Terms of Service of Facebook will be able to shield them legally speaking, as the data of a Non-Facebook user are saved in Facebook servers without any permission.
“The fact that the SDK’s default implementation automatically transmits data when an app is opened, and that a voluntary feature to delay this transmission was only provided in July 2018, raises questions about Facebook’s responsibility towards developers, as well as its own compliance with key data protection principles such as data protection by design and by default,” added Privacy International.
The authors of the apps need to fully explain to their users the utility of sending their personal data to Facebook servers. Since Android Marshmallow (Android 6.0), users are given the option to accept or deny permission on a more granular basis, and app developers need to come clean and give the user the option to proceed with accepting the permission request or not. Not accepting the requested permission should maintain a graceful downgrade of experience, like the app will work as normal but just inability to save progress using Facebook servers. Google has provided Google Play Games as a platform for global high scores and save systems for Android. All Android users who bought a new device are expected to accept the Android user agreement, creating a legal bind between the users and Google-based services.