
How Facebook knows which apps you use – and why this matters

Published on 18.12.2018, edited on 20.12.2018
Image: iStockphoto.com / g-stockstudio

Looking for a new partner, perhaps on Tinder? Or on Curvy, for people with curves, or Grindr maybe, the gay dating app? Fighting your smoking addiction with the app “Kwit”, or monitoring your depressive cycles with “Moodpath”? If you do, chances are Facebook knows all about it. And you can’t know that it does.

This is a translation of the German article “Facebooks unsichtbare Datensammlung”, originally published on 13.12.2018.

Approximately 30 percent of all apps in Google’s Play Store contact Facebook at startup and transmit user data. This way, the company knows which apps you use and when you use them – including apps related to religion, sexuality or health. For users, this data transmission is entirely invisible.

All services mentioned above (Tinder, Curvy, Grindr, Kwit, Moodpath) and in the following article have three things in common. First: Most users access them via their smartphone apps. Second: All of these apps establish a connection to Facebook the moment you open them and report this to the platform. Third: Facebook connects all this info to the personal profile they have of you.

This is true at least for the Android apps of each of the services (we tested the versions available in the Play Store on November 28, 2018). Note: After being notified, the operator of the app “Moodpath” announced that they will remove the Facebook module from the app.

Tell me which apps you use and I’ll tell my customers who you are

This way, Facebook collects precious data from outside its own platform: Who is using which apps and when?

For a calendar app, this might not be highly sensitive information. But if you use the app “Bible + Audio” or have yourself reminded of Islamic prayer times with “MuslimPro”, you give away some quite interesting details.

Facebook expands its profiles with this data, making lots of money from it. If you are using the parenting guide “Pregnancy+”, you will likely be interested in baby products soon. If you are monitoring your headaches with “Migraine Buddy”, you will likely respond well to ads for new migraine medication.

Facebook confirmed the use of information from third-party apps for targeted advertising in a statement to mobilsicher.de.

How Facebook gets into your apps

Facebook is able to collect all this data without you knowing about it because the company strategically offers analytics tools and app developers are complacent. It is the developers themselves who willingly build the means for Facebook to learn about your app use into their products. All Facebook does is provide the suitable software module, a so-called Software Development Kit (SDK), ready to be downloaded and built into any smartphone app.

Why would any developer do this? If you build and offer an app, Facebook offers you “Facebook Analytics”, a service to analyze your users’ behavior. Facebook Analytics tells you what users do in your app – where they click, where they get confused or quit, which functions they prefer.

Sweet deal: Data for free service

This is valuable and perfectly legitimate information you need as a developer if you want to build a good product. Facebook’s analytics tool is not only very professional and accurate but, unlike many other similar services, it is also free. So unsurprisingly, it is hugely popular.

The US-based research project “AppCensus” found that 30 percent of all apps established a connection to Facebook (Facebook Analytics and other Facebook services) in a sample of 83,064 apps they analyzed.

The price for the useful service: The data on user behavior and user journey end up in Facebook’s hands. The developer or operator of an app can look at them – but they have no control over them.

What exactly does Facebook learn?

This arrangement – data for free service – does not seem to bother app operators at all. We assume that this is at least partly due to the fact that most of them don’t know what Facebook’s SDK actually does.

For instance, most developers we asked about this issue assumed that the information Facebook receives is anonymized. However, that’s not the case. If you look at the data traffic of an app with the Facebook module built in, here’s what you will typically see. (This example comes from the official app of the Conservative Party in Germany, CDU. After being notified, the party declared that it will remove the Facebook SDK with the next update.)

Data traffic of the app Meine CDU. On the left you see all web addresses the app connects to on startup. This is before any user interaction takes place. On the right, we show the content of one data package that is transmitted to Facebook. The highlighted line contains the Advertising ID.

Besides technical information like the code D5803, describing the device model (Sony Xperia Z3 Compact), Facebook learns the time of use, the IP address and which app the traffic originates from – in this case the conservative party’s app “Meine CDU”.

But the critical piece of information is found in the highlighted line, tagged as “advertiser_id”. It contains the so-called Advertising ID, in this example the string “3e072b22-ed75-4502-b26c-10ca1ad1abe1”.

Is the Advertising ID really anonymous?

Every Android device with a connected Google account has such an Advertising ID. iPhones and iPads have a similar identifier, created at first boot by Apple’s mobile operating system iOS.

The Advertising ID is unique for every device and can be read by any app installed – no permission or user interaction necessary. Facebook makes use of this: If you log on to your Facebook account just once using your smartphone, Facebook collects your Ad ID and connects it to your account. If your name, birthday, email address or other personally identifiable information is stored in this account, the Ad ID is very far from being anonymous.

From now on, Facebook can connect every scrap of information to your account and user profile, as long as it comes together with your Ad ID. And that is exactly what it does with the information coming from third-party apps, as Facebook confirmed in a written statement to mobilsicher.de.

This way, your Ad ID loses its anonymity, at least until the moment it changes. This happens automatically when you perform a factory reset or get a new phone. You can also change your Ad ID manually, whenever you want. But since hardly anyone does that, the Ad ID works perfectly well as an identifier.

Rough deal: Zero transparency for users

From the user interface, there is no way you can see that a connection to Facebook (or to anywhere else) is established. The data transmission is independent of user interaction and of whether you choose to log in with your Facebook account. It happens even when you don’t have a Facebook account at all.

None of the apps we refer to in this text actively notifies users of this data transmission, for instance with a dialogue window. Not even half of them mention Facebook Analytics in their privacy policy. Strictly speaking, none of them is GDPR-compliant, since the transmission starts before any user interaction could indicate informed consent.

In the absence of authoritative numbers, our educated guess is that this does not look much different in the rest of the 30 percent of apps that use the Facebook SDK.

Facebook itself states in its Data Policy that the company uses information from third-party apps for targeted advertising. But many app developers don’t, and Facebook confirmed in a statement to mobilsicher.de that at this time, users have no option to see in their Facebook accounts which apps are connected to their profile. Mark Zuckerberg announced a functionality to make this transparent in May of this year, dubbed “clear history”. To this day, it is still not available.

Freedom of Choice?

Confronted with the issue, Facebook routinely points out that opt-out options are in place. In fact, targeted ads can be disabled through the settings of your Android device or in the settings of your Facebook account. So everybody has a choice, right?

But what exactly is the effect of this setting, regarding the collection of your data? We tested it with an Android device that had “targeted ads” disabled in its Android settings.

The data traffic of this device looked very much the same as pictured above (in this example from the app of a local section of the German Social Democratic Party SPD, dubbed “SPD Landtagsfraktion NRW”. The app was removed from the app store after notification).

Data traffic of the app SPD Landtagsfraktion NRW. The setting “deactivate personal ads” in the menu of the device is active. On the left you see all web addresses the app connects to on startup. On the right, we show the content of one data package that is transmitted to Facebook. The highlighted line “advertiser_tracking_enabled” now reads “false”. But the data are still being transmitted.

The difference is: In the line beneath the Ad ID, dubbed “advertiser_tracking_enabled”, it reads “false”. So the SDK sends a flag along with the data, telling Facebook that the user opted out of targeted ads.
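The check that the two traffic captures described above illustrate, as an added example (not code from mobilsicher.de or from Facebook): it scans intercepted startup requests for an `advertiser_id` sent to a Facebook host and reports the cases where it was sent although `advertiser_tracking_enabled` was false. The capture records, the host names, the `event` field and the second Ad ID are constructed for illustration, and a form-encoded request body is assumed.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of proxy-logged startup requests. Only the field names
# advertiser_id / advertiser_tracking_enabled and the first Ad ID come from
# the article; hosts, "event" and the second Ad ID are assumptions.
CAPTURE = [
    {"app": "Meine CDU", "host": "graph.facebook.com",
     "body": "event=app_start&advertiser_id=3e072b22-ed75-4502-b26c-10ca1ad1abe1"
             "&advertiser_tracking_enabled=true"},
    {"app": "SPD Landtagsfraktion NRW", "host": "graph.facebook.com",
     "body": "event=app_start&advertiser_id=00000000-1111-4222-8333-444444444444"
             "&advertiser_tracking_enabled=false"},
    {"app": "Meine CDU", "host": "cdn.example.org", "body": "v=1"},
]

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
ZERO_ID = "00000000-0000-0000-0000-000000000000"


def audit_request(req, tracker_domain="facebook.com"):
    """Return a finding if the request sends a linkable Ad ID to the tracker."""
    host = req["host"].lower()
    # Match the domain itself or a true subdomain, not e.g. "notfacebook.com".
    if host != tracker_domain and not host.endswith("." + tracker_domain):
        return None
    fields = dict(parse_qsl(req["body"], keep_blank_values=True))
    ad_id = fields.get("advertiser_id", "")
    # A missing, malformed or all-zero value cannot be linked to a profile.
    if not UUID_RE.match(ad_id) or ad_id == ZERO_ID:
        return None
    opted_out = fields.get("advertiser_tracking_enabled", "").lower() == "false"
    return {"app": req["app"], "host": host,
            "advertiser_id": ad_id, "opted_out": opted_out}


def audit_capture(capture):
    """All requests in the capture that carry an Ad ID to the tracker."""
    return [f for f in map(audit_request, capture) if f]


def ids_sent_despite_opt_out(capture):
    """Apps that transmitted the Ad ID although the opt-out flag was set."""
    return [f["app"] for f in audit_capture(capture) if f["opted_out"]]


if __name__ == "__main__":
    for finding in audit_capture(CAPTURE):
        print(finding)
    print("sent despite opt-out:", ids_sent_despite_opt_out(CAPTURE))
```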

We asked Facebook whether data containing this flag will be discarded after transmission, as you would expect. In its written answer to exactly this question, a spokesperson replied:

“If a person utilizes one of these controls, then Facebook will not use data gathered on these third-party apps (e.g. through Facebook Audience Network), for ad targeting.”

It is hardly possible to overlook the ambiguity of this answer. In our view, it leaves only one conclusion: Facebook stores the data and builds a user profile nevertheless – it just doesn’t show the respective ads to the users. But should they decide at some later point to change the setting and allow for targeted ads, a well-maintained and exhaustive user profile will be in place waiting for them.

The author

Miriam Ruhenstroth

E-mail: m.ruhenstroth@mobilsicher.de

PGP key: 0x2F021121044527DC

Fingerprint: BC80 45E0 3110 EA00 A880 0827 2F02 1121 0445 27DC

Has accompanied mobilsicher.de since its founding, first as a freelance author, then as an editor. Since January 2017 she has led the project, which was expanded in 2020 to include the AppChecker. Before that she worked for many years as a freelance technology and science journalist.
