Ever get targeted by a Facebook ad so highly specific you wonder if there’s now an algorithm that reads your thoughts? Yeah, one of your apps probably snitched on you.
According to a study conducted by The Wall Street Journal, many popular apps, including a period tracking app called Flo, is sending highly personal data directly to Facebook the moment users enter it, regardless of whether or not that person has a Facebook account.
This is because of something in Facebook’s software development kit called “App Events,” which allows developers to search user data for trends and create “custom app events,” such as when users are or aren’t having their periods, in order to personalize and target Facebook ads. So if a user missed a period, they might get targeted for ads featuring baby supplies. The fact that the two most popular app stores, Apple and Google, don’t force apps to inform users of partners that also get access to data makes this the perfect shit storm for a creepy invasion of privacy. But Facebook says they didn’t mean it like that:
Facebook said some of the data sharing uncovered by the Journal’s testing appeared to violate its business terms, which instruct app developers not to send it “health, financial information or other categories of sensitive information.” Facebook said it is telling apps flagged by the Journal to stop sending information its users might regard as sensitive. The company said it may take additional action if the apps don’t comply.
“We require app developers to be clear with their users about the information they are sharing with us,” a Facebook spokeswoman said.
All told, the Journal tested 70 popular apps and found that “at least 11 apps sent Facebook potentially sensitive information about how users behaved or actual data they entered.” Other apps that sent user data directly to Facebook included health, real-estate, and meditation apps.
In the U.S., the Federal Trade Commission has begun to look into instances of companies sharing data in ways that aren’t readily apparent to users, and in May 2018, the EU passed the General Data Protection Regulation law for greater transparency around data issues. The Journal’s findings may be in violation of that law.