LEIPZIG, GERMANY – If you quit Facebook or never joined because of its data-collection practices, the odds are good the social network is still tracking you – despite your protest.

Facebook collects data on non-users of its social network via dozens of mainstream Android apps that send tracking and personal information back to the social network. The apps sharing data with Facebook include Kayak, Yelp and Shazam, according to a report presented by Privacy International on Saturday here at 35C3.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” according to the report. “App developers share data with Facebook through the Facebook Software Development Kit (SDK).”

Privacy International examined 34 Android apps, each with an install base from 10 to 500 million, and found they transmitted data through the SDK to Facebook. Data shared with Facebook varies by app. Kayak, for example, sends Facebook all search data conducted through its app, according to researchers. A King James Bible app shared the passage and verse viewed by the app user.

Researchers said the majority of apps share data such as the fact that the app is used, when the app is opened and closed, the Android device being used and the user’s inferred location based on language and time zone settings.

Part of the sensitive data shared with Facebook is the use of the app itself. For example, apps sharing data include a women’s period tracker, prayer apps, job search apps and apps appropriate for young children. Other data shared by apps via the Facebook SDK includes something called “user ratings,” session IDs and additional data variables.

Facebook, Privacy International points out, is just one of hundreds of so-called tracking companies that collect data that is used by online marketing firms that cull user information together to create massive digital dossiers on users. Facebook is the second largest of such tracking companies on the internet after Google.

“The reason we focused on Facebook, and not Google or any of the other tracking companies, is because the very fact that apps – like a period tracker or an LED flashlight [app] – share data with Facebook will come as a surprise to many people. And, especially for those who have made a conscious decision not to be on Facebook,” said Frederike Kaltheuner, researcher with Privacy International, during her talk on Saturday.

Key findings in Privacy International’s examination of the 34 apps include that 61 percent of apps tested automatically transfer data to Facebook the moment a user opens the app. Some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive, about people who are either logged out of Facebook or who do not have a Facebook account.

Analysis of individual apps can be found on the Privacy International website.

“Obviously we only focused on the data that apps transmit. However, what we can’t say is definitively how the data is being used,” Kaltheuner said.

Christopher Weatherhead, a Privacy International researcher, said the focus of its research wasn’t to blame app developers. “We’re not here to criticize developers for the way they make their apps. This is all about SDK and the way it transmits data with or without user consent,” he said.

The Facebook SDK for Android serves many purposes. It allows app developers to integrate their apps with Facebook’s platform. It also contains a number of helpful components for app developers, such as user analytics, the ability to display ads and the ability for a user to log in to a service with their Facebook ID.

When Privacy International asked Facebook about the use of its SDK, the social network pointed out that developers were responsible for configuring the apps to share or not share data.

“Facebook places a legal and contractual obligation on the developer who they see as the data controller to get the consent that is required from users before sharing data with Facebook by the SDK,” Kaltheuner said.

When Threatpost asked for comment on this report, a spokesperson responded with a statement:

“Facebook’s SDK tool means that developers can choose to collect app events automatically, to not collect them at all, or to delay collecting them until consent is obtained, depending on their particular circumstances. We also require developers to ensure they have an appropriate legal basis to collect and process users’ information. Finally, we provide guidance to developers on how to comply with our requirements in this regard.”



But Facebook acknowledged to Privacy International that most developers used the SDK’s default settings, which share data the second an app is launched. That behavior has raised hackles among developers starting in May, when they were forced to comply with the new General Data Protection Regulation law that requires explicit and unambiguous permission before collecting user data.

In response, Facebook released a new feature in its SDK in June that delays what it calls “automatic event logging,” which gives developers more flexibility to turn off the feature or request user permission to collect data. However, even with the changes Facebook made, the SDK continues to send a signal that the SDK has been initialized when individual apps are opened – even if the SDK data sharing is turned off.

“The signal that the SDK has been initialized, that’s data that gives [Facebook] a strong indication what kind of apps somebody uses and when they’re using it – all combined with a user ID,” Kaltheuner said. Whether this data collection is compliant with GDPR and other privacy laws is an open question, according to Privacy International.
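A developer or auditor can check which launch behavior an app ships with by reading its decoded manifest. The sketch below is an added example, not code from Privacy International's report or from Facebook; it assumes a decoded `AndroidManifest.xml` and the SDK's documented `com.facebook.sdk.AutoLogAppEventsEnabled` and `com.facebook.sdk.ApplicationId` meta-data keys (not named in the article), and the sample manifests and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Manifest keys from Facebook's SDK documentation (not named in the article).
APP_ID_KEY = "com.facebook.sdk.ApplicationId"
AUTOLOG_KEY = "com.facebook.sdk.AutoLogAppEventsEnabled"

def audit_manifest(manifest_xml):
    """Classify how an app's manifest configures automatic event logging."""
    root = ET.fromstring(manifest_xml)
    meta = {}
    for node in root.iterfind("./application/meta-data"):
        name = node.get(ANDROID + "name")
        if name:
            meta[name] = (node.get(ANDROID + "value") or "").strip()
    if APP_ID_KEY not in meta:
        # Heuristic: the app ID can also be set in code, so this is not proof of absence.
        return "no-sdk-config-in-manifest"
    value = meta.get(AUTOLOG_KEY)
    if value is None:
        return "auto-log-on-by-default"   # SDK default: events sent at launch
    if value.startswith("@"):
        return "unresolved-resource"      # e.g. @bool/...; check res/values
    return "auto-log-delayed" if value.lower() == "false" else "auto-log-on-explicit"

# Constructed sample manifests (hypothetical package name).
DEFAULT_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <meta-data android:name="com.facebook.sdk.ApplicationId"
               android:value="@string/facebook_app_id"/>
  </application>
</manifest>"""

CONSENT_GATED_APP = DEFAULT_APP.replace(
    "</application>",
    '<meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled"'
    ' android:value="false"/></application>')

if __name__ == "__main__":
    for label, xml in (("default", DEFAULT_APP), ("gated", CONSENT_GATED_APP)):
        print(label, "->", audit_manifest(xml))
```

A result of `auto-log-delayed` covers automatic event logging only; as the report notes, the signal that the SDK has been initialized is still sent when the app opens.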

Privacy International is advocating for further changes by Facebook and a heightened awareness among developers to transmit the least amount of data needed and give people more choices in what data is collected from them.

“The question [for developers] is, do you really need to integrate the SDK, and if you integrate, can you do it selectively,” Kaltheuner said. “You shouldn’t assume that the default implementation is compliance. And, whenever you do implement it, be very fair and transparent to users about how exactly you’re collecting data.”

Responses from app developers reacting to Privacy International’s study varied.

“Some, we had the impression, didn’t fully understand the SDK and what the SDK does. Others had a very different interpretation of what they should do legally. Others didn’t really realize that this is happening and promised to update their app,” Kaltheuner said.

Two apps when notified – Skyscanner and IBM’s The Weather Channel – agreed to make immediate changes to their use of the Facebook SDK.