“The app has hardly been opened and data ends up on Facebook.”
Frederike Kaltheuner finds that the public discussion of tracking, i.e. how individuals are followed on their way through the Internet, lags behind reality. At Privacy International, a digital civil rights organization, she works on preserving privacy on the Internet.
While the public discusses web browsers and cookies, i.e. technologies from the 90s and early 2000s, tracking by apps is often overlooked. The way in which data about users is collected there is “three steps further”.
At the Chaos Computer Club’s Hacker Congress, Kaltheuner presented a new report by Privacy International. The organization analyzed 34 apps to see whether data was sent to Facebook. The apps include the music service Spotify, the game Candy Crush and Skyscanner, an app for finding flights.
The report shows that the majority of these apps send data to Facebook as soon as the app is opened – even if the person does not have a Facebook account.
SZ.de: Mrs. Kaltheuner, what is the problem if apps are used for tracking?
Kaltheuner: We use our mobile phone all the time, several hours a day. If a company can track which apps we have downloaded and how we use them, it will get a good insight into our personal interests. This is invasive of privacy.
Researchers at Oxford University have analysed a million apps and found that many of them share data with third parties, including surprisingly often large corporations such as Google and Facebook. There are thousands of tracking companies, all of which you hardly know, but 90 percent of all apps were technically programmed to share data with Alphabet, Google. Almost 43 percent of all apps could share data with Facebook.
If Google is ranked number 1 by far, why did you analyze Facebook?
Because we wanted to know if you could at least avoid this company, so we only analyzed whether data was sent to Facebook even if you didn’t have an account there. The Oxford study examined whether the apps would technically allow data to be sent to Google and Facebook. We wanted to know whether that would actually happen. So we analyzed the data streams; the data that is sent as soon as you open the app.
You’ve looked at 34 apps in more detail. What criteria did you use to select these apps?
For example, we sorted the apps by size. With this study, you can make statements that affect hundreds of millions of people. In addition, we have selected categories that, at least by name, concern very personal interests. Apps that show prayer times for Muslims, physical health, or two period calendars for women.
Is data sent to Facebook?
Yes, in almost two thirds of all cases. As soon as the app is opened, data ends up on Facebook. Information is sent that the app has been opened and closed, which app it is, and a Google Advertising ID, in other words a number that can be uniquely assigned to a person for advertising purposes. This is personal data. There are a number of apps that share much more detailed data. With Skyscanner or Kayak you can book trips. There, many interactions are shared, for example which city you fly from and what the destination is, whether you have children and whether you fly Business Class. These search queries were shared.
This is very specific information.
Facebook has two billion users. So Facebook already has an incredible amount of data about an incredible number of people. It’s worrying that the company can also access more than millions of apps and websites from users who aren’t logged on to Facebook at all.
Facebook sees it as the developers’ duty. They must obtain the permission of users before data is sent.
Right, apps have the responsibility to protect the privacy of their users. This is the position of Facebook. But is Facebook allowed to shift the responsibility just like that or doesn’t the company also have a responsibility?
In addition, some developers have complained that data is being sent before there is even the possibility to ask users for permission. But Facebook has published an update in the meantime. That was in June, weeks after the entry into force of the General Data Protection Regulation. In any case, users must be given the opportunity to consent to the transfer of data.
How exactly does Facebook use data about non-users?
We’ve analyzed what data is shared when, but of course we can’t know how it’s used. According to Facebook, it is currently building a tool to make it easier for non-users to exercise their data rights. This is long overdue and we very much hope that Facebook will provide really easy access to all personal data.
What are the benefits for app providers if they forward data to Facebook?
Facebook gives app developers the ability to easily send data to Facebook. For example, a Muslim prayer app told us that it wants its users to be able to share prayer times on Facebook with their friends. So there are legitimate reasons why apps share data with third parties, including Facebook. The only question is how transparently users are told which data is sent when – and whether users, where it would be appropriate, are offered a real choice not to agree.
You have submitted the results of your study to Facebook. How did the company react?
Facebook likes to stress that this type of data collection is widespread and that companies such as Amazon, Twitter and Microsoft also collect data outside their platforms. That’s true.
But there’s no law of nature that says that every website and app we use has to share data with third parties; it’s the result of a development in recent years. Apps and websites want to advertise and understand how their users move around their sites. But this can also be done fairly and transparently.
Until then: Can users defend themselves against such data transfer?
It is incredibly difficult to protect yourself from the kind of tracking we have described in our report. But there are things that should be done. If you have a mobile phone with the Android operating system, you can change the advertising ID. This also works on iOS. This will give you a new advertising profile. But you can’t delete this ID. You should also deactivate personalized advertising.