Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

iPhone, Android apps share sensitive health, financial data with Facebook without user's knowledge

Facebook has been accused of taking advantage of its position to violate the privacy of its users, with an investigation claiming apps that deal with sensitive data, including financial and health-related information, is sharing some of that data with the social network.

Following the Cambridge Analytica fiasco and the subsequent government investigations, it would be expected Facebook would be more mindful about the information it compiles on its users. A new report suggests otherwise, accusing Facebook of acquiring information that users would not typically expect to share with the company willingly.

According to tests performed by the Wall Street Journal, Facebook's software collects data from numerous apps within seconds of it being entered by the user, without any sign of a prominent or specific disclosure by the app. In these cases, it was also found the data was transmitted to Facebook if the user didn't log into Facebook for authentication, or even if the user didn't have a Facebook account in the first place.

At least 11 popular apps across both iOS and Android ecosystems were found to report data back to Facebook, with the apps downloaded tens of millions of times in total.

On the iOS side, the app Instant Heart Rate: HR Monitor by Azumio, deemed the most popular heart-rate app in the App Store, sent the user's heart rate straight after a reading is performed. The Flo Period and Ovulation Tracker, said to have 25 million active users, advises Facebook when the user advises they wish to get pregnant, and when a user is having their period.

In another example, the Move Inc-owned Realtor.com sent Facebook the location and price of listings viewed by a user, as well as those marked as favorites.

Facebook claims some of the data sharing activities brought up in the tests seemed to violate its business terms, which asks developers to avoid sending "health, financial information or other categories of sensitive information." The apps were flagged by Facebook to stop sending information that may be deemed sensitive, with the suggestion of additional action if the apps fail to comply with the demand.

A Facebook spokesperson advised "We require app developers to be clear with their users about the information they are sharing with us."

The data shared by apps is usually brought into a Facebook tool that provides statistics about user activities. Facebook also uses the same data to serve advertising and for market research, but while its terms in theory allow for it to be used in other ways, the company insists it does not.

Apple advised to the report it requires apps to acquire "prior user consent" in order to collect data, as well as to move to prevent unauthorized access and usage by third-party firms. "When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action," a spokesperson told the report.

The investigation is the latest in a string of events where Facebook's attitude to privacy has been questioned.

In August, Facebook pulled its Onavo Protect VPN service from the iOS app store, after Apple found it was violating a number of just-implemented privacy policies, particularly surrounding data collection restrictions.

Another similar incident occurred in January, with the discovery Facebook was offering a Facebook Research app to users that installed a VPN on their iOS devices. Users were paid $20 plus referral fees, in exchange for nearly unfettered access to iOS usage patterns and activity.

In that case, it was also found Facebook was abusing Apple's Enterprise Developer Certificates, which allowed apps to be sideloaded onto devices without having to abide by App Store guidelines, and so avoiding the data collection and privacy rules. The use of the Enterprise Developer Certificates was meant for within a company, not for those outside the organization like members of the public, with Facebook's use violating Apple's terms.

Shortly after reports of the app's nature, Apple revoked Facebook's certificate, reportedly throwing the company into chaos as Facebook's employees were denied access to private versions of internal tools that also used it. Apple restored the certificate roughly 30 hours after it was pulled.

Facebook is currently in negotiations with the U.S. Federal Trade Commission over a privacy violations fine relating to the Cambridge Analytica scandal and its subsequent fallout. The talks, aimed at avoiding legal action, could result in a settlement with the FTC that extends to billions of dollars, far exceeding the current FTC settlement record holder Google's $22.5 million payment.

On Thursday, Facebook advised it will shutter Onavo Protect fully and stop recruiting new users for Facebook Research, as it attempts to move to more transparent paid research programs.