Previous research has shown how 42.55 percent of free apps on the Google Play store could share data with Facebook, making Facebook the second most prevalent third-party tracker after Google’s parent company Alphabet. In this report, Privacy International illustrates what this data sharing looks like in practice, particularly for people who do not have a Facebook account.
This question of whether Facebook gathers information about users who are not signed in or do not have an account was raised in the aftermath of the Cambridge Analytica scandal by lawmakers in hearings in the United States and in Europe. Discussions, as well as previous fines by Data Protection Authorities about the tracking of non-users, however, often focus on the tracking that happens on websites. Much less is known about the data that the company receives from apps. For these reasons, in this report we raise questions about transparency and use of app data that we consider timely and important.
Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called “mitmproxy”, an interactive HTTPS proxy, Privacy International has analyzed the data that 34 apps on Android, each with an install base from 10 to 500 million, transmit to Facebook through the Facebook SDK.
All apps were tested between August and December 2018, with the last re-test happening between 3 and 11 of December 2018. The full documentation, including the exact date each app was tested, can be found at https://privacyinternational.org/appdata.