Apps Give Private Data To Facebook Without User's Knowledge or Permission
MARY LOUISE KELLY, HOST:
Let's dig deeper now into how some of these apps are sharing users' data without their knowledge. Laura mentioned The Wall Street Journal just there. It recently published another story headlined "You Give Apps Sensitive Personal Information. Then They Tell Facebook." Sam Schechner is one of the reporters on the story, and I asked him what sensitive personal information we're talking about here.
SAM SCHECHNER: Well, it could be your weight, if you're having your period, your height, your blood pressure. We saw all of that kind of information being transferred from apps directly to Facebook servers in testing that we ran over the last few months.
KELLY: Yeah, you give an example of an app that allows women to track when they're getting their period and ovulation. They enter that in, and then it immediately gets fed straight over to Facebook.
SCHECHNER: Yeah. What we saw - and this was actually part of what set off the investigation. While we were doing the testing, I was entering information to the app, and I saw that it was immediately sending a notification that I had altered the dates of my period to Facebook.
KELLY: Your virtual period. I assume - (laughter) I'll make a wild leap and assume here.
SCHECHNER: Sending the dates of my virtual period. I was using the app even though I don't get one. And in addition, it would send a notification to Facebook when you entered pregnancy mode. The app would show kind of confetti on the screen. But behind the scenes, the app was informing Facebook that it was now in pregnancy status.
KELLY: Here's the sentence from your article that stopped me cold. I'm just going to read it. (Reading) The social media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it even if the user has no connection to Facebook. Really? I mean, even if I don't have a Facebook account, this is happening.
SCHECHNER: Yes, that is correct. And the reason is 'cause apps build in software from Facebook in order to do all kinds of things, including to track their users' behavior. And that software sends the data back to Facebook regardless of whether or not you're a user. In fact, the app doesn't have any way of knowing whether you're a user when it sends the data.
KELLY: And what does Facebook say they are doing with this data?
SCHECHNER: Facebook says that they offer services to the developers that send it. They offer analytic services so you can see how users are interacting with that app. And they allow the app developer to then target users of the app on Facebook properties with ads. It's worth noting, however, that Facebook's terms of service give it wide latitude to use that information for other purposes, such as targeting ads more generally, for personalizing their service, including the news feed, and for research and development.
KELLY: Does it appear based on your reporting that regulators are sitting up and paying attention?
SCHECHNER: Well, already New York Governor Andrew Cuomo has directed state agencies to look into the matter. And already since our report, at least five of the apps that we highlighted have stopped sending the information that we highlighted to Facebook. And Facebook has sent out letters to those apps and other major app developers telling them to stop sending any health-related information or other potentially sensitive information.
KELLY: Did you find yourself changing settings or deleting apps as you reported this out?
SCHECHNER: I definitely did. I advised my wife to use a different app to track her own cycle, and I certainly made sure that, you know, when I exercise, I'm using apps that didn't in my testing turn up to be sending this specific data. Of course I am a tech reporter, not a, you know, software engineer, so the likelihood is that I'm still being tracked. And in fact when I go on my phone, I see plenty of ads for exercise apps probably from the fact that I just went running.
KELLY: Wall Street Journal reporter Sam Schechner, thanks so much.
SCHECHNER: Thanks for having me.
[EDITOR'S NOTE on March 1, 2019: For the record, Facebook is among NPR’s financial supporters.]
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.