Ebook reading, travel, and other mobile apps may be leaking private data to Facebook

2019-03-25

Writers, ebook lovers, travelers, and anyone else using downloaded applications on their mobile phones or tablets are silently leaking their personal data to Facebook. A research organization has published a study that shows how apps, including popular travel applications like TripAdvisor, Kayak, Yelp and Skyscanner, continuously transmitted users’ private data to Facebook.

An earlier study indicated that 42.55% of free apps on the Google Play Store sent private data to Facebook without having users’ permission to do so. A recent study published in December 2018 discovered that at least 61% of tested mobile apps automatically transmitted personal data to Facebook the very moment the app was opened. The apps transmit a set of data to Facebook in every case, whether or not the user has a Facebook account and whether or not the user is logged into Facebook.

Privacy International, a non-profit organisation based in London, conducted the research that discovered how extensive the leaking of private data from mobile apps is. The study focused only on Android apps downloaded from the Google Play Store, and their silent background connection to Facebook.

Privacy International tested many types of apps, trying to find out if they connected to Facebook servers. For instance, all tested travel applications – TripAdvisor, Yelp, Kayak, and Skyscanner (as reported by Skift) – sent data to Facebook. In addition, Kayak and Skyscanner also sent the user’s Google ad id to Facebook. This, however, is not the only nasty problem travel booking apps have: they are also seriously troubled by fake reviews and misleading travel product information.

Four months after the Privacy International research paper was published, some apps were re-tested. CNET reported that Yelp, Duolingo, Indeed, and a few religious apps were still sharing user data without having permission to do so. Music library Spotify, and travel apps Skyscanner and Kayak, don’t automatically connect with Facebook anymore.

Mobile apps send plenty of data to Facebook in the background

The report concludes that the largest set of data was leaked by the Kayak app. The user’s private information that Kayak provided to Facebook included:

When the search was done
Name of the app
Google advertising id
Departure city, airport, and date
Arrival city, airport, and date
Number of tickets, including number of children
Class of tickets (economy, business or first class)

Facebook hasn’t said exactly what it does with the data it receives from the apps. The peculiar thing about this discovery is that the apps send user data to Facebook whether or not the user has a Facebook account: the data is always transmitted to the social media giant.

Nonetheless, Facebook explained how the data is collected. The company provides application developers with programming tools – a Software Development Kit (SDK) – that they can use, for instance, for identifying the user, for getting statistics, and for displaying ads in the app. Once a programmer includes the Facebook-provided identification in the app, it starts sending data to the social media service’s databases.

The major observations of the Facebook data leak study

Observation 1: At least 61 percent of apps tested automatically transferred data to Facebook. This concerns all users, with or without a Facebook account, and whether or not they are logged into Facebook.

Observation 2: Many apps send the user’s unique Google ad id to Facebook as well. It is an ad targeting id that is unique to the user. Using this id and data from apps, the user can be identified.

Observation 3: Some apps continuously send Facebook data that is detailed and often sensitive. Travel booking app Kayak was a prime example of this activity (as listed above).

Observation 4: For a normal mobile app user, it is practically impossible to prevent apps from sending data to Facebook. The research report proposes a high-tech solution that involves installing a firewall on the phone that can prevent traffic to specified addresses (using a firewall app such as AFWall+ or NetGuard). Changing Facebook’s privacy settings did not prevent tracking.
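A check in the spirit of Observations 1 and 2, as an added example that is not code from the study or from the original article: it audits a capture of an app's outbound requests for traffic to Facebook-owned hosts and for UUID-formatted advertising ids in the request body. The capture format, app names, field names and domain suffix list are assumptions, and the sample records are constructed.

```python
import json
import re
from collections import defaultdict

# Assumption: domain suffixes treated as Facebook-owned for this audit.
TRACKER_SUFFIXES = ("facebook.com", "facebook.net")

# Google advertising ids are UUID-formatted strings.
AD_ID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)

# Constructed sample capture: one JSON record per outbound request, in a
# hypothetical export format (app, host, body). Not data from the study.
SAMPLE_CAPTURE = """\
{"app": "travel.example", "host": "graph.facebook.com", "body": "event=app_open&advertiser_id=38400000-8cf0-11bd-b23e-10b96e40000d"}
{"app": "travel.example", "host": "graph.facebook.com", "body": "event=search&from=HEL&to=LHR&advertiser_id=38400000-8cf0-11bd-b23e-10b96e40000d"}
{"app": "notes.example", "host": "graph.facebook.com", "body": "event=app_open"}
{"app": "browser.example", "host": "notfacebook.com.example.org", "body": "q=weather"}
{"app": "browser.example", "host": "cdn.example.org", "body": ""}
"""

def is_tracker_host(host):
    """Match the suffix on a label boundary so look-alike hosts do not count."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)

def audit(capture_text):
    """Return {app: {"requests": n, "ad_ids": set}} for tracker-bound traffic."""
    report = defaultdict(lambda: {"requests": 0, "ad_ids": set()})
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_tracker_host(rec["host"]):
            continue
        entry = report[rec["app"]]
        entry["requests"] += 1
        # A stable ad id in the body lets separate events be tied to one user.
        entry["ad_ids"].update(m.lower() for m in AD_ID_RE.findall(rec["body"]))
    return dict(report)

if __name__ == "__main__":
    for app, entry in sorted(audit(SAMPLE_CAPTURE).items()):
        linkable = "ad id sent" if entry["ad_ids"] else "no ad id seen"
        print(f"{app}: {entry['requests']} request(s) to Facebook, {linkable}")
```

The same host list is what a firewall app would be configured to block; the audit shows which apps would be affected before a rule is applied.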

Tips for preventing apps from leaking private data to Facebook

The safest option is not to install an app at all, especially if an alternative exists.
Once an app has been downloaded and opened on the mobile device, there is practically nothing a user can do to prevent it from leaking data. Installing and configuring a firewall is something ordinary people won’t do.
In some cases, accessing a social media or another service in a browser can be a safer alternative than an app. The research team tested the Opera browser, and discovered it doesn’t send data to Facebook. Dropbox is an application that keeps your data away from Facebook’s databases as well.

Change to a phone that is running on a secure operating system
The research argues that Google is an even bigger collector of private data than Facebook. To stop Google and Facebook getting your personal data, finding a phone that doesn’t run on Android is an option. Apple iPhone is the major brand that also claims to care about customers’ privacy. Even Apple can’t completely prevent independent apps from sending data to other parties.
The best choice is to change to open source software that has been reviewed by experts. One option is the /e/ (eelo) operating system, but at the moment, it requires an experienced techie to install it on a phone.

GDPR will affect rogue practices
The European Union online privacy regulation known as GDPR has been in effect since May 2018. The first court cases that define how it is applied have begun. Regarding GDPR, Facebook argues it is the application developer’s responsibility to make sure the app follows the GDPR rules. GDPR is intended to protect people from businesses that are collecting their data without permission, so the laws will have an impact on these malpractices sooner or later.