



[ad_1]

Some of the most popular applications for Android smartphones, such as Skyscanner, TripAdvisor and MyFitnessPal, are transmitting data to Facebook without the consent of users in a possible breach of EU regulations.

In a study of 34 popular Android applications, the Privacy International campaign group found that at least 20 of them send certain data to Facebook in the second that they open in a phone, before they can be asked for permission to the users.

The information sent instantly included the name of the application, the unique identification of the user with Google and the number of times the application was opened and closed since it was downloaded. Some, such as Kayak, the travel site, then sent detailed information about people's flight searches to Facebook, including travel dates, if the user had children and what flights and destinations they had searched for.

The European law on data exchange changed in May with the introduction of the General Data Protection Regulation and requires that mobile applications have the explicit consent of users before collecting their personal information. The fines for violating the GDPR can be up to 4% of revenues or 20 million euros, whichever is greater.

Researchers analyzed applications with embedded Facebook crawlers and intercepted data as they were sent. Many of the applications are free, suggesting that they earn money with data sharing and advertising.

Frederike Kaltheuner, who conducted the research, added that while Facebook assigns responsibility for complying with regulations to application developers, the developer kit of the US company did not give the option of waiting for permission from a developer. user before transmitting some types of data.

"At least four weeks after GDPR, it was not even possible to ask for consent, due to the default configuration of the Facebook SDK [software development kit]which means that the data is automatically shared at the moment the application is opened" , He said.

Several application developers have complained about the problem to Facebook since May, reporting bug reports on Facebook's developer platform that they said they could not comply with the law.

For example, on May 29, four days after GDPR came into force in the EU, a developer posted: "Hello everyone. We analyzed [sic] the network activity of the Facebook SDK for Unity and found that when starting the application it sends some requests to graph.facebook.com. It seems to be a violation of GDPR: we can not send anything about a user until he allows us to do so. Could you fix that or strongly confirm that these requests do not violate GDPR? "

Some weeks, and several complaints later, Facebook responded that it had created a solution but that developers would need to download the update to use it, but developers have continued to report errors and it is not clear if the solution works .

"Six months after the launch of the show, we are still seeing very little evidence that the developers are implementing it. Of all the applications we have tested, 67.7 percent automatically transmit data to Facebook at the time the application is launched, "says the Privacy International report.

A Facebook spokesperson said that application developers could disable automatic data collection, and this year had introduced a new option that allows developers to delay the collection of application analysis information.

The researchers also found that many applications were running older versions of the SDK in this month. , which would not allow them to use the voluntary function as it was designed.

Another of the main concerns raised by the activists is the "desanonization" of the data: the practice of linking personal data with a user, which is prohibited by GDPR.

Facebook can link an Android ID with the information social network of a user network profile, identifying them instantly and adding any additional information to their personal profile.

"For example, a person who has installed the following applications that we have tried, Qibla Connect (a Muslim prayer application), Period Tracker Clue (a period tracker), Indeed (a job search application), My Talking Tom (an application for children), could be outlined as probable woman, probably Muslim, probable job applicant, probable father, "said the report.

Recommended

Facebook can also use data to address multiple people, for example, if a married couple uses applications on the same WiFi, or at the same location, their Android IDs can be merged to target similar advertising for both.

Previous research from the University of Oxford has shown that 43% of free applications in the Google Play store could share data with Facebook, which makes the social network the second most frequent third-party tracker after the alphabet of the parent company of Google.

A Facebook spokesperson wrote to Privacy International investigators in response to their study, saying: "We agree … it is important that people have access when we receive information about them when they are not using our services and we control if we associate this information with them.

"Recognizing the value of improvements in this area, & # 39; We are currently working on a set of changes, including the development of a new tool called Clear History, which we hope will respond to your comments. "

A Skyscanner spokesperson said:" We did not know the data was being sent to Facebook. in this way without the prior consent of our users, which goes against our own internal rules on the integration of third-party technologies. We are still investigating how this happened. "

" We are currently reviewing our approach, both in this area and in the use of similar technologies in general, to make sure that we are doing everything we should. "

TripAdvisor and Kayak did not respond to requests for comments and MyFitnessPal declined to comment.