Why Are Users Surprised by Data Slurping?
(jeremy_kirk) • February 25, 2019
Here's a visualization of data Facebook collects created by ShareLab's Facebook Algorithmic Factory investigation. (Source: ShareLab)
Over the last few months, there's been a steady drip of investigative stories looking at the data that mobile apps collect and how companies like Facebook ingest it.
The latest came on Friday from the Wall Street Journal. The top-line finding: Eleven health and fitness apps shared sensitive data, such as heart rates, menstrual cycles or pregnancy statuses, with Facebook. This occurred whether or not a user had a Facebook account.
The data was sent because the apps used Facebook's mobile analytics SDK, which collects information that helps improve ad targeting. The SDK allows app developers to create new advertiser segments. These "buckets" - broad categories such as age brackets or whether someone is a sports enthusiast - can then be used to target ads. The ad industry maintains that this method protects people's privacy, as the generalized categories don't reveal any specific, identifying information.
Facebook advises app developers not to send it health and financial information. The company also says it didn't use the data for advertising. Sending that kind of data would violate its terms and conditions, Facebook tells the Journal. But the newspaper reports that users had no way of opting out of that kind of data transfer.
The story raises concerning questions about users' expectations when they download an app, the opaqueness around what the app is actually doing and how this relates to privacy law.
Some of the apps stopped sharing data with Facebook after the Journal published its report, the newspaper reported Sunday.
Meanwhile, New York Governor Andrew Cuomo has ordered two state agencies to investigate the Journal's report that Facebook may be accessing far more personal information than previously known, The Guardian reports.
Blaming the User
There's a tendency to blame the victim, although calling app users victims is probably hyperbole. The argument runs like this: If you don't want your personal data collected and transferred to unnamed companies, don't use the app.
This seems like a fair point on the surface. Mobile apps have to generate revenue, and that is largely done through targeted advertising, which is based on collecting location data, app activity, browsing activity and a variety of other metrics. Consumers should know by now this is a common practice that makes unpaid apps possible.
But clearly, they don't. And that's because some online advertising companies and app developers haven't been forthright about what's going on under the hood of their services. They've rightly anticipated that if users knew the full details of how their personal data was collected and shuffled around, the response may be: "No way. Bye."
It's misleading when mobile app developers point to their privacy policies as a reason why the data collection should be expected. Privacy policies virtually never dig into the details and are usually slyly crafted to reassure.
The only accurate way to figure out what data an app is transmitting is to man-in-the-middle the traffic with a web debugging proxy and scan data fields. That's unreasonable for most users.
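
An added example (not from the original article): once a debugging proxy has captured an app's traffic and exported it as a HAR file, a short script can do the field scanning described above. The host names, keyword list and sample capture are constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed keyword list for this example; tune it to the app under review.
SENSITIVE = re.compile(r"heart|pregnan|ovulat|menstru|cycle", re.I)

def flatten(value, path=""):
    """Yield (path, leaf) pairs, decoding JSON carried inside string fields."""
    if isinstance(value, str) and value[:1] in ("{", "["):
        try:
            value = json.loads(value)
        except ValueError:
            pass  # not JSON after all; treat it as an ordinary string
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from flatten(item, f"{path}[{i}]")
    else:
        yield path, value

def request_fields(req):  # query-string and body fields of one HAR request
    fields = dict(parse_qsl(urlsplit(req["url"]).query))
    post = req.get("postData", {})
    if "json" in post.get("mimeType", ""):
        fields["body"] = post.get("text", "")
    elif "x-www-form-urlencoded" in post.get("mimeType", ""):
        fields.update(parse_qsl(post.get("text", "")))
    return fields

def audit(har, first_party):
    """Return (host, field_path, value) for sensitive fields sent off-domain."""
    findings = []
    for req in (entry["request"] for entry in har["log"]["entries"]):
        host = urlsplit(req["url"]).hostname or ""
        if any(host == d or host.endswith("." + d) for d in first_party):
            continue  # traffic to the app's own backend
        findings += [(host, p, v) for p, v in flatten(request_fields(req))
                     if SENSITIVE.search(p) or SENSITIVE.search(str(v))]
    return findings

# Constructed capture: one first-party sync and one third-party analytics call.
EVENTS = urlencode({"custom_events": json.dumps([{"name": "pregnancy_week", "value": 12}])})
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.cycleapp.example/v1/sync?cycle_day=3"}},
    {"request": {"url": "https://analytics.adnet.example/events?app=123", "postData": {
        "mimeType": "application/x-www-form-urlencoded", "text": EVENTS}}}]}}
```

Calling `audit(SAMPLE_HAR, ["cycleapp.example"])` reports only the analytics request, because the event name it carries is JSON nested inside a form field and would be missed by a scan of top-level parameter names alone.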
Europe's General Data Protection Regulation represents the biggest driver to shine a light on data sharing. The regulation demands clarity in privacy policies and terms of service, mandating plain language. That is starting to play out, starting with Google, which received a record $57 million GDPR fine from French regulators last month (see: France Hits Google With $57 Million GDPR Fine).
Zeynep Tufekci, a privacy expert and associate professor at the University of North Carolina at Chapel Hill, concisely sums up the problem:
This shouldn't be the case. The Journal, for example, spoke to a 25-year-old woman who used Flo, a menstrual cycle app. After learning her health data was transferred to Facebook, she was considering deleting it.
Flo's privacy policy appeared to give assurance that the kind of information it collected, such as menstrual cycle, wouldn't be shared. Following the Journal's story, Flo said it would limit its use of external analytics systems while it conducts a privacy audit.
Keeping Track Is Challenging
With tens of thousands of mobile apps, it's impossible for investigative journalists and privacy researchers to keep up. The data sent one day may be different than the data sent five days and two updates later.
There is a fair argument about the balance of the Journal's story, which seemed to cast Facebook in a shady light. Facebook was only the recipient of the data sent by the 11 apps. The responsibility lies with the app developers, writes Antonio Garcia Martinez, an author who was Facebook's first ads targeting product manager.
With its lingering data foibles and general shadiness, it's hard to see how Facebook would get off easy here, but Martinez has a solid point. Martinez also highlights that the technical documentation for the analytics SDK has been public for five years, suggesting the story may be more a scoop of perception than a scoop.
But clearly there's a case to be answered here by Apple, Facebook and Google, which also has an analytics SDK for Android apps. The companies are in the best position to do the technical testing to figure out what data apps are sending and whether there's friction between user expectations and privacy policies.
Until those gaps are closed, stories such as the Journal's will still hold unwelcome surprises.