How Facebook tracks you on Android (even if you don't have a Facebook account)

5,654 reads

Suppose you’ve picked up an Android phone on the street and you saw the 4 apps above. Can you guess the profile of the phone user?

reactions

Your guess is likely to be that the user is a ‘she’, her religion is Muslim, perhaps looking for a job recently, and she’s either a mother or someone who is into virtual cats.

reactions

Yes, in essence, that’s how Facebook profiles you if you own these apps in your Android phone. Now, let’s talk about the ‘how’.

reactions

Cut to the chase

Facebook is able to track you because Android developers of 3rd party apps (example: Indeed Job Search) implement Facebook’s Software Development Kit (SDK). SDK is a collection of tools that eases the creation of software. By using Facebook SDK, developers can do advanced analytics without the need to code it from scratch. SDK is like a Swiss Army Knife. With it, you can start your job immediately instead of having to build your own scissors, knife, corkscrew etc. This article is written based on the research conducted by Frederike Kaltheuner and Christopher Weatherhead. You can watch the full video here. The official study can be found here.

Purpose of this article

I wrote this article with the end in mind to educate the general public on how these tech companies collect our data and how we can protect our digital privacy. My job is to “de-jargonise” the research, not to be 100% technically accurate (although I will do my best to be).

reactions

Just a head’s up, I am not an expert in the data privacy domain; I just consider myself more of an intermediate developer. So if you have detected any technical inaccuracies, please point it out and I will send you a 💌.

reactions

Outline

Anatomy of the Google Play Store How the tech works (without going too much on the tech) What’s our defense?

Anatomy of the Google Play Store

According to Privacy International, research done by the University of Oxford has suggested that approximately 42.55% of the free apps in the Google Play Store could share data with Facebook.

reactions

Out of the 42.55%, this study picked 34 apps, based on the fact that they have either a huge number of installations, or they involve sensitive information such as religion and health, or they are simply utility apps (You know, torchlight, QR code scanner, fart sound etc).

reactions

Here’s a zoomed-in version. Found any app that’s installed on your phone right now?

reactions

Out of the 34 apps, over 61% of them automatically transfer data to Facebook the moment a user opens the app.

reactions

“…the moment a user opens the app”. That means, there is no chance for the app to ask permission from the user to grant/deny the sharing of personal data.

How the tech works (without going too much on the tech)

App #1: Kayak

reactions

Take Kayak for example. If you are unsure what’s Kayak, it’s a travel metasearch engine. It allows you to search for flights, hotels, and cars if you are going on holiday.

reactions

Action 1: You tap on the application icon.

reactions

What happens: The application is initialized and the following data is sent to Facebook immediately.

reactions

The highlighted word “anon_id” stands for anonymous id. Basically, you are identified as XZdfd5f00f-9271–4e82-a8ce-6cea1d38b6d3. Facebook does not know your actual name, and that doesn’t matter. There’s a term for that; it’s called shadow profiling.

reactions

It’s comical to know that Kayak confidently declares this message “Don’t worry, we’ll never share anything without your permission” at its login screen even though it shares data the moment you open the app. In Kayak’s defense, the SDK is built by Facebook, so Kayak should not shoulder the entire blame here. To be fair, Kayak no longer shares data instantaneously with Facebook as of this writing.

reactions

Action 2: You search for a flight with 1 economy passenger from London (Gatwick) to Tokyo on the 2nd December, returning on the 5th

What happens: The search is initialized and the app sends the following to Facebook.

reactions

In a span of a minute or two, Facebook took notice of this random person who wants to travel from London to Tokyo in December and he’s traveling alone. This data is harvested from a single person with a single device at a single search.

reactions

Imagine you close the Kayak app and switch to (say) “Amazon”. Facebook knows that you have these 2 apps and it will probably start to put you into categories like “preparing for holiday” or “affinity for winter clothes”.

reactions

The bottom line is that Facebook harvests billions of data points every single day, even from users who made a conscious effort to stay away from Facebook. That’s how creepy it is.

reactions

What’s our defense?

Stay in a cave.

reactions

I’m joking.

reactions

Well, half-joking.

reactions

The best defense is, of course, getting yourself off the internet. That means, no Facebook, no Google search, no YouTube, don’t hang out with friends who love to take selfies, and buy airline tickets at the booth. But we all know that that’s kind of impractical at this day and age. But there are certain ways to limit the reach of these tech companies into your personal life.

reactions

Here are 5 suggestions.

reactions

1. Reset your advertising identifier (Very simple)

reactions

Every device has an advertising identifier (aka ad id). You can’t stop Facebook or Google from tracking you but you can make their tracking difficult by frequently resetting your ad id. If you reset it, in theory, Facebook and Google algorithms will view you as a different person in your next online activity.

reactions

Android Phone: Go to settings > Google > Ads > Reset advertising identifier

reactions

iPhone: Go to settings > Privacy > Advertising > Reset advertising identifier

reactions

2. Limit ad personalization (Very simple)

reactions

In theory, this should limit the amount of data collected by the companies. However, this study showed that we can end up sharing more data to companies if we limit ad personalization. But I will not go into the details of that.

reactions

Android: Go to Settings > Google > Ads > Opt Out of Personalized Advertising

reactions

iPhone: Go to settings > Privacy > Advertising > turn on ‘Limit Ad Tracking’

reactions

3. Review permissions (Very annoying)

reactions

Did you notice that apps these days have been asking for permissions before you carry out a simple task like importing a photo or opening a map? Yeah, it’s irritating but it’s crucial. This allows you to have greater control of your privacy. Not perfect, but at least it helps to a certain extent.

reactions

4. Use Brave browser to surf & use DuckDuckGo to search (Simple)

reactions

Brave (as opposed to Google Chrome) is a web browser which focuses a lot more on data privacy.

reactions

DuckDuckGo (as opposed to Google Search) is a search engine which distinguishes itself from other search engines by not profiling its users.

reactions

5. Educate yourself / your parents / your children on how the Internet works (Not so simple)

reactions

Education is the most powerful weapon. There are tons of articles and YouTube videos explaining how computers and network works; go read them up. However, if the content is too complex, especially for the older generations and the newcomers (aka your children), you can check out Potato Pirates -Enter The Spudnet. It’s a board game that’s developed to teach cybersecurity and internet piracy without computers.

reactions

Closing Remarks

After the Facebook-Cambridge Analytica data scandal, people are starting to take notice of the importance of digital privacy and the government has been implementing measures after measures to curb the big companies from being overly intrusive in terms of data collection. One prominent move is the implementation of the General Data Protection Regulation (commonly known as GDPR) in the EU. It basically sets a compliance framework that companies need to comply with. While it’s heartening to know that the government has made progress to protect us, we need to do our part as well.

reactions

I hope this article is useful to you. Do drop me a response if you would like to discuss this topic further.

reactions







reactions

Tags