
Facebook collects a wide range of private data from developers - mudil
https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636
======
nkrisc
> Move, the owner of real-estate app Realtor.com—which sent information to
> Facebook about properties that users liked, according to the Journal’s
> tests—said “we strictly adhere to all local, state and federal
> requirements,” and that its privacy policy “clearly states how user
> information is collected and shared.” The policy says the app collects a
> variety of information, including content in which users are interested, and
> may share it with third parties. It doesn’t mention Facebook.

Then local, state, and federal requirements are lacking. "Privacy" is taking a
new meaning in today's world than what it would have been understood to mean
previously. Yes, I think the scope of the concept of privacy needs to expand
to match the expanding capabilities of all actors to violate it. We could have
more privacy by living like Ted Kaczynski but that's not conducive to
participating in today's society.

~~~
dgzl
> "Privacy" is taking a new meaning in today's world than what it would have
> been understood to mean previously.

Try to imagine the most personal and private thing about a person, what would
it be? Their medical and biological information, of course! In the future
we'll be able to look at 3d renders of our body systems, see real-time health
statistics, and be able to discover our ailments near instantaneously.

Now, who else should have this data? In my opinion, only the doctor.
Definitely not the government, and definitely not my neighbors. Possibly some
businesses for product development. Possibly medical researchers, for
educational advancement.

~~~
pjc50
> not the government

Point of information: "the government" should not be regarded as a monolithic
entity unless it actually behaves as such. As a Brit, my medical records are
held by the nationalised health service, but this doesn't mean that random
cabinet ministers or police can go leafing through them on a whim.

For me, they're held with [https://nhsnss.org/how-nss-
works/](https://nhsnss.org/how-nss-works/) ; quite a lot of England actually
has them held by a private company, Serco.

(edit: should probably add another distinction between "illegal" and "doesn't
happen at all")

~~~
dgzl
Not even the ones with friends at GHCQ et al?

I value your idea about language, and sometimes I use 'government' in general
terms. In your example however, I believe given the opportunity, scumbag
ministers and police would indeed look into people's medical records, and
would indeed abuse this information.

As an American, I'm constantly upset with our government's abuses, especially
by our police and their access to otherwise private info.

~~~
pjc50
Not that it's not happening, but the ICO seems to be consistently ruling that
it's illegal: [https://www.digitalhealth.net/2017/08/ico-warns-nhs-staff-
th...](https://www.digitalhealth.net/2017/08/ico-warns-nhs-staff-that-
unlawfully-accessing-patient-records-is-an-offence/) ;
[https://www.telegraph.co.uk/technology/2017/07/03/googles-
de...](https://www.telegraph.co.uk/technology/2017/07/03/googles-deepmind-nhs-
misused-patient-data-trial-watchdog-says/)

More on confidentiality: [https://www.gponline.com/confidentiality-when-gps-
disclose-i...](https://www.gponline.com/confidentiality-when-gps-disclose-
information-police/article/1430705)

------
minimaxir
Per the author on Twitter
([https://twitter.com/samschech/status/1098981978462961670](https://twitter.com/samschech/status/1098981978462961670)):

> A few seconds after the app finished measuring my pulse, I saw it pop up in
> the network traffic headed to Facebook: \"heartrate\":56,\"

What Facebook endpoint lets the app developer accept arbitrary customer data?
What does Facebook do with that data? Do they tie it to the user?

~~~
tv8kpkq4hcx7
It's an analytics feature like those offered by Google and a dozen other
analytics SDKs:

[https://developers.facebook.com/docs/app-
events/](https://developers.facebook.com/docs/app-events/)

[https://developers.google.com/analytics/devguides/collection...](https://developers.google.com/analytics/devguides/collection/android/v4/events)

~~~
ar0
Which, in my opinion, means that the blame should really go the app developers
of these apps.

Who are those people that think it is a good idea to send your medical details
(the article also mentions "Flo Period & Ovulation Tracker", which apparently
sends whether you may be ovulating to Facebook) to a third-party, let alone
Facebook?

(Actually, at least for Android apps there is a answer to who these people
are... and there are quite a lot of them: [https://reports.exodus-
privacy.eu.org/en/trackers/66/](https://reports.exodus-
privacy.eu.org/en/trackers/66/))

~~~
cmroanirgo
If this list is really a list of companies sending personal data to FB, then
this is rather appalling!

It's increasingly obvious that iOS and Android need to restrict network
connectivity of apps because it's being seriously abused.

Unfortunately this problem is escalating because too few people give a damn
about their own privacy, drowning out the voices who do care, deeply, about
this issue.

A proper user configurable firewall is the obvious answer, but perhaps also
adding limits that an app can only phone home to the domain that the app was
signed with.

I feel that both Apple and Google are deliberately perpetuating this problem
for financial gain, and should be held accountable as well.

Edit: grammar

------
angrydev
This headline has been modified from the original, and is a
mischaracterization of what's happening here. Facebook isn't collecting this
data, rather the authors of many popular apps are sending these statistics to
Facebook's analytics tool to better target with ads. The article explains
Facebook doesn't want these companies sending users' personal data to them
without their knowledge.

They are not completely absolved of blame because they should be monitoring
for personal data (somehow), but the app developers should be to blame more
using this data without users' knowledge.

Now if Facebook were to use this data for their own purposes, we'd have
(another) real scandal on our hands.

~~~
pdkl95
> Facebook doesn't want these companies sending users' personal data to them
> without their knowledge

Facebook's _claim_ about not wanting the data is contradicted by _actions_.
They chose to make their SDK send[1] analytics signals _on library init_
before the user could have even been presented with a request for consent.
They chose to have their analytics SDK send[2] everything to Facebook _by
default_ , requiring developers to go out of their way to disable the spyware
(including somehow discovering that this step is needed).

> Now if Facebook were to use this data for their own purposes,

What would Bayesian analysis say about that question given a history with
multiple events where FB _et al_ were using the all of data they received
however they want? Facebook lost the benefit of the doubt a _long_ time ago,
and it will take a _lot_ of work to rebuild their reputation.

[1]
[https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...](https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_android)

[2] Ibid.

~~~
edmundsauto
A Bayesian analysis would have to include all the decisions where FB was a
good steward of user data. The events reported in the news are a very small
fraction of the possible times that FB _could_ have done wrong.

Not that I'm defending FB, but your attempt to lend credence to your statement
with a smart sounding approach was undercut by selecting a superficial and
biased prior.

------
product50
For people reading this article and immediately passing judgements on
Facebook, do remember that other networks/SDKs including Google, Applovin,
Appsflyer - all capture the same information from the app which WSJ is
reporting here. Of course, it makes the narrative softer if you blame all tech
companies vs. their favorite whipping candidate (which is Facebook) these
days.

Here is a question to consider. If Facebook doesn't do this and all other
companies do and use that data for optimization and measurement purposes,
won't FB unilaterally lose out? The solution is either no one does it or
everyone does it. There is no in between.

~~~
Zelphyr
You're probably right but this is indicative of our increasing distrust of
Facebook. They lie all the time about what they're doing with our data. So can
we as developers trust them any more than the average user given their
demonstrable willingness to abuse that trust? I personally think not.

~~~
product50
It is the same with Google who is collecting and using the exact same data
from 3rd party apps as Facebook and is equally opaque on how they use that
data. Why do you have different principles when it comes to privacy to judge
FB and Goog?

~~~
PavlovsCat
> Why do you have different principles when it comes to privacy to judge FB
> and Goog?

Why do you assume anyone has? Even if some do, why should the ones that don't
have to answer to your assumptions?

When a thief gets caught, and they say "why don't you care about the other
thieves?", nobody honors that with an answer.

~~~
product50
Not the same analogy

~~~
PavlovsCat
I'm not equating collecting data with theft, I might as well have used mass
murder or a parking violation. That someone criticizes FB doesn't mean they
don't _also_ criticize similar things, or the whole category, that's really
all I'm saying.

Hey, you could even use something positive as example, e.g. that someone says
something nice about X doesn't justify the assumption that they wouldn't also
appreciate similar qualities in or achievements by Y. Criticism or praise, the
principle is the same.

------
jzylstra
This is the sort of user information that I am much more interested in
defending from overreach (developer misuse, knowingly or unknowingly) vs.
activity which actually goes on as a user accesses any fb-owned domain (or
within fb's apps)

Of course, there is the stock reply about half way through the article from
app Move's owner, Realtor.com:

>“we strictly adhere to all local, state and federal requirements,” and that
its privacy policy “clearly states how user information is collected and
shared.” The policy says the app collects a variety of information, including
content in which users are interested, and may share it with third parties. It
doesn’t mention Facebook.

Fortunately, there has been recognition and action taken against the
collection/usage of this sort of third-party information, albeit in
Germany.[0]

>There is currently no way to stop the company from collecting the information
in the first place, or using it for other purposes, such as detecting fake
accounts. Germany’s top antitrust enforcer earlier this month ordered Facebook
to stop using that data at all without permission, a ruling Facebook is
appealing.

[0] [https://www.wsj.com/articles/germany-orders-facebook-to-
stop...](https://www.wsj.com/articles/germany-orders-facebook-to-stop-combing-
users-data-without-consent-11549532461?mod=article_inline)

------
nigma
Apple is creating a false sense of privacy with their privacy-focused
marketing. I appreciate their efforts building secure products but without a
way to block or filter 3rd party app network data they leave their users
vulnerable.

Also many ad-blockers that could filter app traffic were nuked from the App
Store. I wish there was a way to firewall network traffic in the same way it
is possible on other systems.

~~~
amelius
Shouldn't Apple simply block the Facebook app from the App Store then? And
similarly for all apps that pass data to Facebook?

~~~
m463
well that would be a lot of them.

For example, the kindle app contacts graph.facebook.com.

I really really wish apple would allow a true firewall

------
kolbe
[https://outline.com/ZUGZzz](https://outline.com/ZUGZzz)

------
Despegar
This is an important story (along with the NYT one a while back about location
data) because it will help move the ball forward on a privacy law in the US.
The ad-tech industry is putting all their lobbying muscle in making sure that
nothing as strong as GDPR gets passed.

It also makes it more likely that Apple will crack down on third party SDKs,
something I've been posting about a lot here.

[https://news.ycombinator.com/item?id=19220520](https://news.ycombinator.com/item?id=19220520)

------
dylan604
I've often considered myself a bit of a paranoid freak with my resistance to
running apps on my mobile devices. However, this really makes the point of
mobile devices questionable for me if I don't really do anything with them
because of the fear of not knowing what they really do. While that's all a bit
hyperbolic, I'm kind of glad I just don't trust anything. I have a few apps
that I use, but I can't really vouch that they are not doing things I don't
know about. If it were not for maps, decent web browsing, and a small number
of other slightly more useful than just convenient apps, I'd be willing to go
back to a feature phone. One I can take the battery out of if I felt the need.

------
denart2203
Facebook has always made it almost impossible to delete anything.If you don't
delete your activity on facebook every day,you have a buttload of
stuff,including all comments.You can go to activity log and you have hundreds
of comments,you can delete them one by one.That can take months because they
make it hard to do even that.Who cares what you commented on three years ago ?
Much of the activity log can not be deleted at all. My activity log gets
deleted every day so I don't have years of crap on there.People have been
complaining about this for years,but facebook doesn't care.They just want
everything they can get about you to make money off you.

------
craneabove
The whole business model is based on mining users’ data. These stories
unfortunately are not a surprise anymore.

------
imgabe
> Millions of smartphone users confess their most intimate secrets to apps,
> including when they want to work on their belly fat or the price of the
> house they checked out last weekend.

The price of a publicly listed property for sale is my most intimate secret?
Even if I were to buy it, the sale price would be a matter of public record
that anyone could look up.

