Some Apps Using Facebook’s SDK Are Sending Sensitive User Data to Facebook ⇥ wsj.com

Sam Schechner, Wall Street Journal (like all WSJ articles, this is paywalled, but a Twitter link is a ladder over the wall):

Apple Inc. and Alphabet Inc.’s Google, which operate the two dominant app stores, don’t require apps to disclose all the partners with whom data is shared. Users can decide not to grant permission for an app to access certain types of information, such as their contacts or locations. But these permissions generally don’t apply to the information users supply directly to apps, which is sometimes the most personal.

In the Journal’s testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple’s iOS, made by California-based Azumio Inc., sent a user’s heart rate to Facebook immediately after it was recorded.

Flo Health Inc.’s Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed.

Real-estate app Realtor.com, owned by Move Inc., a subsidiary of Wall Street Journal parent News Corp , sent the social network the location and price of listings that a user viewed, noting which ones were marked as favorites, the tests showed.

Reckless data sharing by app developers is a recurring concern. Two years ago, Will Strafach found that the AccuWeather app was providing users’ location data to Reveal Mobile. Last year, reporters at the New York Times found that many apps were still selling users’ locations to unscrupulous analytics and adtech firms. At the time, I wrote:

App developers should, at the very least, be required to be completely forthright in their permissions request dialogs. If a developer is scooping and selling user data, they should be able to defend that practice to users in language that they can understand; if they cannot, then perhaps that’s a practice they should cease.

At an absolute minimum, users should know which companies their data may be shared with and why, in plain language terms — now more than ever. That’s the responsibility of app developers, Apple, and Google; unfortunately, users simply have very little control:

Facebook allows users to turn off the company’s ability to use the data it collects from third-party apps and websites for targeted ads. There is currently no way to stop the company from collecting the information in the first place, or using it for other purposes, such as detecting fake accounts. Germany’s top antitrust enforcer earlier this month ordered Facebook to stop using that data at all without permission, a ruling Facebook is appealing.

Vile.

Even with better disclosure rules, I think all developers should assume users don’t read privacy policies; they place their blind trust that the app will do the right thing. Developers are abusing users’ naiveté, and I think the corrosion of user trust will do long-term damage to the digital economy if it is not curtailed.