
How Apps on Android Share Data with Facebook (2018) - allwynpfr
https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report
======
ankit219
This is not just facebook. This is what all the DMPs[1] in advertising do, and
charge millions of dollars for it. There is BlueKai from Oracle, one from
Adobe, and various others. The core proposition is to collect as much data
about the user to understand the interests (profiling) and then target that
user or users like him to get a better conversion rate.

Why facebook emerged as a big player in this field was because the other
companies were really expensive for consumer apps and hence they were used
only by the biggest players. Facebook made it cheap, automated the process and
allowed for targeting without even telling the advertisers what audience needs
to be targeted. All at the cost startups and smbs could afford. Google also
does the same. In fact all the big advertising networks do it, or utilize a DMP
to do it on their behalf.

I realize that this discussion is about privacy, and in that regard, it should
not be allowed by any company. However, this is just the tip of the iceberg.
Almost all the big players in travel have huge customer profiles on us, gained
by our credit card transactions, credit history, data from insurance and other
friendly companies (you scratch my back and I scratch yours) and various other
practices which frequently compromise on users' privacy. I don't know how one
can solve this though.

[1]
[http://www.bluekai.com/files/DMP_Demystified_Whitepaper_Blue...](http://www.bluekai.com/files/DMP_Demystified_Whitepaper_BlueKai.pdf)

[2] [https://www.adobe.com/analytics/audience-manager.html](https://www.adobe.com/analytics/audience-manager.html)

~~~
username223
From BlueKai/Oracle:

> Behaviorally-targeted advertising is 2.7 times as effective as non-targeted
> advertising.

Really? That's it? We're paying for a multi-billion-dollar surveillance
apparatus to make ads 2.7 times as effective as the part of the website you
automatically ignore, or the part of the newspaper you immediately throw in
the trash?

~~~
derefr
Those are kind of sucky examples of advertising, really.

Better ones (in the sense of advertisers thinking they work better and being
willing to pay more for them; not in terms of them being “better” ethically)
would include YouTube pre-roll ads, product placement in movies and TV, and
billboards on boring stretches of road (as observed by the passengers in a
car, not the driver.)

~~~
Asooka
> YouTube pre-roll ads

God those are so awful. I wasn't running adblock on youtube, but that shit
made me install one. I could be listening to a nice playlist and suddenly some
ad at 200% volume blares in my ear "YOU NEED TO BUY THIS TOOTHPASTE" or
whatever. I wouldn't mind being forced to watch ads before being allowed to
watch other videos, but let me bank watch time. Tell me how much time I have
left before the next ad and let me watch enough ads that I don't see any in
the next e.g. 3 hours. Or okay let's say the ads I get depend on the videos I
watch, then put the ads on my tab and let me watch them later. Whatever
arrangement works, just let me control when the ads happen, because right now
it's maximum obnoxious.

~~~
derefr
> just let me control when the ads happen

That is exactly what would make YouTube ads useless, from the advertisers'
perspective.

The key to "impressionability", from advertisers' PoV, is attention. You need
to actually be looking at the ad. You don't have to _think_ you're looking at
the ad—you might think you're just looking at the "seconds until you can skip"
timer—but you're looking (and listening) all the same, at least peripherally,
and advertisers think that that's time they have power over you, in at least
some subliminal sense.

But if you let users bunch up twenty ads in a row? They're going to queue them
up and then go get a drink. The audience won't be looking; won't be listening.
The ability to control ads inherently means the ability to ignore ads. Ignored
ads aren't impressions.

The only valuable ad is an ad that sits on your attention stack on top of
something that _was_ getting your full attention, such that you have to (still
with full attention) pop the ad from the stack to return your attention to the
previous stack frame. Whether that's an ad in a newspaper between two columns
where you have to pass "through" the ad content to find the next article; or
an ad on YouTube where you have to wait; or a Google Sponsored link you have
to read "past" to find the regular links; or a modal ad on a website that only
appears five seconds after (the heuristic on the site says) you've started
reading the content. The goal is to put the ad where your active attention is,
such that the ad "impresses" upon your attention, however fleetingly. Anything
else is a failed ad.

And yes, it's obnoxious. But that's... what advertising is. Those are the only
ads that are really doing their job. The ads that don't end up on top of your
attention stack? Subtract those from your perception of the field—they're just
cargo-cult attempts to advertise that persist because it's really hard to
measure the success of ad campaigns. What's left when you subtract those nice,
unobtrusive ads, is what advertising as a field is really "about." It's what
advertising would be, exclusively, if they got better at measuring things. And
it's awful.

~~~
keepmesmall
Actually, it would be somewhat consensual if it were a setting with a time
lock after the first change (e.g. you explicitly commit to the settings you
choose for a set time). And there's zero issue with limiting ad distribution,
you don't have to allow for queuing 20 ads in a row, just like your human
cattle isn't obliged to keep the volume on and their eyes peeled.

It's just that ads are irrelevant, disruptive, and non-consensual at the same
time. The whole "ad impressions as subliminal messages" idea is a normalized
form of non-consensual (senti-)mental assault or penetration, depending on
whether it results in a headache or a purchase.

------
HenryBemis
NoRoot Firewall: I got a global Block rule for 31.13._._

The exact same thing applies for all iOS devices. Web banking, airlines,
almost every game. There are very few exceptions of the most common apps, e.g.
Dropbox, Skype, stock apps. Facebook is cancer. It gets into the body and
never leaves. Unless you firewall or hosts block their IPs.

~~~
elorant
Just a friendly reminder, because I see this line of reasoning too often in
here. We're not the average Joe. Just because we can circumvent those
techniques doesn't mean that everyone can, or for that matter they even bother
to. Most people can't even understand the repercussions of profiling.

~~~
HenryBemis
I very well understand that, and unfortunately:

1) not many people see the evil of Facebook's immoral actions

2) not many people (even in here) are aware that they can firewall their
Android devices.

------
throw2016
Isn't this the nightmare scenario the GPL was created to fight against, a
device that is not acting in the user's interest but against it, with tons of
private APIs [1], complete lack of transparency, deceptive language and
hoovering up user data to send to others. And the kicker is this is happening
on the supposedly 'open' Android platform. Take that Stallman.

It's really disappointing to see how the software ecosystem has degenerated
into these shady mercenaries with zero compass. The only thing that can temper
this crazy greed-fueled appetite for surveillance is regulations and
prosecutions because what some of these articles describe is venal and corrupt,
to restore some sense of propriety and civilization values.

[1] [https://techcrunch.com/2019/03/25/android-users-security-and...](https://techcrunch.com/2019/03/25/android-users-security-and-privacy-at-risk-from-shadowy-ecosystem-of-pre-installed-software-study-warns/)

~~~
random878
Android and the apps (in this sense) are not 'open source' and, regardless,
'open source' is not the same thing as 'Free'. Richard Stallman is known for
his hatred of the term 'open source' (as it generally causes a
misunderstanding such as yours).

------
ignoramous
I have come across my fair share of blog posts on how horrendous this is getting
in the current age of _big data_ and _app economy_. This behaviour is
warranted by how VCs, PEs, and potential acquirers value a company... by the
number of users an app tracks. Boils down to a battle for eye-balls all the way
down because ads are a guaranteed revenue stream that scales in proportion to
number-of-users * user-engagement, I guess.

I think everyone agrees there's a market for a simple-to-use solution.

Folks at [https://GuardianApp.com](https://GuardianApp.com) are doing just
that for iOS. For Android, apps like NoRootFirewall, NetGuard, Glasswire exist
and other solutions like XPrivacyLua require root, or flashing
LineageOS/ChromeheadOS and/or de-googling the phone voids the warranty. Most
of the 2 Billion Android user-base wouldn't go anywhere near these.

A stop-gap then might be to provide a zero-touch / friction-free Firewall/VPN
app that's "free" and one that's anti-surveillance _and_ anti-censorship, but
is also transparent, in that it enables the end-user to inspect the traffic
flowing in and out of their devices.

The challenge is no one wants to pay the internet provider _and_ a random VPN
app for a censorship-free / surveillance-free internet but they might gladly
pay the internet provider extra premium if they offered the same experience. I
know my dad wants this, but he wouldn't pay two entities for the same service.

Maybe what [https://puri.sm](https://puri.sm) is doing is the eventual end-
game, but I think they're trying too hard. Maybe it's time for an Android
phone-manufacturer to launch a privacy focused phone. OnePlus reached its
heights by placing itself as a Nexus/Pixel killer offering a vanilla Android
experience... so maybe there's a market for a privacy focused phone too, or maybe
[https://e.foundation](https://e.foundation) might pull this miracle off
and become mainstream enough to matter.

Eventually, though, governments have to step in and bring forth regulations
that prevent relentless surveillance of the end-user, similar to how wire-
tapping phone-calls is illegal.

~~~
SomeHacker44
I want the features these things offer without the requirement to use a VPN.
That gives too much trust to the VPN operator. All of this can operate on
device at the OS/IP stack layer. I use Little Snitch on the Mac and it works
great.

~~~
ignoramous
> All of this can operate on device at the OS/IP stack layer.

I think, on Android, with root you could do a lot more and not have to use
VPNs at all.

> That gives too much trust to the VPN operator.

Local VPN apps like NetGuard are open-source, btw. And server VPNs like
ProtonVPN have no-logs policy. I'm curious, what other guarantees are you
looking for?

~~~
SomeHacker44
Guarantees? None. I don't want all my traffic routed through some random VPN
company's servers. Small companies are probably also judgement-proof, as even
if they really harmed you, what could you gain by suing them? Why would I want
to use a VPN to enforce access controls my OS can do just as well?

~~~
ignoramous
I don't think little-snitch can tackle anti-censorship or can really prevent
ISPs from snooping on you? VPNs like Orbot might be required then.

------
ndnxhs
The only way to crack down on this is to prevent apps sending any data at all
and to minimise the use of proprietary software. As soon as your personal data
leaves your phone and hits someone else's server they will sell it.

It's a bit of a hard problem which we tried to solve using a permissions system
but it's a hassle because it's hard to tell if a permission is being used
legitimately and the average user just hits accept on anything because they
don't know how to verify if something seems right.

The GDPR was a step in the right direction where it allows you to say no to
tracking and still use the service as normal.

~~~
Drakim
I think it's not good enough to merely prevent it from happening with
sandboxing or permissions, that's a very technically-oriented way of solving
the problem (and obviously what most of us here on HN would go to first).

But merely preventing it on a technical level creates this race where
companies and startups are always finding new ways to violate our privacy,
while we stumble after trying to patch the latest evil, hoping that it's even
possible to patch this time. Stop ajax calls to third party domains? What if
they start piping it through the first party server? etc.

There fundamentally need to be laws and principles in place that set clear
lines as to what's okay and not, it shouldn't come down to "whatever is
technically possible". You may NOT take my personal data, my contact list, my
browsing habits, and sell them to a third party, even if it's hidden somewhere
deep in your T&S. No human actually wants you to do that, if you offered
somebody on the street five bucks for their phone contact list they wouldn't
say yes. It's only possible because you are doing these evil things hidden
from view.

~~~
lucio
There are a lot of humans that are OK with that. The average person does not
value privacy that much. There are a lot of people willing to trade data/usage
patterns for a free app. On the proposition "Pay $5/month or pay $0 but let me
track you" a lot of people will choose the 2nd.

~~~
chii
They may choose the 2nd option, but it's unknown if they would continue if
told what the ramifications are. People chose Brexit without knowing its
ramifications, because they did not fully understand their choice. I suspect
those who opt for tracking are also making this mistake.

~~~
matz1
I doubt it, as a tech savvy user I know the ramifications but I'm still going
for the 2nd option. Why? Because the ramifications are largely inconsequential
or not harmful enough for me to care.

~~~
skummetmaelk
And this is the problem. You know the ramifications for you as an individual
are fairly small, but this is a problem of scale. Billions of people handing
over their data allows the creation of much more sophisticated and insidious
models. The costs of your decisions are externalized to society as a whole and
will affect you one day. You just don't see that.

It is the classic tragedy of the commons. Everyone doing whatever is best for
themselves leads to the absolute worst outcome for everyone (including
yourself) in the end. E.g. you running 50 kWh of AC per day is pretty
inconsequential. 2 billion people doing the same is not.

~~~
matz1
So then what is the effect on me?

------
kleiba
"You have zero privacy anyway. Get over it."

Scott McNealy, former chairman of Sun Microsystems.

~~~
skummetmaelk
Ah yes. We should just accept body builders mugging us whenever we step
outside because the reality is they are stronger than us.

~~~
dingaling
The reason strong bad men don't rob us constantly is because other strong men
are legally permitted to do violence unto them. I don't think that's a model
that works for the Internet.

Instead I think we should take Mr McNealy's words as prescient. Even if you
protect your privacy, people you know are still willing to tag you in photos
or upload their contact lists.

Instead of pretending that we can remain private online perhaps we should be
thinking about how to compartmentalise our online identities so that the whole
'us' can't be revealed by an inadvertent mouse click.

TLDR: Scott was right, so let's work out what to do next.

------
allwynpfr
The important point here to note is that it shares this data even if you don't
use / don't have a facebook account.

------
mrzool
I'd be very interested to know how this compares to apps on iOS. Can someone
shed some light?

~~~
izacus
Most of these frameworks are built for iOS first and Android second (you can
quickly glance at their marketing material to find proof). There are also no
restrictions (policy or system-wise) that prevent these SDKs from uploading
data about your profile as well.

It's unfortunate that Android is singled out here - it'll lure iOS users into
false sense of privacy.

~~~
tinus_hn
It is more difficult for apps to know your identity in other apps on iOS.
Although Apple has bungled it quite a few times these frameworks are supposed
to use an identifier that you can reset and change to be per-developer. Also
if the framework goes over the line, which might be defined as ‘bad publicity
happens’, Apple might come down hard and simply ban the whole thing (no app
that includes the framework gets approved).

~~~
izacus
As a developer I didn't really see much of a difference - most of the profile
matching I've seen these SDKs do is via social logins and not via device
identifiers. The OSes currently are very close in what you can get to identify
the user.

------
product50
This is so misleading. Almost all SDKs do this and this also happens on iOS
too. If you have an SDK on iOS, there is nothing the OS can do to stop
tracking of the users.

Also, the author literally says that Google tracks even more apps vs. FB but
still chooses to use FB in their headline. Sigh.

------
ape4
I like the idea of your device giving out fake advertising id's out.

~~~
ignoramous
There's more than ad-ids to fingerprinting a user [0]. For instance, MAC
addresses (wifi, Bluetooth), IMEI, GPU based fingerprinting techniques,
scanning for apps installed, WiFi networks connected to, location, and so on.
You need to fake a lot of things to be scot-free from this madness. It's
astonishing, really [1].

[0] [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

[1]
[https://copperhead.co/android/docs/usage_guide](https://copperhead.co/android/docs/usage_guide)

------
karmakaze
Has anyone found the list of tested apps and their results? I've followed many
of the links but find more articles/versions.

~~~
pretty_dumm_guy
Maybe this is what you are looking for? I looked into certain apps (Shazam,
Duolingo, etc.) and it's quite interesting.

[https://privacyinternational.org/appdata](https://privacyinternational.org/appdata)

~~~
karmakaze
Yes thanks. I looked at this page but perhaps it didn't render fully on the
platform I first saw it on.

------
OrgNet
Does Facebook share data back with the app? For example, your name, etc...

------
amelius
Question: it's been almost a year now since GDPR has come into effect. Has
there been evidence that people from the EU have been able to completely
withdraw themselves from the user-tracking universe?

~~~
kmlx
Yes. Websites across the world have been banning whole EU countries like
there's no tomorrow. But on the plus side we now know how it feels for the
Chinese and their firewall. Only ours is called GDPR. To put this in context:
there are more websites accessible from Hong Kong than from the EU.

~~~
r3bl
> there are more websites accessible from Hong Kong than from the EU.

After a quick search, I couldn't find a source that claims that any website is
blocked in Hong Kong, and several that claim that no website is blocked.

The Internet connection is monitored, there's pressure and self-censorship,
but there's no blocked access to websites. It's easy to be bigger than zero.

_EDIT:_ The biggest collection of the websites I could find lists 1129 that
are still blocking access to EU citizens, and 252 that stopped (presumably,
once they've become GDPR compliant):
[https://data.verifiedjoseph.com/dataset/websites-not-availab...](https://data.verifiedjoseph.com/dataset/websites-not-available-eu-gdpr)

~~~
Renaud
> The Internet connection is monitored[...]

While I agree that there is pressure from pro-Chinese Government henchmen to
intimidate free press in HK, I am curious as to where you get this assertion
that the internet is monitored. That would imply some kind of government
surveillance. I have never heard of any systematic internet monitoring in HK
of the kind done in other countries, like mainland China.

------
mshahi8210
What's the sole purpose behind this?

~~~
badwolf
Same as any other ads or analytics SDK (Google, branch.io, etc...)

Getting data to target ads. Apps gladly integrate them, because they can get
better analytics on how the app functions and is used, but also for marketing
attribution (comes back to ads.)

I find the outrage at Facebook for this to be a bit obnoxious. Are we equally
as outraged at every app that has Google Analytics implemented? It's sending
your data to Google, even if you don't have an account!

~~~
ignoramous
I'm not sure about you, but yes, I'm def outraged by analytics gathered
without the user's consent, sometimes complete with fingerprinting, as well.

I tolerate WebRTC blocker, Canvas Blocker, DecentralEyes, FPI, PrivacyBadger,
HttpsEverywhere, uMatrix, and NoScript on Firefox and painfully deal with all
the broken websites, despite the costs. It is worth it ten times over.

------
devoply
Is there any solution to ban facebook from your android phone like you can
from a browser like firefox through a facebook container? I would imagine
something like a firewall that keeps your phone from being able to connect to
URLs or IPs owned by Facebook.

~~~
franky47
I use Exodus Privacy [1] to learn more about what SDKs and permissions are
used by the app before even installing it, and as a last line of defense,
NetGuard [2] which is an open-source VPN-based firewall that lets you block
requests to some servers on a per-app basis (some features are paid).

[1] [https://reports.exodus-privacy.eu.org/en/](https://reports.exodus-privacy.eu.org/en/)

[2] [https://www.netguard.me/](https://www.netguard.me/)
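An added example of the per-app block-list idea described above (this is not code from the thread, from NetGuard or from Exodus Privacy): a small Python triage script that reads a per-app connection log of the kind a local VPN-based firewall surfaces (package name, destination host, bytes sent), matches each destination against a block list of tracker/analytics domains, and reports per-app totals. The log lines, the block-list entries and the `package host bytes` record format are all constructed for the demonstration and are assumptions, not measured data or any tool's real output.

```python
"""Per-app egress triage over a constructed connection log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed block list for the demo: host suffix -> label. Real lists are
# much longer; these entries are illustrative, not a vetted tracker database.
TRACKER_DOMAINS = {
    "graph.facebook.com": "Facebook SDK",
    "app-measurement.com": "Firebase/Google Analytics",
    "api.branch.io": "Branch attribution",
}


@dataclass(frozen=True)
class Connection:
    package: str   # Android package name of the app that opened the socket
    host: str      # destination host name
    tx_bytes: int  # bytes sent by the app to that host


def matches_blocklist(host: str) -> Optional[str]:
    """Return the block-list label for host or any of its parent domains.

    'cdn.graph.facebook.com' matches via the parent 'graph.facebook.com';
    'www.facebook.com' does not, because only the listed suffixes count.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in TRACKER_DOMAINS:
            return TRACKER_DOMAINS[candidate]
    return None


def parse_log(lines: Iterable[str]) -> List[Connection]:
    """Parse 'package host tx_bytes' records; skip blanks, comments, junk."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # malformed record: ignore rather than crash the triage
        out.append(Connection(parts[0], parts[1], int(parts[2])))
    return out


def triage(connections: Iterable[Connection]) -> Dict[str, Dict[str, int]]:
    """Group flagged traffic per app: {package: {label: total_tx_bytes}}.

    Apps that only talk to unlisted hosts do not appear in the result.
    """
    report: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for c in connections:
        label = matches_blocklist(c.host)
        if label:
            report[c.package][label] += c.tx_bytes
    return {pkg: dict(hits) for pkg, hits in report.items()}


# Constructed sample log (assumed format: package destination tx_bytes).
SAMPLE_LOG = """\
# constructed sample, not real traffic
com.example.weather graph.facebook.com 2310
com.example.weather api.openweathermap.org 812
com.example.flashlight app-measurement.com 940
com.example.flashlight cdn.example-ads.net 15000
com.example.notes sync.example-notes.com 42000
com.example.weather www.facebook.com 1200
this line is not a valid record
"""


def run_demo() -> Dict[str, Dict[str, int]]:
    """Triage the constructed sample log and return the per-app report."""
    return triage(parse_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for pkg, hits in run_demo().items():
        for label, nbytes in hits.items():
            print(f"{pkg}: {nbytes} bytes sent to {label}")
```

Suffix matching is deliberate: a block list keyed on `graph.facebook.com` should also catch any subdomain beneath it, while a host that merely shares a parent (here `www.facebook.com`) is left to a separate, explicit entry so the list owner decides what is blocked. The same shape of check is what a per-app firewall applies before deciding whether to let a connection through.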

~~~
djaychela
Well, using exodus privacy to look up some apps that I use has just opened up
a portal to hell for me! I had no idea about the depth of the tracking that
was happening - I foolishly thought it was only browsing issues I needed to
worry about until reading this thread and then looking on there.

Thanks for opening my eyes to this!

