Some of the most popular apps for Android smartphones, including Skyscanner, TripAdvisor and MyFitnessPal, are transmitting data to Facebook without the consent of users in a potential breach of EU regulations.

In a study of 34 popular Android apps, the campaign group Privacy International found that at least 20 of them send certain data to Facebook the second that they are opened on a phone, before users can be asked for permission.

Information sent instantly included the app’s name, the user’s unique ID with Google, and the number of times the app was opened and closed since being downloaded. Some, such as travel site Kayak, later sent detailed information about people’s flight searches to Facebook, including travel dates, whether the user had children and which flights and destinations they had searched for.

European law on data-sharing changed in May with the introduction of the General Data Protection Regulation (GDPR), and mobile apps are required to have the explicit consent of users before collecting their personal information. Fines for breaching GDPR can be up to 4 per cent of revenues or €20 million, whichever is greater.

The researchers looked at apps with built-in Facebook trackers and intercepted data as it was sent. Many of the apps are free, suggesting that they make money from data-sharing and advertising.

Developer kit

Frederike Kaltheuner, who carried out the research, said that while Facebook places responsibility for complying with regulations on app developers, the US company’s developer kit did not give the option of waiting for a user’s permission before transmitting some types of data.

“At least four weeks after GDPR, it wasn’t even possible to ask for consent, because of the default setting of Facebook’s SDK [software development kit]. This means data is automatically shared the moment the app opens,” she said.

Several app developers have complained about the issue to Facebook since May, filing bug reports on Facebook’s developer platform saying they were unable to comply with the law.

For instance, on May 29th, four days after GDPR came into effect in the EU, a developer posted: “Hi all. We analized [sic] network activity of Facebook SDK for Unity and found that on application start it sends some requests to graph.facebook.com. It seems to be violation of GDPR: we can not send anything about a user until he allows us to do that. Could you please fix that or strongly confirm that these requests don’t violate GDPR.”

A few weeks and several complaints later, Facebook responded to say it had created a fix but that developers would need to download the upgrade to use it. But developers have continued to file bug reports and it is not clear if the fix works.

“Six months after the release of the feature, we are still seeing very little evidence that developers are implementing it. Of all the apps that we have tested, 67.7 per cent automatically transmit data to Facebook the moment the app is launched,” the Privacy International report noted.

App analytics

A spokesperson for Facebook said that app developers could disable automatic data collection, and that this year it had introduced a new option that allows developers to delay collection of app analytics information.

The researchers also found that, as recently as this month, many apps were running older versions of the SDK that would not allow them to use the voluntary feature as it was designed.

Another major concern raised by activists is the “de-anonymisation” of the data – the practice of linking personal data back to a user, which is prohibited by GDPR.

Facebook can tie an Android ID to a user’s social network profile, instantly identifying them and adding any additional information to their personal profile.

“For example, an individual who has installed the following apps that we have tested, Qibla Connect (a Muslim prayer app), Period Tracker Clue (a period tracker), Indeed (a job search app), My Talking Tom (a children’s app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent,” the report said.

Facebook can also use the data to cross-target multiple people – for example, if a married couple use apps on the same wifi, or at the same location, their Android IDs can be tied together to target similar advertising to both of them.

Third-party tracker

Previous research from Oxford University has shown that 43 per cent of free apps on the Google Play store could share data with Facebook, making the social network the second most prevalent third-party tracker after Google’s parent company Alphabet.

A Facebook spokesperson wrote to the Privacy International researchers in response to their study, saying: “We agree that . . . it’s important for people to have access when we receive information about them when they’re not using our services, and to have control over whether we associate this information with them.

“Recognising the value of improvements in this area, we’re currently working on a suite of changes, including developing a new tool called Clear History, that we hope will address your feedback.”

A Skyscanner spokesperson said: “We were not aware that data was being sent to Facebook in this way without prior consent from our users, which went against our own internal rules on the integration of third-party technologies. We are still investigating how this happened.

“We’re currently reviewing our approach, both to this issue and to the use of similar technologies more generally, to ensure we’re doing everything we should be.”

TripAdvisor and Kayak did not respond to requests for comment and MyFitnessPal declined to comment.

– Copyright The Financial Times Limited 2018