Facebook has been at the centre of so many privacy controversies over the years that nobody should have any reason to believe that what they do on the social media network, or through any of its apps, is in any way private. What’s more surprising, however, is that despite Apple’s efforts at protecting user privacy, many apps that have no visible connection to Facebook have also been discovered to be sharing users’ activity and personal information with the social media giant.
An investigation by The Wall Street Journal has revealed that a number of popular iOS apps are reporting everything from real estate listings that a user is looking at to health and fitness data such as workout schedules, body weight, blood pressure, menstrual cycles, and pregnancy status.
In its report, the Journal identified 11 apps collectively downloaded tens of millions of times that have been sharing sensitive data entered by users into those apps with Facebook without the users’ knowledge, and often even without the user having any actual connection to Facebook. “Intensely personal information” is often shared with Facebook “just seconds after users enter it” and not only are the apps not asking users for permission to share this information, but they don’t even provide any obvious disclosure that this is happening.
While it’s been known for years that Facebook tracks users’ visits to many sites and even their usage of certain apps on their mobile devices, the Journal’s investigation reveals a level of data collection that is considerably deeper and more insidious. Testing showed that personal data was being sent to Facebook even if the user wasn’t otherwise logged onto Facebook on their device, and for that matter even for users who aren’t members of Facebook at all.
Specific apps identified by the Journal include Instant Heart Rate: HR Monitor, by Azumio, which sent users’ heart rates to Facebook immediately after they were recorded. Flo Period & Ovulation Tracker regularly supplied Facebook with information on when a user was having her period or indicated that they were trying to conceive. The real-estate app Realtor.com also shared locations and prices of listings that a user views along with identifying any listings a user marks as favorites within the app.
None of the apps reviewed by the Journal provided any obvious disclosure that this information was being sent to Facebook, nor any way to allow users to opt out of this data sharing.
To be clear, despite Facebook’s culpability in creating its own invasive research app, in this case it’s the developers of the individual apps that are to blame for sharing this data with Facebook. The apps in question incorporate an analytics tracking component designed to allow developers to collect statistics on how users are engaging with their apps — and perhaps more importantly to target their users with Facebook ads.
In fact, this isn’t the first time we’ve seen tools designed to provide developers with insight into user behaviour getting misused. Earlier this month, another investigative report uncovered a collection of popular apps that were secretly recording users’ screen activity. In that case, the tool was primarily designed to allow developers to analyze user interactions and thereby improve the user experience, but in many cases personal data like credit card numbers was being hoovered up as part of the recordings.
In the case of Facebook’s analytics tool, the goal seems to be to profile users for market research and ad targeting. However, Facebook not only disavows this kind of personal data collection, but notes that it’s already against the terms of its agreement with developers, which prohibit them from sending “health, financial information or other categories of sensitive information.” A Facebook spokesperson told the Journal that it has asked the developers of the apps identified by the Journal to “stop sending information its user might regard as sensitive” and has promised to “take additional action” if the apps don’t comply. “We require app developers to be clear with their users about the information they are sharing with us,” a Facebook spokeswoman told the Journal, also noting that Facebook itself does not use any of this data for other purposes, despite the company’s terms providing it with the ability to do so.
While most of the apps claim that the data they are sending is “depersonalized,” the Journal noted that the information is still often flagged with a unique advertising identifier that could still be used to match it to a specific device or user profile. In their end user disclosures, many apps either deny that they send any personal information out to third-party vendors, or just obliquely mention the fact that data “may be shared with third parties” without specifically mentioning Facebook.
On Apple’s part, the company’s App Store Review Guidelines make it clear that apps are required to “secure user consent” for the collection of data and provide an “easily accessible and understandable way to withdraw consent.” Developers are also required to clearly describe how any collected data is used, by the developer itself or by any third parties, and must only collect and share data that is “required to accomplish the relevant task” in the app.
In the Journal’s investigation, it didn’t find any finance apps that were sending sensitive information to Facebook, but it did identify at least six of the top 15 health and fitness apps in the U.S. App Store that “sent potentially sensitive information immediately after it was collected.”