A few friends have asked me is it possible that Facebook is listening to their phone calls or intercepting their online communications because it mysteriously seems to know all their travel plans. Well, I didn’t take it seriously until now. A research organization has published a study that shows how apps, including popular travel applications like TripAdvisor, Kayak, Yelp and Skyscanner on mobile phones routinely transmit private data to Facebook.
Research conducted earlier indicated that 42.55% of free apps on the Google Play store could share data with Facebook. The new study published in December 2018 discovered that at least 61 percent of tested mobile apps automatically transferred data to Facebook the moment a user opens the app. Data is transmitted to Facebook regardless of having a Facebook account or not, or whether people are logged into Facebook or not.
Privacy International, a non-profit organisation based in London, is behind the study that discovered how extensive the leaking of private data from apps is. The study focused only on Android apps downloaded from the Google Play Store, and their connection to Facebook.
Privacy International tested many types of apps, trying to find out if they made a connection to Facebook servers. All tested travel booking applications Tripadvisor, Yelp, Kayak, and Skyscanner sent data to Facebook. In addition, Kayak and Skyscanner also transmitted user’s Google ad id to Facebook. This is not the only serious problem travel booking apps have since they are plagued with fake reviews and misleading information.
What data Kayak, TripAdvisor, Skyscanner and Yelp send to Facebook?
The report suggests that the most extensive data set is collected and sent by the Kayak app. User’s private information that Kayak provides to Facebook includes:
- When the search was done
- Name of the app
- Google advertising id
- Departure city, airport, and date
- Arrival city, airport, and date
- Number of tickets, including number of children
- Class of tickets (economy, business or first class)
Facebook hasn’t explained what it does with the data it receives from the apps. What makes this discovery particularly intriguing is the fact that apps send every user’s data to Facebook. It doesn’t matter if the user has registered a Facebook account, the data is always transmitted to the databases of the social media giant.
Facebook did explain how the data is transmitted. The company provides application developers with programming tools – an SDK – that they can use, for instance, for identifying the user, for getting statistics, and for displaying ads in the app. Once a programmer includes the Facebook provided code in the app, it starts sending data to the headquarters.
The key observations of the study
Observation 1: at least 61 percent of apps tested automatically transfer data to Facebook the moment a user opens the app. This happens for users with and without Facebook account, or whether they are logged into Facebook or not.
Observation 2: Many apps send the user’s unique Google ad ID as well. It is an ad targeting id that is unique to the user. Using this and data from apps, the user can be identified.
Observation 3: Some apps routinely send Facebook data that is detailed and sometimes sensitive. Travel booking app Kayak does this (as listed above).
Observation 4: It is practically impossible to prevent apps from sending data Facebook. A high-tech solution suggested by the research report is to install a firewall on the phone that can prevent traffic to specified addresses (using a firewall such as AFWall+ or NetGuard). Changing Facebook’s privacy settings did not prevent tracking.
What can a user do to prevent apps from sending data to Facebook?
The safest option is not to install an app at all, especially if there is an alternative
- Once an app has been downloaded (and its terms approved in the Google Play Store), and it is started on the phone, there is practically nothing a user can do to prevent it sending data. Installing and configuring a firewall onto the phone is something no one expects ordinary people to do.
- In some cases, accessing a social media or another service in a browser can be a safer alternative to an app. The research report tested the Opera browser, and it doesn’t leak data to Facebook. Dropbox is another application that keeps your data away from prying eyes.
Change your phone
- The research estimates that Google is even bigger private data sucker than Facebook. To stop Google and Facebook getting your data, you can try and find a phone that doesn’t run on Android. Apple iPhone is the major brand that also claims they care about customers’ privacy. Even Apple can’t prevent independent apps from sending data to third parties.
- The best choice is to change to an open source software that has been reviewed by experts. One of them is /e/ operating system, but at the moment, it requires an expert to install it on a phone.
Wait for the GDPR’s effect
- The European Union online privacy regulation GDPR has been in effect since May 2018. The first court cases that define how it is applied are ongoing. In this case, Facebook is saying it is the application developer’s responsibility to ensure compliance with GDPR, but it may not be that simple. GDPR is intended to protect people from businesses that are trying to vacuum their data, so it will have an impact on these practices sooner or later.