WSJ: You Give Apps Sensitive Personal Information. Then They Tell Facebook.

[Deleted member 43084]

https://www.wsj.com/articles/you-gi...formation-then-they-tell-facebook-11550851636

Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users' body weight, blood pressure, menstrual cycles or pregnancy status.

Unbeknown to most people, in many cases that data is being shared with someone else: Facebook Inc.

Click to shrink...

Apple Inc. and Alphabet Inc.'s Google, which operate the two dominant app stores, don't require apps to disclose all the partners with whom data is shared. Users can decide not to grant permission for an app to access certain types of information, such as their contacts or locations. But these permissions generally don't apply to the information users supply directly to apps, which is sometimes the most personal.

In the Journal's testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple's iOS, made by California-based Azumio Inc., sent a user's heart rate to Facebook immediately after it was recorded.

Flo Health Inc.'s Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed.

Click to shrink...

The Journal's testing, however, showed sensitive information was sent with a unique advertising identifier that can be matched to a device or profile. A Flo spokeswoman subsequently said the company will "substantially limit" its use of external analytics systems while it conducts a privacy audit.

Move, the owner of real-estate app Realtor.com—which sent information to Facebook about properties that users liked, according to the Journal's tests—said "we strictly adhere to all local, state and federal requirements," and that its privacy policy "clearly states how user information is collected and shared." The policy says the app collects a variety of information, including content in which users are interested, and may share it with third parties. It doesn't mention Facebook.

Click to shrink...

Journalism via packet inspection ftw.

 

[Memento]

I am shocked

 

[ElectricBlanketFire]

 

[DJ_Lae]

Sounds about right, and I'm sure it's buried in the EULA for each app that no one reads.

I can't read the article but is this specifically for people who use the 'log in with Facebook' option?

 

[Deleted member 4518]

I wouldn't be surprised. So many apps have that option to log into them using Facebook too. I imagine that even if you don't have a Facebook account this information is being shared.

 

[NekoFever]

I don't doubt this kind of thing is happening a lot, and is a big reason for those odd coincidences when you'll see online ads for something you've only discussed online. Maybe you have only discussed with your SO how you're trying to get pregnant, but if you're using Flo Health's app and they tell Facebook, you're going to see ads for baby equipment and fertility treatment.

It's not that these ad companies are secretly listening to your conversations, which is a common theory, because they don't need to.

 

[night814]

Sounds about right, and I'm sure it's buried in the EULA for each app that no one reads.

I can't read the article but is this specifically for people who use the 'log in with Facebook' option?

Click to shrink...

I wouldn't be surprised, I'm sure there is a quid pro qou style agreement where Facebook allows the quick account creation for these apps to increase their user base and Facebook gets full access to every bit of data because of it. Win-win for both of the companies, it's the End User that gets completely screwed. People have been way too Willy nilly about giving up info like their birthdate, full names, and in some of these apps cases possibly their full adresss if there is any kind of shipment involved.

 

[EN1GMA]

I bet someone is looking at you when you use your phone on the toilet.

 

[nsilvias]

Sounds about right, and I'm sure it's buried in the EULA for each app that no one reads.

Click to shrink...

 

[Deleted member 19844]

Is any of this data being sent personally identifiable? In other words, can they take the heartrate data from my app and tie it back to me?

 

[yumms]

Apps use send tracking data to graph.facebook.com, i have Adguard on my Android to block it system wide. You can also block it at router level.

 

[Veliladon]

Apple bought Shazam a little while ago and they just stripped out all the shit that was built into the app top make money.

Specifically, Bolts, InMobi, IAS, Google's AdMob and DoubleClick, Facebook's Ads, Analytics and Login, Oracle's Moat, and Twitter's MoPub are no longer included in the iOS version of Shazam.

Click to shrink...

 

[LosDaddie]

There's a reason why social media apps are free for users.

 

[FreezePeach]

Im pretty sure this is the app dev that dictates what gets sent to facebook. Facebook then records a device ID if the user isnt logged in. I don't think it's Facebook actually running data scraping software through people's data. If the app dev does not want that data to get sent i think they have control over that. Not that the mess is ok but yeah, i think its more complicated than most think.

 

[julia crawford]

Man i still have a very hard time believing this data is as valuable as it seems to these companies. I don't think i've seen a single text about data being a good investment that you can actually turn into profit, either short or long term.

Im pretty sure this is the app dev that dictates what gets sent to facebook. Facebook then records a device ID if the user isnt logged in. I don't think it's Facebook actually running data scraping software through people's data. If the app dev does not want that data to get sent i think they have control over that. Not that the mess is ok but yeah, i think its more complicated than most think.

Click to shrink...

Never worked with Facebook but this "send to Facebook" thing is making me think they may provide some kind of database service that hosts information for these apps, like Google's Firebase.

 

[FreezePeach]

Man i still have a very hard time believing this data is as valuable as it seems to these companies. I don't think i've seen a single text about data being a good investment that you can actually turn into profit, either short or long term.



Never worked with Facebook but this "send to Facebook" thing is making me think they may provide some kind of database service that hosts information for these apps, like Google's Firebase.

Click to shrink...

It's facebook analytics as far as i know. You plug it into your app and then you get access to different statistics about the users that use it.

 

[julia crawford]

It's facebook analytics as far as i know. You plug it into your app and then you get access to different statistics about the users that use it.

Click to shrink...

Oh. Yeah reading through the documentation now and it seems like it's up to the application to decide what data they are sending. Can't read the article so i can't see if they're mentioning something else. But if it's just this... i mean, yeah, it's a service that Facebook is offering but it's not hidden, handled in secrecy, or reserved for special developers.

 

[Deleted member 43084]

Update: New York governor orders probe into Facebook access to data from other apps

NEW YORK (Reuters) - New York Governor Andrew Cuomo on Friday ordered two state agencies to investigate a media report that Facebook Inc may be accessing far more personal information from smartphone users, including health and other sensitive data, than had previously been known.

The directive to New York's Department of State and Department of Financial Services came after The Wall Street Journal said testing showed that Facebook collected personal information from other apps on users' smartphones within seconds of them entering it.

Click to shrink...

That was fast.

 

[FreezePeach]

Oh. Yeah reading through the documentation now and it seems like it's up to the application to decide what data they are sending. Can't read the article so i can't see if they're mentioning something else. But if it's just this... i mean, yeah, it's a service that Facebook is offering but it's not hidden, handled in secrecy, or reserved for special developers.

Click to shrink...

I worked on the database end of it couple of years back for mobile apps, so im surprised this is coming out as a scandal now because devs have known about it for quite a long time.

 

[julia crawford]

I worked on the database end of it couple of years back for mobile apps, so im surprised this is coming out as a scandal now because devs have known about it for quite a long time.

Click to shrink...

Yeah it does feel awkward, and though i understand the attachment of Facebook as a signal of special concerns, and deservedly so, this kind of service is definitely not rare, especially with business intelligence feeling like a big thing nowadays. Without any more specifics about the technology that might reveal some other, more nefarious kind of data collection, it's hard to think of this as something out of the ordinary.

 

[Vuze]

Wonder why Apple hasn't taken steps yet. Could be a good extra selling point. Something like Little Snitch built in that shows you on a neat map where and whom the apps report back to and lets you block stuff easily.
I watch the traffic for some apps from time to time and it's shocking how much shit they send. Facebook, usage tracking, crash reports... all without any consent whatsoever.

 

[meowdi gras]

I only have five apps on my iPhone that didn't come with them already installed: Discord, Adobe Acrobat, Gorillacam, QR Code, and Dragon. Call me a Luddite, if you like.

 

[nature boy]

I worked on the database end of it couple of years back for mobile apps, so im surprised this is coming out as a scandal now because devs have known about it for quite a long time.

Click to shrink...

Facebook said some of the data sharing uncovered by the Journal's testing appeared to violate its business terms, which instruct app developers not to send it "health, financial information or other categories of sensitive information." Facebook said it is telling apps flagged by the Journal to stop sending information its users might regard as sensitive. The company said it may take additional action if the apps don't comply.
...

Flo Health's privacy policy says it won't send "information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share" to third-party vendors.

Flo initially said in a written statement that it doesn't send "critical user data" and that the data it does send Facebook is "depersonalized" to keep it private and secure.

Click to shrink...

I.e., they're deceiving consumers.
Yes this mass collection of data is nothing new, but authorities are always slow to the party.

 

[Richiek]

Looks like the FBI isn't alone on this idea:

 

[devSin]

Facebook needs to be shut down.

 

[Dingens]

This stuff will just keep happening because people are already completely oblivious to this stuff. This thread has been up for hours and we haven't even made it past page 1 yet...
It's kinda frustrating when compared to various "russian meddling" threads... because THIS shit right here is what allows them to "meddle" in the first place. But I guess a good-guy american company isn't as easy to antagonize as the eternal enemy from Siberia.

 

[Book One]

Apple bought Shazam a little while ago and they just stripped out all the shit that was built into the app top make money.

Click to shrink...

lol, wow.

Apple Inc. and Alphabet Inc.'s Google, which operate the two dominant app stores, don't require apps to disclose all the partners with whom data is shared. Users can decide not to grant permission for an app to access certain types of information, such as their contacts or locations. But these permissions generally don't apply to the information users supply directly to apps, which is sometimes the most personal.

Click to shrink...

I wonder if Apple and Google should go a little further and require all apps to disclose who they share info with to the user, otherwise they get booted from the store.

 

[lunarworks]

I worked on the database end of it couple of years back for mobile apps, so im surprised this is coming out as a scandal now because devs have known about it for quite a long time.

Click to shrink...

No one was paying attention. Now that Facebook is under progressively more and more scrutiny, people are digging for stuff to report on.

 

[Min]

I worked on the database end of it couple of years back for mobile apps, so im surprised this is coming out as a scandal now because devs have known about it for quite a long time.

Click to shrink...

Would there be whistleblowers if all the employees thought it was morally acceptable? A very broad generalization, but it seems like silicon valley types don't find secretly collecting/sharing data or running covert sociology experiments to cross any ethical line.

 

[FreezePeach]

Would there be whistleblowers if all the employees thought it was morally acceptable? A very broad generalization, but it seems like silicon valley types don't find secretly collecting/sharing data or running covert sociology experiments to cross any ethical line.

Click to shrink...

Each scenario can be different depending on how much and how specific info is being logged. The way we did it, it was for cumulative scoring because it was a game app. There is very little data collected that can be tied to an individual person. You would probably have to do some hacking to actually get a specific target because advert IDs arent the most useful of things. That is, if these other apps are actually logging people's names and such in a way where it's trivual to actually target someone, which could be possible. Most of the agreements to allowing the data be sent ends up in app EULAs nobody reads.