Facebook routinely tracks users regardless of whether they are logged-in, logged-out, of don’t even have a Facebook account using its Facebook Business Tools. App developers using Facebook Software Development Kit (SDK), share user data with Facebook to aid this.
The full list is available here, however, some of the popular apps that were found to be sending data without their user’s permission are
- My Talking Tom / My Talking Hank, etc. (over 1 billion downloads)
- Duolingo (over 100 million downloads)
- Shazam by Apple (over 100 million downloads)
- Spotify (over 100 million downloads)
- TripAdvisor (over 100 million downloads)
- VK (
vkontakte) (over 100 million downloads)
- Calorie Counter by MyFitnessPal (over 50 million downloads)
- Indeed Job Search (over 50 million downloads)
- Muslim Pro (over 10 million downloads)
- Qibla Connect® Find Direction- Prayer, Azan, Quran (over 10 million downloads)
What is being transmitted to Facebook?
The analysis by Privacy Internation suggests that these apps transmit the status of the app first by sending “App Installed” or “SDK Initialized”, revealing the fact if a particular user is using a particular app.
E.g. if a person has “Indeed Job Search” installed, and also has “Muslim Pro” installed, it can be inferred that the person is a Muslim and is looking for a job, even though the person might not consent to
The apps automatically share this data along with the Google advertising ID (AAID) which lets Facebook build a profile for a users.
Similarly, if a person has “Period Tracker Clue” installed and has “Talking Tom” installed it can be inferred that the person is either an adolescent girl or a woman with a kid. Both potentially violating right to privacy.
What makes it worse is that these details are sent to Facebook at the launch of an app, i.e. even before the user can provide or revoke consent.
All of these findings indicate that Facebook could have violated GDPR and other Privacy laws in Europe and other places.
Source: Privacy International