Some health apps send data to Facebook without asking users, report says

Jessica Kim Cohen

Many popular Android apps automatically share data with Facebook, regardless of whether a user is logged into Facebook on their smartphone — or whether the user has a Facebook account, according to a recent report.

Privacy International, a London-based charity that tackles user privacy issues, tested 34 popular Android apps between August and December 2018 for its report. The charity found at least 61 percent of the services transfer data to Facebook the moment a user opens their app. This transfer takes place through the Facebook Software Development Kit, a business tool that helps developers build apps.

"Facebook places the sole responsibility on app developers to ensure that they have the lawful right to collect, use and share people's data before providing Facebook with any data," the report reads. "However, the default implementation of the Facebook SDK is designed to automatically transmit event data to Facebook."

Many of these apps don't share personal data that users have submitted to the app — but they do share data that tells Facebook that a user has installed, opened or closed a specific service.

Privacy International acknowledged it's unclear how Facebook is using the data it gleans from these transfers, but argued that data from different apps can be combined to create a window into a user's "interests, behaviors and routines." For example, by combining data from Muslim prayer app Qibla Connect and period tracker app Clue, Facebook could profile a user as likely Muslim and female.

In one particularly extensive case, Privacy International noted travel search engine app Kayak sends Facebook information on users' flight search history, such as departure and arrival cities and dates, along with the number of tickets — including number of children — and class of tickets, such as economy, business or first class.

Of the five health and fitness apps Privacy International tested in its analysis, only two — diet and exercise tracker MyFitnessPal and period tracker Clue — shared data with Facebook.

In response to the report, Facebook and various apps included in the study provided statements to Privacy International via email. Here are a few:

Facebook: "Facebook offers analytics and advertising services to app developers, which help them receive aggregated information about how people engage with their apps — this is a common practice for many companies. This information is important for helping developers understand how to improve their apps and for helping people receive relevant advertising in a privacy-protective way. We do this in a transparent manner by explaining the practice through our Data Policy and Cookies Policy, and by using Google's advertising identifier, which can be controlled centrally by people using their device settings."

MyFitnessPal: "The SDK identified is a common analytics tool. It provides information that allows apps, like MyFitnessPal, to improve the services provided to their user communities (i.e., it serves to provide an aggregative view of app installs, app open and in app purchase activity — information that is then used to enhance the app experience). MyFitnessPal specifically outlines this to users in its Privacy Policy as analytics processed for a legitimate interest as permitted under Art. 6 (1) (f) of the General Data Protection Regulation (GDPR), namely '… to enhance … [user] experience and to develop and improve our services.'"

Clue: "Clue uses the SDK to provide certain service features such as a login to the Clue app with Facebook credentials which means we do share usage information containing the meta-data of the app-usage with Facebook. We don't share any personal data of our users with Facebook. We believe that this is something we should make clearer to our users and have already begun procedures to update our privacy policy in this regard."

© Copyright ASC COMMUNICATIONS 2019.