Last week, the Wall Street Journal (WSJ) published an article that tells a worrying tale of a digital advertising ecosystem wherein unbeknown to most smartphone app users, their personal data shared with their applications are being shared with Facebook.
And this is regardless of whether the app users are registered Facebook users or not. Considering that a majority of smartphone users confess a lot of intimate, personal information to apps they use in their daily lives, this is a very unsettling finding.
According to the testing done by the WSJ, Facebook collects these kinds of personal information from multiple popular smartphone apps just seconds after the users have entered it into the app.
This information transfer from popular apps to Facebook includes information such as the price of houses users have looked at recently, when/how they are beginning a diet to work on their health, body weight, blood pressure, and even menstrual cycles.
Facebook software built into thousands of apps includes an analytics tool called ‘App Events’ that allows developers to record their users’ activity and report it back to Facebook, regardless of whether users log in via Facebook, or even have a profile.
Data from App Events is used to power Facebook’s advertising algorithms, though the company insists it wouldn’t use sensitive data for this (though this cannot be verified). Developers would use App Events to track how users use their app – something which is used to power target advertising
WSJ testing showed that some popular apps were using the Facebook software to create and send custom app events to Facebook that include sensitive data. Some of the apps include ‘Flo Period & Ovulation Tracker’, ‘Instant Heart Rate: HR Monitor’, and ‘Realtor.com’.
In Facebook’s policies for how to use Custom Events, it states that developers shouldn’t use Custom Events to gather and send back sensitive data. But, that’s what 11 of the most popular apps in the App Store supposedly did, according to the WSJ’s testing.
Perhaps most crucial in the WSJ’s findings, was that there seemed to be no apparent way of stopping this data transfer between the apps and Facebook.
While the article and the findings paint a worrying picture of the digital advertising ecosystem, it’s still unclear whether Facebook is truly to blame for this sensitive information transfer.
Yes the data is being sent to them, and potentially being used to power targeted advertising (which cannot be verified). And yes it’s their App Events software that is enabling these apps to transfer this data.
But, it is the individual apps and their developers that have created the Custom Events within their own apps that have taken their users’ sensitive personal information and sent it Facebook. This is something that Facebook cannot oversee, and a spokesperson from the social media giant has said they actively look to delete this kind of information if it receives it.
So could Facebook do a better job at enforcing its policies of not abusing the Custom Events? Yes. And could it be stricter with apps and developers that violate these policies? Yes. But in this case, it seems they are not directly to blame for the transfer of such sensitive, personal information.