After a year of especially terrible press, growing government scrutiny, and eroding public affection, Facebook is staring down yet another potential scandal involving sensitive user data.
The Wall Street Journal reports today on an investigation it conducted into about a dozen popular third-party mobile apps that are, unbeknownst to their users, transmitting the data entered into them straight to Facebook.
It has been well reported that third-party apps have had access to a bevy of information on Facebook users, with Cambridge Analytica being the most infamous example. The New York Times reported in December that other partner companies like Netflix and Spotify have also been granted broad access to user information, including users' private messages, although Facebook subsequently denied that any third parties were reading users' messages.
But it hasn't been known before that third-party apps which have no apparent connection to Facebook, and which aren't necessarily using Facebook logins and asking users' permission to share data, are transmitting to Facebook sometimes highly personal information that users enter into the app.
Code created by Facebook within the apps transmits the data as part of what's called a "custom app event," which the apps themselves can then use to target their users with ads on Facebook. Even though the app users may not even be Facebook users, information about their location and their device is transmitted to Facebook, and Facebook can potentially connect that data to specific Facebook accounts, as the Journal reports.
Examples of apps that are engaging in this practice without their users' knowledge include Instant Heart Rate: HR Monitor, which is the most popular heart-rate app in Apple's App Store; and Flo Period & Ovulation Tracker, which has over 25 million active users.
Per the Journal, other apps transmitting non-health-related data to Facebook include Realtor.com, which sends "the social network the location and price of listings that a user viewed, noting which ones were marked as favorites."
Flo responded to the Journal's inquiries saying that it didn't share any sensitive data from its users with Facebook, and whatever was shared was fully anonymized. The Journal's tests, however, showed that the data came with unique advertising identifiers that Facebook could then connect with a user's device or profile.
In total, "at least 11" of the 70 apps the Journal tested were doing something similar in transmitting sensitive user data to Facebook.
A Facebook spokesperson tells the Journal that the company automatically deletes any sensitive data it receives from third-party apps, such as social security numbers, and that no "custom app event" data is ever used for Facebook's own internal purposes. The spokesperson further said that the company was looking into safeguards to prevent such sensitive third-party data from ever being stored by Facebook.
You Give Apps Sensitive Personal Information. Then They Tell Facebook. [Wall Street Journal]