Privacy International, a Britain-based organisation that promotes and defends the right to privacy worldwide, released a study which claims that Facebook collected data on users who don’t even own Facebook accounts.
 
It conducted the study in the wake of Facebook’s scandal in March last year, where the data of some 87 million of its users were obtained without their knowledge by London-based data firm Cambridge Analytica and was reportedly used to deliver pro-Donald Trump material to Facebook users during the 2016 US elections.

The study titled How Apps On Android Share Data With Facebook (Even If You Don’t Have A Facebook Account) states that: “Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of tools that help developers build apps for a specific operating system.”

For instance, any website that has integrated a Facebook “Like” button or “tracking pixel” automatically sends data to Facebook.

Out of the 34 apps on the Android mobile operating system analysed by Privacy International between August and December 2018, 23 apps were found to send data to Facebook the moment a user launched them. These apps each have an install base from 10 to 500 million, and they include educational tool Duolingo, flight search engine Skyscanner, travel site Kayak and job database Indeed.

The analysis adds that the apps reportedly transmit data to Facebook with a unique identifier – Google advertising ID. It states: “The primary purpose of advertising IDs, such as the Google advertising ID (or Apple’s equivalent, the IDFA) is to allow advertisers to link data about user behaviour from different apps and web browsing into a comprehensive profile.”

The data when combined, can depict a detailed picture of people’s activities, interests, behaviours and routines, the report adds. Privacy International claims that Facebook directly places the responsibility on app developers to ensure that they notify the users before providing the platform with any data.

However, the default implementation of the Facebook SDK is designed to automatically transmit data to Facebook, before the user is even notified – which is against the General Data Protection Regulation (GDPR) that was mplemented in May last year in Europe.

The report adds that programers have been filing bug reports on developer platforms to notify that the  Facebook SDK automatically shares data “before apps are able to ask users to agree or consent”.

Last month, Facebook responded to Privacy International’s report via email, stating that it had introduced the “delay” option where developers “had the ability to disable transmission of automatic event logging data”.

Privacy International also added that Facebook said that sharing data is “common practice for many companies” as it helps developers understand how to improve their apps as well as let people receive relevant advertising in a “privacy-protective way”.

Facebook added: “We do this in a transparent manner by explaining the practice through our Data Policy and Cookies Policy, and by using Google’s advertising identifier, which can be controlled centrally by people using their device settings.”

The report concludes that without any further transparency from Facebook, one cannot know how and where the collected data is used. “This is particularity the case since Facebook has been less than transparent about the ways in which it uses data of non-Facebook users in the past,” according to the report.