How Apps on Android Share Data with Facebook (even if you don’t have a Facebook account)
December 2018

Privacy International is a UK-registered charity (1147471) that promotes the right to privacy at an international level. It is solely responsible for the research and investigation underpinning its reports.

Executive Summary

Previous research has shown how 42.55 percent of free apps on the Google Play store could share data with Facebook, making Facebook the second most prevalent third-party tracker after Google’s parent company Alphabet.[1] In this report, Privacy International illustrates what this data sharing looks like in practice, particularly for people who do not have a Facebook account.

This question of whether Facebook gathers information about users who are not signed in or do not have an account was raised in the aftermath of the Cambridge Analytica scandal by lawmakers in hearings in the United States and in Europe.[2] Discussions, as well as previous fines by Data Protection Authorities about the tracking of non-users, however, often focus on the tracking that happens on websites.[3] Much less is known about the data that the company receives from apps. For these reasons, in this report we raise questions about transparency and use of app data that we consider timely and important.

Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called "mitmproxy", an interactive HTTPS proxy, Privacy International has analyzed the data that 34 apps on Android, each with an install base from 10 to 500 million, transmit to Facebook through the Facebook SDK.

All apps were tested between August and December 2018, with the last re-test happening between 3 and 11 of December 2018. The full documentation, including the exact date each app was tested, can be found at /appdata.

Findings

• We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
• Typically, the data that is automatically transmitted first is events data that communicates to Facebook that the Facebook SDK has been initialized by transmitting data such as "App installed" and "SDK Initialized". This data reveals the fact that a user is using a specific app, every single time that user opens an app.
• In our analysis, apps that automatically transmit data to Facebook share this data together with a unique identifier, the Google advertising ID (AAID). The primary purpose of advertising IDs, such as the Google advertising ID (or Apple’s equivalent, the IDFA) is to allow advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile. Combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion. For example, an individual who has installed the following apps that we have tested, "Qibla Connect" (a Muslim prayer app), "Period Tracker Clue" (a period tracker), "Indeed" (a job search app), "My Talking Tom" (a children’s app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent.
• Combined, event data such as "App installed", "SDK Initialized" and "Deactivate app" from different apps also offer a detailed insight into the app usage behavior of hundreds of millions of people.
• We also found that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. Again, this concerns data of people who are either logged out of Facebook or who do not have a Facebook account. A prime example is the travel search and price comparison app "KAYAK", which sends detailed information about people’s flight searches to Facebook, including: departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).
• Facebook’s Cookies Policy describes two ways in which people who do not have a Facebook account can control Facebook's use of cookies to show them ads. Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report.

Discussion

Facebook places the sole responsibility on app developers to ensure that they have the lawful right to collect, use and share people’s data before providing Facebook with any data. However, the default implementation of the Facebook SDK is designed to automatically transmit event data to Facebook. Since May 25, 2018 – the day that the EU General Data Protection Regulation (GDPR) entered into force - developers have been filing bug reports on Facebook’s developer platform, raising concerns that the Facebook SDK automatically shares data before apps are able to ask users to agree or consent. On June 28, 2018, Facebook released a voluntary feature that should allow developers to delay collecting automatically logged events until after they acquire user consent. The feature was launched 35 days after GDPR took effect and only works on the SDK version 4.34 and later.

In response to this report, Facebook has stated in an email to Privacy International on 28 December 2018: “Prior to our introduction of the “delay” option, developers had the ability to disable transmission of automatic event logging data, except for a signal that the SDK had been initialized. Following the June change to our SDK, we also removed the signal that the SDK was initialized for developers that disabled automatic event logging.” (emphasis added).

This “signal” is the data that we observe in our findings. We assume that prior to the release of this voluntary feature, many apps that use Facebook SDK in the Android ecosystem were therefore not able to prevent or delay the SDK from automatically collecting and sharing that the SDK has been initialized. Such data communicates to Facebook that a user uses a particular app, when they are using it and for how long.

Conclusion

Without any further transparency from Facebook, it is impossible to know for certain, how the data that we have described in this report is being used. This is particularly the case since Facebook has been less than transparent about the ways in which it uses data of non-Facebook users in the past. Our findings also raise a number of legal questions. As this research was conducted in the UK we have focused on the relevant EU framework, namely EU data protection (“GDPR”) and ePrivacy law (the ePrivacy Directive 2002/58/EC, as implemented by Member State laws)[4] as well as Competition Law. An underlying theme is the responsibility of the various actors involved, including Facebook.

[1] Binns, R., Lyngs, U., Van Kleek, M., Zhao, J., Libert, T. and Shadbolt, N., 2018. Third Party Tracking in the Mobile Ecosystem. arXiv preprint arXiv:1804.03603.
[2] Brandom, J. (2018) ‘Shadow profiles are the biggest flaw in Facebook’s privacy defense’, The Verge. Available at: /2018/4/11/17225482/facebook-shadow-profiles-zuckerberg-congress-data-privacy (Accessed: 1 December 2018).
[3] For instance, in 2015 Facebook was fined by the Belgian Data Protection Authority (“DPA”) for tracking the online activities of Belgian non-Facebook users through social plugins (such as the like-button), cookies and invisible pixels on third-party websites. See, without offering users sufficient warning. /content/10f558c6-3a26-11e7-821a-6027b8a20f23
[4] The European Commission published a proposal for an ePrivacy Regulation in January 2017, to update the Directive and align with GDPR. However, this legislation is still under negotiation.

Third Party Tracking

In October 2018, researchers at the University of Oxford[5] published a peer-reviewed study of 959,000 apps in the US and UK Google Play stores that revealed how data from smartphones is shared and harvested by ‘third-party trackers’, that is entities that collect data about users from first-party websites and/or apps.[6]

Most apps contain third-party trackers and many apps contain a large number of different trackers. Research by French organization Exodus Privacy and Yale University’s Privacy Lab, for instance, showed that more than three in four apps on Android contain at least one third-party “tracker” in 2017.[7]

The unprecedented scope of the Oxford research, however, uncovered the extent to which big companies like Google, Facebook, Microsoft and Twitter are the most prevalent trackers on free apps on Android. The researchers found that 90 percent of the apps analyzed could share data with Google’s parent company Alphabet, while Facebook could receive data from 42.55 percent of apps.[8]

App developers integrate the technologies of ‘third parties’ in their mobile applications source code for a number of reasons: to track crash reports, measure user engagement (analytics) or to connect their app to social networks (for instance, by allowing users to share photos on Facebook from the app), and to generate revenue by monetizing user data and displaying behaviorally targeted ads.[9]

While tools developed by third parties can be useful for developers, those tools often also allow third parties to collect (“track”) user data from the developer’s ‘first party’ mobile apps for the third party’s use.[10] In particular, third parties whose code is embedded in a large number of apps receive data about users that could be linked and combined into a detailed profile.

Mobile devices contain many different types of identifiers, such as information relating to the device, as well as applications, tools or protocols that, when used, allow the identification of the individual to whom the information may relate.[11] Even in the absence of such identifiers, researchers have found that knowledge of any four apps installed on users’ smartphones is enough to successfully track 95 percent of users.[12] Many third-parties also perform cross-device tracking[13], the practice of linking multiple devices, such as smartphones, television sets, smart TVs, and computers, to a single user. The more granular a user profile, the more intimate inferences can be derived about people’s likely attributes, identities, habits and opinions.[14]

It is in this context that the prevalence of big companies in the tracking ecosystem raises concerns. A company that receives data from a considerable percentage of all apps, would be able to gain a particularly deep insight into the everyday behavior and interests of mobile phone users.

Why third-party tracking on apps raises unique privacy challenges

Privacy International has recently asked regulators to investigate a number of data broker and advertising companies (“AdTech”) that constitute a complex back-end system that is used to direct advertising to individuals and specific target audiences.[15] At a generalized level, these companies track individuals around the web and across different apps and help dictate what advertising content they see.[16]

Despite having trackers throughout the web, many third parties are not household names. Most people have never heard of them, do not know that they process their data and profile them, whether this data is accurate, for what purposes they are using it, or with whom it is being shared or what the consequences are. Quantcast, a company that Privacy International has investigated as part of its complaints, for instance, claims that it can collect real-time insights on audiences on over 100 million mobile and web destinations[17]. A member of Privacy International’s staff has described the picture Quantcast was able to obtain about her life, from the data gathered through a single cookie placed on one of her browsers alone.[18] In our complaints we argued that this exploitation of the personal data of millions of people in the European Union and further afield constitutes an infringement of data protection law.

Third-party tracking in both mobile apps and on the web raises important human rights concerns, in particular concerning the right to privacy and data protection. Third party tracking on apps usually happens in the background, which means that many users are unaware of the fact that third parties are tracking them. What makes tracking on mobile apps uniquely challenging is that it is much easier to block or reduce tracking on both mobile and web browsers than it is in apps.

The rationale of this report: why we are focusing on third-party tracking by Facebook

The purpose of this report is to illustrate one way in which mobile apps on the Android operating system share data with large companies. For this report, we focused on Android (instead of other operating systems or devices), however, third party tracking is prevalent on other platforms as well. We were specifically interested in the kinds of data that apps share with Facebook about users that do not have a Facebook account (or that are logged-out of the platform), as well as when and how this data is being transmitted. While others have looked at the prevalence of tracking more broadly[19], we have focused on Facebook because their access to data as a third party comes in an unusual and unexpected way for consumers.

Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. For instance, any website that has integrated a Facebook like button or tracking pixel automatically sends data to Facebook.

As outlined in Facebook’s UK data policy, this information includes “information about your device, websites you visit, purchases you make, the ads you see and how you use their services – whether or not you have a Facebook account or are logged into Facebook.”[20]

App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that can be used to develop applications (Apps) for a specific operating system. Facebook's SDK for Android allows app developers to integrate their apps with Facebook’s platform and contains a number of components: Analytics, Ads, Login, Account Kit, Share, Graph API, App Events and App Links. For example, Facebook's SDK supports "Login with Facebook" based authentication, which allows users to log in using a phone number or email address with their Facebook password. Facebook's SDK also offers Analytics (data, trends, and aggregated audience insights about the people interacting with the app), as well as Ads and reading and writing to Facebook's Graph API.

This question of whether Facebook gathers information about users who are not signed in or do not have an account was raised in the aftermath of the Cambridge Analytica scandal by lawmakers in hearings in the United States and in Europe.[21] Discussions about the tracking of non-users, however, often focus on the tracking that happens on websites.[22] Much less is known about the data that the company receives from apps.

Facebook has also not always been very transparent about the ways in which it uses data it collects. For instance, in September 2018, researchers at Northeastern University and Princeton found that Facebook allows advertisers to target people based on contact information they handed over for security purposes and contact information that was collected from other people’s contact books,[23] or what the journalist Kashmir Hill calls “shadow contact information”.[24]

For these reasons, in this report we raise questions about transparency and use of app data that we consider timely and important.

[5] Binns, R., Lyngs, U., Van Kleek, M., Zhao, J., Libert, T. and Shadbolt, N., 2018. Third Party Tracking in the Mobile Ecosystem. arXiv preprint arXiv:1804.03603.
[6] Ibid.
[7]
[8] Binns, R., Lyngs, U., Van Kleek, M., Zhao, J., Libert, T. and Shadbolt, N., 2018. Third Party Tracking in the Mobile Ecosystem. arXiv preprint arXiv:1804.03603.
[9] European Union Agency for Network and Information Security. (2017). Privacy and data protection in mobile applications. Available at: (Accessed: 1 December 2018).
[10] Ibid.
[11] Information Commissioner’s Office (2018). What are identifiers and related factors? Available at: anisations/guide-to-the-general-dataprotection-regulation-gdpr/what-is-personal-data/what-are-identifiers-and-related-factors/ (Accessed: 1 December 2018).
[12] Achara, J.P., Acs, G. and Castelluccia, C., 2015, October. On the unicity of smartphone applications. In Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society (pp. 27-36). ACM.
[13] Brookman, J., Rouge, P., Alva, A. and Yeung, C., 2017. Cross-device tracking: Measurement and disclosures. Proceedings on Privacy Enhancing Technologies, 2017(2), pp. 133-148.
[14] Privacy International (2018). A Snapshot of Corporate Profiling. Available at: /feature/1721/snapshot-corporate-profiling (Accessed: 1 December 2018).
[15] Privacy International (2018). Complaints against Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, Tapad. Available at: plaints-against-acxiom-criteo-equifax-experian-oracle-quantcast-tapad (Accessed: 1 December 2018).
[16] Privacy International (2018). Submission to the Information Commissioner – Request for an Assessment Notice/Complaint of Adtech Data Brokers. Available at: /sites/default/files/201811/08.11.2018%20Final%20Complaint%20AdTech%20Criteo%2C%20Quantcast%20and%20Tapad.pdf (Accessed: 1 December 2018).
[17] /data-hub/
[18] Privacy International (2018). I asked an online company for all of my data and here's what I found. Available at: pany-all-my-data-and-heres-what-i-found (Accessed: 1 December 2018).
[19] Information Society Project Yale Law School Privacy Lab. Available at: (Accessed: 1 December 2018).
[20] Facebook UK Data Policy. Available at: /policy.php (Accessed: 1 December 2018).
[21] Brandom, J. (2018) ‘Shadow profiles are the biggest flaw in Facebook’s privacy defense’, The Verge. Available at: /2018/4/11/17225482/facebook-shadow-profiles-zuckerberg-congress-data-privacy (Accessed: 1 December 2018).
[22] For instance, in 2015 Facebook was fined by the Belgian Data Protection Authority (“DPA”) for tracking the online activities of Belgian non-Facebook users through social plugins (such as the like-button), cookies and invisible pixels on third-party websites. See. A comprehensive study, drafted at the request of the Belgian Privacy Commission, outlines the different data collection techniques, such as cookies, pixels, social plug-ins and other similar technologies used by Facebook to build up user and non-user profiles. See mission-in-facebook-investigation. The Belgian DPA’s decision was challenged by Facebook on grounds of jurisdiction, however in February 2018 the Belgian Court of First Instance once again ruled that Facebook violated privacy laws (see legal analysis below) by deploying technology such as cookies and social plug-ins to track users across the web. The court ordered Facebook to stop tracking Belgians’ web browsing habits and destroy any illegally obtained data. missionfacebook-proceeding. In 2017, Facebook was also fined by the French Data Protection Authority (CNIL) for different privacy violations, among them “unfair” tracking of users and non-users as they browse the, without offering users sufficient warning. /content/10f558c6-3a26-11e7-821a6027b8a20f23
[23] Venkatadri, G., Lucherini, E., Sapiezynski, P. and Mislove, A., 2019. Investigating sources of PII used in Facebook’s targeted advertising. Proceedings on Privacy Enhancing Technologies, 1, p. 18.
[24] Hill, K. (2018) ‘Facebook Is Giving Advertisers Access to Your Shadow Contact Information’. Gizmodo, 26 September, Available at: ess-to-your-shadow-co-1828476051 (Accessed: 1 December 2018).

Selection Criteria and Methodology

A research group at the Computer Science department of the University of Oxford, the authors of the aforementioned study on “Third Party Tracking in the Mobile Ecosystem”, provided Privacy International with a list of 1,000 apps (in terms of install base) that likely transmit data to Facebook.

These 1,000 apps constitute the most installed apps of the 42.55 percent of ~1 million Android apps that the researchers identified as likely transmitting data to Facebook. The authors identified apps that likely transmit data to Facebook (and other trackers) by identifying references to hosts in apps’ Android Package Kit (APK) - an Android file format that contains all resources needed by an app to run on a device.

As described in more detail in the paper’s data collection and methodology section:

“Upon download, each APK was unpacked and decoded using APKTool[25] to obtain the app’s assets, in particular its icon, bytecode (in the DEX format) and metadata (in XML format). Finally, permission requests were parsed from the XML and hosts were found in the bytecode using a simple regex.”[26]

In a next step, references to hosts were mapped with lists of known trackers:

“Hostnames in the tracker lists were shortened to 2-level domains using the python library tldextract4 (e.g. for ‘’, the domain name ‘example’ -level domain suffix ‘’ were kept and any subdomains were omitted). Tracker hosts were then matched to hosts identified in app bytecode with a regular expression which excluded matches that was followed by a dot or an alphabetic character (matching ‘’ to ‘/somepath’ but not ‘.domain’ or ‘ing’).”[27]

An inherent limitation of this methodology, as explained at length in the paper, is that it is impossible to know if the presence of code relating to or referencing known tracker hosts also means that these hosts are ever called. In other words: the presence of code is indicative of its use, but doesn’t actually mean it is ever called by the application. To confirm if apps actually share data, and to further understand what kind of data is shared when, we selected 34 apps for further manual analysis from the original list of 1,000 apps (see Appendix 1). We chose apps whose purpose suggests potentially sensitive data (health, faith etc.) and apps that are either well-known, or have a large install base.

[25] Taylor, V.F. and Martinovic, I., 2017, April. To update or not to update: Insights from a two-year study of android app evolution. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (pp. 45-57). ACM.
[26] Binns, R., Lyngs, U., Van Kleek, M., Zhao, J., Libert, T. and Shadbolt, N., 2018. Third Party Tracking in the Mobile Ecosystem. arXiv preprint arXiv:1804.03603.
[27] Ibid.

Analysis

Privacy International's test setup consisted of the following components:

• A computer running a Virtual Machine (using Oracle’s VirtualBox) with mitmproxy in "transparent" mode (meaning that the connection is being intercepted without the knowledge of the client), along with the necessary tools to create a network access point. The Virtual Machine is running Debian 10 (Buster/Unstable) due to the requirements of mitmproxy using python 3.6.4 or later.
• A Nexus 5 Android Phone, running Android 8.1 (Oreo) – we used LineageOS, built from the Android Open Source Project (AOSP), in order to run later versions of Android on the device.
• A device () to run the Android Development Bridge (ADB) in order to install the mitmproxy certificate into the System's Trust Store (as opposed to the User's Trust Store) due to security constraints introduced in Android 7[28], and to screen record activities undertaken in apps using the "screenrecord" functionality of ADB.

All data being transmitted between Facebook and apps is encrypted in transit using Transport Layer Security (TLS, formerly SSL). Our analysis consisted of capturing and decrypting data in transit between our own device and Facebook’s servers (so called "man-in-the-middle") using the free and open source software tool called "mitmproxy", an interactive HTTPS proxy. Mitmproxy works by decrypting and encrypting packets on the fly by masquerading as a remote secure endpoint (in this case Facebook). In order to make this work, we added mitmproxy's public key to our device as a trusted authority. The data exists on our network at time of decryption.

A new Google account was set up for the sole purpose of this research and a full phone "nandroid" backup was taken so the device could quickly be returned to a known state, particularly considering that when some apps are installed and run, they continue to run in the background potentially polluting the results.

• All session data that traversed mitmproxy ("flows") were recorded and stored, so they could be analyzed further, and shared later should the need arise.
• The screen and interactions were recorded as video using the Android's Developer Bridge (ADB); all activity that takes place on the screen of the Android device is recorded.
• The outputs of each test were then stored in Privacy International's internal knowledge management system with comments on the activity observed.

Once this was completed and appropriate settings within the phone were selected (pertaining to Wi-Fi, certificate trust, security such as PIN and screen lockout and developer tools such as showing touches) a full phone "nandroid" backup was taken so the device could quickly be returned to a known state, particularly considering that when some apps are installed and run, they continue to run in the background potentially polluting the results.
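
One way to triage recorded flows for the test device's advertising ID, as an added example that is not Privacy International's own tooling. The flow format (a list of dicts with a URL, a body and a time offset), the hosts, the field names and the ID are all constructed for illustration and are not mitmproxy's export format or Facebook's request format.

```python
"""Search recorded proxy flows for a known advertising ID (added example)."""
import hashlib
import json
from urllib.parse import quote, unquote_plus, urlsplit

# Constructed advertising ID of the test device (UUID format, not a real ID).
TEST_AAID = "1a2b3c4d-1111-4222-8333-abcdefabcdef"


def identifier_variants(identifier):
    """Return the forms in which an ID commonly travels: raw, dash-less, hashed."""
    plain = identifier.lower()
    variants = {"plain": plain, "no_dashes": plain.replace("-", "")}
    for algo in ("md5", "sha1", "sha256"):
        variants[algo] = hashlib.new(algo, plain.encode()).hexdigest()
    return variants


def decode_fully(text, max_rounds=3):
    """Undo nested URL-encoding, e.g. JSON that was encoded twice in a form field."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_identifier(flows, identifier):
    """Map each destination host to when, how often and in what form it got the ID."""
    variants = identifier_variants(identifier)
    hits = {}
    for flow in sorted(flows, key=lambda f: f["t"]):
        # Search URL and body together, decoded and case-folded.
        haystack = decode_fully(flow["url"] + "\n" + flow["body"]).lower()
        forms = {name for name, value in variants.items() if value in haystack}
        if not forms:
            continue
        host = urlsplit(flow["url"]).hostname
        entry = hits.setdefault(
            host, {"first_seen": flow["t"], "count": 0, "forms": set()})
        entry["count"] += 1
        entry["forms"] |= forms
    return {h: {**e, "forms": sorted(e["forms"])} for h, e in hits.items()}


# Constructed flows standing in for a stored capture. "t" is seconds since the
# app was opened; hosts use the reserved .example TLD; field names are invented.
_CLOSE_EVENT = json.dumps(
    {"event": "APP_CLOSED", "ad_id": TEST_AAID.replace("-", "").upper()})
SAMPLE_FLOWS = [
    {"t": 0.8, "url": "https://graph.tracker.example/v3/app/activities",
     "body": "event=SDK_INITIALIZED&ad_id=" + TEST_AAID
             + "&tz=Europe%2FLondon&lang=en_GB"},
    {"t": 1.1, "url": "https://api.firstparty.example/config?v=2", "body": ""},
    {"t": 4.0, "url": "https://sync.other.example/match?uid="
                      + identifier_variants(TEST_AAID)["sha1"], "body": ""},
    # Dash-less, upper-cased ID inside JSON that was URL-encoded twice.
    {"t": 9.5, "url": "https://graph.tracker.example/v3/app/activities",
     "body": "payload=" + quote(quote(_CLOSE_EVENT))},
]

if __name__ == "__main__":
    for host, info in find_identifier(SAMPLE_FLOWS, TEST_AAID).items():
        print(f"{host}: first at {info['first_seen']}s, "
              f"{info['count']} request(s), forms={info['forms']}")
```

The `first_seen` offset is what shows whether the identifier left the device before the user could have interacted with any consent prompt.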

After each wipe the following steps were undertaken:

• Connect to a non-intercepting Wi-Fi
• Download the Application from the Google Play Store
• Connect to mitmproxy VM (via Wi-Fi), and create a new flow
• Start Screen Recording using ADB
• Open the app, and do various activities for up to 320 seconds (if the app requires sign up to use, Google account created at the start of the process)
• Save screen recording off the phone and the flow in mitmproxy
• Reboot to recovery and restore the nandroid backup, ready to restart the process
• Reboot the device

[28] Android 7 Nougat and certificate authorities. Available at: (Accessed: 1 December 2018).

Findings

Observation 1 – at least 61 percent of all apps tested automatically transfer data to Facebook the moment a user opens the app

Of the Android apps tested, a majority automatically transmit data to Facebook. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.

Typically, the first data that is automatically transmitted is events data that communicates to Facebook that the Facebook SDK has been initialized by transmitting events data such as "App installed" and "SDK Initialized." The events data that is shared contains information about the version of the SDK used, the user’s unique Google advertising ID (AAID), as well as the app’s unique name in the Google Play Store. It also includes extraneous data such as the app version, the device name (e.g. Nexus 5), the version of Android, the screen resolution and information, such as the input Language of the device (en_GB) and the device time zone [Europe/London].

After the app has been initialized, we observed that apps share other events data such as "App closed" or "App Opened".

Our findings indicate that 23 out of 34 apps communicated the following information to Facebook about users who do not have a Facebook account (or that are logged out of the platform):

• The fact that a user is using a specific app
• Every single time that user opens and closes an app
• Information about the nature of the device the user owns, and the user’s suspected location based on language and time zone settings

Observation 2 – The data that Facebook receives is linked to the Google ad ID, a unique identifier

In our analysis, apps that automatically transmit data to Facebook share this data together with a unique identifier, the Google advertising ID (AAID). As we have mentioned above, knowledge of any four apps installed on users’ smartphones is enough to successfully track 95% of users.[29] However, since the data that is received is already linked to a unique identifier, it would be especially easy to combine data about a user’s behavior from different apps into a profile.

The Google advertising ID (AAID) is a unique, user-specific ID for advertising, provided by Google Play services, that is automatically assigned to each Android user.[30] The primary purpose of advertising IDs, such as the Google advertising ID (or Apple’s equivalent, the IDFA), is to allow advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile. In Privacy International’s complaints against the ad companies Quantcast, Criteo and Tapad, for instance, we describe how these companies collect user identifiers for the purpose of linking different browsers and mobile apps (sometimes called “ID syncing”).[31] Criteo, for instance, specifically mentions in its privacy policy that it is collecting mobile advertising IDs (such as the Google AAID) for the purpose of ID syncing.[32]

Combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion.

For example, an individual who has installed the following apps that we have tested, "Qibla Connect" (a Muslim prayer app), "Period Tracker Clue" (a period tracker), "Indeed" (a job search app), "My Talking Tom" (a children’s app), could be potentially profiled as:

• Likely female
• Likely Muslim
• Likely job seeker
• Likely parent

Since August 2014, Google requires that all services related to advertising targeting and tracking on Android use AAID in lieu of other identifiers, such as persistent device IDs.[33] Google allows users to reset (and thereby change) their Advertising ID in their phones’ Google settings[34]. However, we found that unless a user actively changes their Advertising ID, it stays persistent. For instance, we found that the Advertising ID doesn’t change when a device is reset to its factory settings if the user logs into the Android device using the same Google account.

In an e-mail to Privacy International on 29 December 2018 Google stated:

“This is inaccurate. We would expect that a factory reset of the device would have the effect of generating a new Advertising ID. We tested a couple of devices we had on hand, and confirmed that the Advertising ID was changed upon factory reset, regardless of whether the user signed in with the same Google account or not. If you are seeing other behavior, it would be useful to know the precise specifications of the device and version of Android. In general, the Advertising ID does remain the same until it is reset by the user—which the user can do at any time for any reason.”

Privacy International was unable to independently verify Google’s tests on different devices. If accurate, it could mean that the behavior we observed is specific to our testing environment. We have shared details about our testing environment with Google.

Observation 3 – Some apps routinely transmit additional data to Facebook, some of which is highly granular

We also found that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. Again, this concerns data of people who are either logged out of Facebook or who do not have a Facebook account.

A prime example is the travel search and price comparison app "KAYAK", which sends detailed information about people’s search behavior on the app to Facebook. For example, when searching for flights between London and Tokyo, the app shares the following information, including:

• Timestamp of the search
• Name of the app
• Google advertising ID
• Departure city
• Departure airport
• Departure date
• Arrival city
• Arrival airport
• Arrival date
• Number of tickets, including number of children
• Class of tickets (economy, business or first class)

A number of other apps, such as Duolingo or Instant Heartrate, share how the app is used, which menus the user has visited, and other interaction information. This is in addition to the data transmitted, as described in Observation 2.

Observation 4 – It is difficult to avoid being tracked by Facebook by apps on Android

Facebook’s Cookies Policy[35] describes two ways in which people who do not have a Facebook account can control Facebook's use of cookies to show them ads:

“You can opt out of seeing online interest-based ads from Facebook and other companies through […] the European Interactive Digital Advertising Alliance in Europe or through your mobile device settings. Please note that ad blockers and tools that restrict our cookie use may interfere with these controls.”[36]

Privacy International has tested both opt-outs and found that they had no discernible impact on the data sharing that we have described in this report.

Android device settings don’t prevent data sharing with Facebook

Devices running Android 6.0 and up afford users control over some of the data that each app is permitted to collect.[37] These settings, however, do not control the automatic transmission of the data we have described in this report.

Google also allows users to "Opt out of Ads Personalization"[38] on Android, which will apply across both Google ads services (ex: Search ads) and the 2+ million websites and apps that partner with Google to show ads. Opting out of ads personalization, however, does not necessarily mean that users opt out of third-party tracking. We have tested the setting for the Skyscanner app, the KAYAK app and Shazam and found that the apps still share the same amount of data with Facebook, regardless of whether this setting is turned on or off.

In an e-mail to Privacy International on 29 December 2018 Google stated:

“This is inaccurate. If a user disables “ads personalization” in the device Advertising ID settings, no app or ad vendor may use the advertising identifier for creating user profiles for advertising purposes or for targeting users with personalized advertising. This is true for Google apps, like Google Search, Maps and YouTube, but it is also true for all other apps installed on the device. This requirement is established via the Play Developer terms.

Separately, Google users can disable ads personalization via a control in the Google account controls. This will stop Google advertising services from creating user profiles for advertising purposes or for targeting users with personalized advertising. Opting out of ads personalization via the Google account control will automatically apply on any device where the user signs into his or her Google account.”

Privacy International believes that this statement above does not contradict our findings. Apps may not be allowed to use the advertising identifier for creating user profiles for “advertising purposes or for targeting users with personalized advertising” (emphasis added), but that does not prevent them from tracking users, that is collecting the data in the first place, or for using this data for other purposes.

The EDAA offers no tool that prevents the tracking we have described in this report

The European Interactive Digital Advertising Alliance (EDAA) is a self-regulatory initiative that offers “control solutions” through its website web browsers and as such, is unable to block tracking on apps that is done through technologies like the Facebook SDK instead of cookies.

[29] Achara, J.P., Acs, G. and Castelluccia, C., 2015, October. On the unicity of smartphone applications. In Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society (pp. 27-36). ACM.
[30] Play Console Help – Advertising ID. Available at: /googleplay/android-developer/answer/6048248?hl=en (Accessed: 1 December 2018).
[31] Privacy International (2018). Submission to the Information Commissioner – Request for an Assessment Notice/Complaint of Adtech Data Brokers. Available at: /sites/default/files/201811/08.11.2018%20Final%20Complaint%20AdTech%20Criteo%2C%20Quantcast%20and%20Tapad.pdf (Accessed: 1 December 2018).
[32] Ibid.
[33] Android Developers – Advertising ID. Available at: (Accessed: 1 December 2018).
[34] Ibid.
[35] Facebook defines cookies broadly, including “identifiers associated with your device, and other software, are used for similar purposes”.
[36] Facebook Cookie Policy (Date of Last Revision: 4 April 2018). Available at: /policy/cookies/printable, (Accessed: 1 December 2018).
[37] This includes things like location and access to contacts, but not things like a device’s battery level and, crucially, access to the device’s current ad ID.
[38] Depending on your smartphone model, this can be found in the Google Ad settings in the main Settings menu or hidden away somewhere else.

Other alternatives to prevent tracking via the Facebook SDK on Android

End-users with appropriate expertise could manually block on network level (via their router) or even on the device (using a firewall such as AFWall+ or NetGuard). Both these solutions require a level of expertise and understanding as to the implications of making such changes, and also may not fully stop data being sent to Facebook.

Observation 5 – Facebook complied with our data subject access after several follow-ups

Data protection law in the EU (the EU General Data Protection Regulation “GDPR”) provides that individuals have a number of rights in relation to their personal data, including the right to information about how their data is processed, the right to access their data, together with the rights to rectify, erase, restrict, port and object to the processing of their data.

• On October 29, 2018, a member of staff submitted an access request via the online form that Facebook provides for non-users of its platform[39], requesting access to all personal data relating to the Google advertising ID that was used in conducting this research. The rationale behind this access request was to gain further understanding about the ways in which Facebook uses the data it receives from apps and for how long it is being stored.
• Facebook auto responded on October 29, 2018, asking the user to confirm that they don’t have a Facebook account, asking whether the user has had a previous account associated with their email address, as well as a detailed explanation of the information the user is requesting.
• On October 29, 2018 the member of staff confirmed that their email address is not (and has never been) associated with a Facebook account and requested all personal data that is associated with their Google Advertising ID.
• On October 30, 2018 Facebook responded: “we couldn’t find a Facebook account associated with the email address you’re using to contact us. If you have a Facebook account associated with a different email address, please submit a new report.” (emphasis added)
• On November 29, 2018 the member of staff sent a reminder.
• On December 6, 2018, the staff member sent another reminder.
• On December 20, 2018 Facebook responded that they were “unable to locate any personal data processed about you by Facebook, other than in connection with this request.”

We will follow up on this request in 2019.

Discussion

Why do so many apps share data with Facebook the second they are initialized?
The default implementation of the Facebook SDK is designed to automatically transmit event data to Facebook. This is clearly stated in Facebook’s Analytics Quickstart Guide for Android, which states:

“When you use the Facebook SDK, some events in your app are automatically logged and collected for Facebook Analytics unless you disable automatic event logging.”[40]

[39] /help/contact/3

Facebook places the sole responsibility on app developers to ensure that they have “the lawful right to collect, use and share [people’s] data before providing [Facebook] with any data”.[41] The company’s Business Tool Terms[42] further require developers to notify individuals when they are using Facebook technology (including pixels, SDKs, and APIs) that enables Facebook to collect and process data about those individuals and obtain their prior informed consent for the developers’ use of such tools:

“If you use our pixels or SDKs, you further represent and warrant that you have provided robust and sufficiently prominent notice to users regarding the Customer Data collection […] In jurisdictions that require informed consent for storing and accessing cookies or other information on an end user's device (such as but not limited to the European Union), you must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user's device.” (emphasis added)

While Facebook acknowledges that using the SDK requires user informed consent and also demands that developers obtain this consent, developers have been filing bug reports on Facebook’s developer platform, raising concerns that the Facebook SDK automatically shares data before they are able to ask users to agree or consent to the processing.
For instance, on May 29, four days after the GDPR entered into effect in the EU, a developer posted:

“Hi all. We work activity of Facebook SDK for Unity and found that on application start it sends some requests to. It seems to be violation of GDPR: we cannot send anything about a user until he allows us to do that. Could you please fix that or strongly confirm that these requests don't violate GDPR”[43]

A Facebook employee responded that the developer “should not have to worry about this specific request.”[44]

On June 8, 2018, the same developer opened another bug report, repeating their concerns, this time about their iOS App using Unity SDK 7.12.2:

“We can't send user IDFA and other personal info until it is permitted by user, but we can't prevent it because FB SDK sends it on app start. This request needs to be moved to SDK initialization which is called after a user accepts license agreement.”[45]

[40] Facebook Analytics Quickstart Guide for Android. Available at: /docs/analytics/quickstart-list/android/ (accessed: 1 December 2018).
[41] Facebook Privacy Policy (Date of last revision: 19 April 2018). Available at: /about/privacy/update/printable (accessed: 1 December 2018).
[42] Facebook Business Tool Terms (Effective date: 25 May 2018). Available at: /legal/terms/businesstools (accessed: 1 December 2018).
[43] /support/bugs//?disable_redirect=0 (accessed: 1 December 2018).
[44] Ibid.

In response to the thread, on June 18, 2018, another developer confirmed that IDFA (Apple’s ad ID) is also being reported to Facebook prior to login on Android.[46]

A third bug report was filed on July 24, 2018, by a developer who notes:

“When integrating the Facebook login SDK into android we realized, that when initializing the SDK a request is sent to the Graph API server, which includes an App-ID and an Advertising ID. Unfortunately this isn't compliant with the GDPR Guidelines, because the users haven't yet agreed to the privacy terms when starting the app. This is also the case, when the automatic events are deactivated. At the moment we have to avoid the problem with a workaround, which however leads to crashes. From our point of view the Facebook SDK should be initialized at a later stage or the request should only be sent after the user agreed to the terms. Please help us as soon as possible, as otherwise we are not allowed or able to use the Facebook SDK to login into our Android app.”[47]

On July 25, 2018 an employee of Facebook responded to the third report that the issue has been resolved through a new SDK feature. The voluntary feature was released on June 28, 2018 and should allow developers to delay collecting automatically logged events until they acquire user consent. Developers need to upgrade to the latest Facebook SDK version, either iOS SDK v.4.34 or Android SDK v.4.34 to use this feature and the events that are included are: app install and app launches.[48]

The feature was launched 35 days after GDPR took effect. We assume that prior to the release of this voluntary feature, many apps that use Facebook SDK in the Android ecosystem were not able to delay collecting automatically logged data before they acquired user consent.
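A check for the behaviour the bug reports describe, as an added example that is not from the report or from Facebook: given requests captured with an intercepting proxy, it lists those sent to the Graph API before the consent dialog was accepted. The host name, the field names `advertiser_id`, `anon_id` and `event`, and the sample capture are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the report): the Graph API host name and the
# form-field names that carry identifiers in SDK requests.
GRAPH_HOSTS = {"graph.facebook.com"}
ID_FIELDS = ("advertiser_id", "anon_id")

# Constructed sample capture: (seconds since app launch, method, URL, body).
CAPTURE = [
    (0.4, "POST", "https://graph.facebook.com/v3.1/0000000000/activities",
     "event=MOBILE_APP_INSTALL&advertiser_id=00000000-aaaa-bbbb-cccc-000000000001"),
    (0.9, "GET", "https://api.example.test/config?lang=en", ""),
    (1.2, "GET", "https://graph.facebook.com/v3.1/0000000000"
                 "?fields=supports_implicit_sdk_logging", ""),
    (7.5, "POST", "https://graph.facebook.com/v3.1/0000000000/activities",
     "event=CUSTOM_APP_EVENTS&advertiser_id=00000000-aaaa-bbbb-cccc-000000000001"),
]


def pre_consent_requests(capture, consent_at):
    """Return Graph API requests sent before the user consented.

    consent_at is the time the consent dialog was accepted, or None if the
    user never accepted; in that case every request counts as pre-consent.
    """
    findings = []
    for ts, method, url, body in capture:
        parts = urlsplit(url)
        if parts.hostname not in GRAPH_HOSTS:
            continue
        if consent_at is not None and ts >= consent_at:
            continue
        # Identifiers may travel in the query string or in the form body.
        params = parse_qs(parts.query)
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
        findings.append({
            "ts": ts,
            "method": method,
            "path": parts.path,
            "event": params.get("event", [None])[0],
            "identifiers": sorted(f for f in ID_FIELDS if f in params),
        })
    return findings


if __name__ == "__main__":
    for finding in pre_consent_requests(CAPTURE, consent_at=5.0):
        print(finding)
```

An empty result for a capture taken up to the moment of consent is the outcome the developers in these bug reports were asking for; any finding that lists an identifier shows a transmission made before the user agreed.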
In an email to Privacy International Facebook has stated on 29 December 2018 (see Appendix):

“An app developer can get a user's consent to collect and process their data (including sending it to Facebook via the SDK). They can also choose to disable automatic event logging. Earlier this year, we also introduced a new option that allows developers to delay collection of app analytics information. […] in June of this year we introduced another option for businesses that want to use our auto-event logging feature if they choose not to use a pre-install mechanism for obtaining the prior consent contractually required. The legal and contractual obligation is on the developer (data controller) to get consent as required from their users before sharing personal data with Facebook via the SDK, and we wanted to provide another tool in the toolbox to help developers fulfill their legal and contractual obligations, while also providing a good experience for their users.

[…] Prior to our introduction of the “delay” option, developers had the ability to disable transmission of automatic event logging data, except for a signal that the SDK had been initialized. Following the June change to our SDK, we also removed the signal that the SDK was initialized for developers that disabled automatic event logging.

In June we also introduced another option for businesses that want to use our auto-event logging feature in compliance with our Business Tools Terms. Today, an app developer can either choose to use a pre-installed mechanism for obtaining an end-user's prior informed consent (as they could in the past), or use the SDK delay feature.” (emphasis added).

[45] /support/bugs/8/?disable_redirect=0 (accessed: 1 December 2018).
[46] Ibid.
[47] /support/bugs/4/?disable_redirect=0 (accessed: 1 December 2018).
[48] Facebook Ads News – New Privacy Compliance and Protections for GDPR. Available at: plianceprotections-gdpr/ (accessed: 1 December 2018).

This “signal” is the data that we observe in our findings. We assume that prior to the release of this voluntary feature, many apps that use Facebook SDK in the Android ecosystem were therefore not able to prevent or delay the SDK from automatically collecting
