Facebook has been collecting "intensely personal information" from millions of people - whether they have Facebook accounts or not, according to testing performed by the Wall Street Journal.

According to tests of more than 70 apps using software to monitor internet communications, the Journal found that "the apps often send the data without any prominent or specific disclosure," and that "Facebook software collects data from many apps even if no Facebook account is used to log in and if the end user isn’t a Facebook member."

Eleven of the apps tested sent Facebook "potentially sensitive information about how users behaved or actual data they entered."

For example, Flo Health Inc.'s "Period & Ovulation Tracker" - which boasts 25 million active users, was sending Facebook information on when women were having their periods - or indicated their desire to get pregnant, according to the tests.

Note: After being contacted by the Journal, Flo said it has ‘substantially limited’ data sharing with third-party analytics services.



Source: Wall Street Journal testing of the app

Other apps found sending Facebook information include; Instant Heart Rate: HR MOnitor, Realtor.com's app, "at least six of the top 15 health and fitness apps" and BetterMe: Weight Loss Workouts"

Apple Inc. and Alphabet Inc.’s Google, which operate the two dominant app stores, don’t require apps to disclose all the partners with whom data is shared. Users can decide not to grant permission for an app to access certain types of information, such as their contacts or locations. But these permissions generally don’t apply to the information users supply directly to apps, which is sometimes the most personal. In the Journal’s testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple’s iOS, made by California-based Azumio Inc., sent a user’s heart rate to Facebook immediately after it was recorded. -Wall Street Journal

Facebook told The Journal that some of the data sharing uncovered by the tests violate its business terms, by which app developers are instructed not to send "health, financial information or other categories of sensitive information." The company has notified app developers identified in the tests to stop sending sensitive information to them, and it may take additional steps if the apps don't adhere to their requests.

"“We require app developers to be clear with their users about the information they are sharing with us," said a Facebook spokeswoman. In other words, they're sorry they got caught and are now on a finger-wagging campaign.

Apple and Google had relatively lawyerly responses to the investigation; Apple said its guidelines require apps to seek "prior user consent" before collecting user data, adding "When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action." Google declined to comment - pointing to the company's policy requiring that apps which handle sensitive data prominently "disclose the type of parties to which any personal or sensitive user data is shared."

Flo initially said in a written statement that it doesn’t send “critical user data” and that the data it does send Facebook is “depersonalized” to keep it private and secure. The Journal’s testing, however, showed sensitive information was sent with a unique advertising identifier that can be matched to a device or profile. A Flo spokeswoman subsequently said the company will “substantially limit” its use of external analytics systems while it conducts a privacy audit. Move, the owner of real-estate app Realtor.com—which sent information to Facebook about properties that users liked, according to the Journal’s tests—said “we strictly adhere to all local, state and federal requirements,” and that its privacy policy “clearly states how user information is collected and shared.” The policy says the app collects a variety of information, including content in which users are interested, and may share it with third parties. It doesn’t mention Facebook. -Wall Street Journal

"This is a big mess," said Disconnect's chief technology officer Patrick Johnson, who analyzed apps for the Journal analysis. "This is completely independent of the functionality of the app."

While the software used by the Journal wasn't able to decipher specific content sent by Android apps, Defensive Lab Agency's Esther Onfroy found in a separate test that at least one Android app flagged by the Journal - BetterMe: Weight Loss Workouts, shared users' weights and heights with Facebook almost immediately after they were entered.

How is this possible?

Apps often incorporate code known as software-development kits (SDKs) which allow developers to integrate various features or functions across platforms. One of these is Facebook's SDK - which allow apps to collect data for targeted advertising or to allow apps to beter understand user behavior.

Facebook’s SDK, which is contained in thousands of apps, includes an analytics service called “App Events” that allows developers to look at trends among their users. Apps can tell the SDK to record a set of standardized actions taken by users, such as when a user completes a purchase. App developers also can define “custom app events” for Facebook to capture—and that is how the sensitive information the Journal detected was sent. Facebook says on its website it uses customer data from its SDK, combined with other data it collects, to personalize ads and content, as well as to “improve other experiences on Facebook, including News Feed and Search content ranking capabilities.” -Wall Street Journal

A Facebook spokeswoman said that Facebook is now looking into how to search for apps violating its data sharing terms, and will build safeguards to prevent the company from storing any sensitive data which may be provided by apps.

Last year Facebook CEO Mark Zuckerberg claimed that the company would create a "Clear History" feature to allow users to analyze data which had been collected about them from various apps and websites - and then delete it from Facebook.

We're still waiting on that...