Last December I reported on how Facebook’s S.D.K. was collecting information from apps like Tinder and Grindr as well as various pregnancy and religious apps. Among the information sent to Facebook: your device IP address and type, the time of use and your advertising ID. While the data is supposedly anonymized, the advertising ID makes it extremely easy for bigger companies like Facebook to identify and link third-party app information to existing Facebook users (if you’ve logged into Facebook on your phone or downloaded the app, Facebook can theoretically match that advertising ID with the ID transmitted through the S.D.K.).

S.D.K.s become particularly concerning when embedded inside apps that contain sensitive information. This month BuzzFeed News reported that period tracker apps were sending highly personal data to Facebook via S.D.K.s, including when women last had sex. And it’s not just Facebook; small tech companies and ad networks with unknown business practices provide S.D.K.s to apps, and hoover up and potentially expose information. In 2018, a researcher for Kaspersky Labs “found four million Android apps were sending unencrypted user profile data, such as names, ages, incomes, phone numbers and email addresses — and, in one example, dates of birth, user names and GPS coordinates” from the app to the advertisers’ servers.
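
To make the two leaks described above concrete, here is an added example (not from the original article or from any S.D.K. vendor) of how captured app traffic can be audited for advertising IDs and for profile fields sent in cleartext to third-party hosts. The host names, parameter names and sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Android/iOS advertising IDs are UUID-formatted strings.
AD_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Hypothetical parameter names for the profile fields the article lists.
PROFILE_KEYS = {"name", "age", "income", "phone", "email", "dob", "username", "lat", "lon"}

def audit_request(url, first_party_hosts):
    """Return a list of findings for one outbound request URL."""
    parts = urlsplit(url)
    if parts.hostname in first_party_hosts:
        return []  # traffic to the app's own backend is out of scope here
    params = dict(parse_qsl(parts.query))
    findings = []
    profile = sorted(k for k in params if k.lower() in PROFILE_KEYS)
    has_ad_id = any(AD_ID.match(v) for v in params.values())
    if has_ad_id:
        findings.append("advertising-id")  # linkable to an existing account
    if profile:
        findings.append("profile:" + ",".join(profile))
    if parts.scheme == "http" and (has_ad_id or profile):
        findings.append("cleartext")  # readable by anyone on the network path
    return findings

def audit_capture(urls, first_party_hosts):
    """Group findings by third-party host."""
    report = {}
    for url in urls:
        found = audit_request(url, first_party_hosts)
        if found:
            report.setdefault(urlsplit(url).hostname, set()).update(found)
    return report

# Constructed sample capture; hosts and values are made up.
CAPTURE = [
    "https://api.tracker-app.example/v1/sync?user=42",
    "https://sdk.adnet-one.example/e?aid=38400000-8cf0-11bd-b23e-10b96e40000d&event=open",
    "http://collect.adnet-two.example/p?email=a%40b.example&age=31&lat=52.1&lon=4.3",
    "https://cdn.adnet-three.example/banner.png?size=320x50",
]

if __name__ == "__main__":
    for host, found in audit_capture(CAPTURE, {"api.tracker-app.example"}).items():
        print(host, sorted(found))
```

The check only inspects URL query strings; real S.D.K. traffic often carries the same fields in request bodies, which would need the same treatment.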

To get a sense of how prevalent S.D.K.s are, I used MightySignal, a tool that tracks the S.D.K.s embedded inside tens of thousands of apps, to search around for sensitive categories. I quickly found Period Tracker, an Android app with more than 100 million downloads, according to the site. MightySignal listed 26 S.D.K.s embedded in the app from Facebook and Google as well as smaller tech companies, each one transmitting potentially sensitive information. Feeld, an app that originally started as a way for couples and singles to participate in group hookups, currently has 42 installed S.D.K.s and 52 previously installed S.D.K.s on its iOS app. While it’s unclear exactly what information is being shared, each third party that’s receiving sensitive information is a potential vulnerability. In the case of some S.D.K.s, which belong to ad networks or smaller analytics firms, the companies may be bought or sold, so the data could change hands without its owners knowing.

Nearly every advertising industry source I’ve spoken with requested anonymity to speak about S.D.K.s, in part because their companies were using them in some way to collect data. One described the industry, which isn’t meaningfully regulated or monitored, as the Wild West. “It’s the industry standard,” an online ad industry veteran told me. “And every app is potentially leaking data to five or 10 other apps. Every S.D.K. is taking your data and doing something different — combining it with other data to learn more about you. It’s happening even if the company says we don’t share data. Because they’re not technically sharing it; the S.D.K. is just pulling it out. Nobody has any privacy.”

S.D.K.s are not, by nature, nefarious. But their prevalence can turn almost any application, no matter how mundane, into a data harvester. Beauty apps and smart TVs have S.D.K.s. Even cars have them. A 2015 report from TechCrunch describes an early car S.D.K. as “streaming real-time data from a car’s computer and sensors to apps running on your phone.”