BuzzFeed News

Major Android apps like Tinder, Grindr, and Pregnancy+ are quietly transmitting sensitive user data to Facebook, according to a new report by the German mobile security initiative Mobilsicher. This information can include things like religious affiliation, dating profiles, and health care data. It's being purposefully collected by Facebook through the Software Development Kit (SDK) that it provides to third-party app developers. And while Facebook doesn't hide this, you probably don't know about it.

Certainly not all developers did. “Most developers we asked about this issue assumed that the information Facebook receives is anonymized,” Mobilsicher explains in its report, which explores the types of information shared behind the scenes between the platform and developers.

Through its SDK, Facebook provides app developers with data about their users, including where you click, how long you use the app, and your location when you use it. In exchange, Facebook can access the data those apps collect, which it then uses to target advertising relevant to a user’s interests. That data doesn’t have your name attached, but as Mobilsicher shows, it’s far from anonymized, and it's transmitted to Facebook regardless of whether users are logged into the platform.

Among the information transmitted to Facebook are the IP address of the device that used the app, the type of device, time of use, and a user-specific Advertising ID, which allows Facebook to identify and link third-party app information to the people using those apps. Apps that Mobilsicher tested include Bible+, Curvy, ForDiabetes, Grindr, Kwitt, Migraine Buddy, Moodpath, Muslim Pro, OkCupid, Pregnancy+, and more.

Image credit: Mobilsicher. A screenshot of the official app of the Conservative Party in Germany, CDU, which shows a user’s unique advertising ID. This information is transmitted to Facebook.

As long as you’ve logged into Facebook on your mobile device at some point (through your phone’s browser or the Facebook app itself), the company cross-references the Advertising ID and can link the third-party app information to your profile. And even if you don’t have a Facebook profile, the data can still be transmitted and collected with other third-party app data that corresponds to your unique Advertising ID.

For developers and Facebook, this transmission appears relatively common. The privacy researcher collective App Census estimates that “approximately 30 percent of all apps in Google’s Play store contact Facebook at startup” through the company’s SDK. The research firm Statista estimates that the Google Play store has over 2.6 million apps as of December 2018. As the Mobilsicher report details, many of these apps contain sensitive information.

And while Facebook users can opt out and disable targeted advertisements (the same kind of ads that are informed by third-party app data), it is unclear whether turning off targeting stops Facebook from collecting this app information. In a statement to Mobilsicher, Facebook specified only that “if a person utilizes one of these controls, then Facebook will not use data gathered on these third-party apps (e.g. through Facebook Audience Network), for ad targeting.” A Facebook representative clarified to BuzzFeed News that while it enables users to opt out of targeted ads from third parties, the controls apply to the usage of the data and not its collection. The company also said it does not use the third-party data it collects through the SDK to create profiles of non-Facebook users.

Tinder, Grindr, and Google did not respond to requests for comment. Apple, which uses a similar ad identifier, was not able to comment at the time of publication.

The publication of Mobilsicher’s report comes at the end of a year rife with Facebook privacy scandals. In the past few months alone, the company has grappled with a few massive ones. In late September, Facebook disclosed a vulnerability that had exposed the personal information of 30 million users. A month later, it revealed that same vulnerability had exposed profile information including gender, location, birth dates, and recent search history. Earlier this month, the company reported another security flaw that potentially exposed the public and private photos of as many as 6.8 million Facebook users to developers that should not have had access to them. And on Tuesday, the New York Times reported that Facebook gave more than 150 companies, including Netflix, Amazon, Microsoft, Spotify, and Yahoo, unprecedented and undisclosed access to users’ personal data, in some cases granting access to read users' private messages.

The vulnerabilities, coupled with fallout from the Cambridge Analytica data mining scandal, have set off a Facebook privacy reckoning that’s inspired grassroots campaigns to #DeleteFacebook, leading to some high-profile deletions. They’ve also sparked a technical debate about whether Facebook “sells data” to advertisers. (Facebook and its defenders argue that no data changes hands as a result of its targeted advertising, while critics say that's a semantic dodge and that the company sells ads against your information, which is effectively similar.)

Lost in that debate is the greater issue of transparency. Platforms like Facebook do disclose their data policies in daunting mountain ranges of text with impressively off-putting complexity. Rare is the normal human who reads them. Rarer still is the non-developer human who reads the company's even more off-putting data policies for developers. For these reasons, the mechanics of the Facebook platform — particularly the nuances of its software development kit — are largely unknown to the typical Facebook user.

Though CEO Mark Zuckerberg told lawmakers this year that Facebook users have "complete control" of their data, Tuesday's New York Times investigation as well as Mobilsicher's report reveal that user information appears to move between different companies and platforms and is collected, sometimes without notifying the users. In the case of Facebook’s SDK, for example, Mobilsicher notes that the transmission of user information from third-party apps to Facebook occurs entirely behind the scenes. None of the apps Mobilsicher found to be transmitting data to Facebook “actively notified users” that they were doing so. According to the report, “Not even half of [the apps Mobilsicher tested] mention Facebook Analytics in their privacy policy. Strictly speaking, none of them is GDPR-compliant, since the transmission starts before any user interaction could indicate informed consent.”

Similarly, Facebook has lagged on promises to increase data transparency. In May, the company pledged it would launch a feature called “Clear History” that would allow users to opt out of data collection — including browser history and third-party data — to be used for targeted advertising. The feature, according to reports, may still be months away from launch. For now, Facebook users are left in an uncomfortable position, aware that apps may be transmitting data to be amassed by the platform, but unaware exactly which ones or what is out there.

That it’s taken this long is notable. Privacy concerns have rankled Silicon Valley platforms like Facebook for over a decade, and activists and rivals have chastised ad-supported platforms for hiding behind cumbersome policies. Onstage after a Facebook privacy blunder in 2007, Apple CEO Steve Jobs excoriated Facebook and advocated for clearer explanations. “Privacy means people know what they’re signing up for, in plain English, and repeatedly. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.”

In the audience that day? None other than Facebook CEO Mark Zuckerberg.