Popular health and fitness apps scrambled to stop sending sensitive personal information to
after The Wall Street Journal reported Friday many were transmitting detailed information about topics including their users’ weight and menstrual cycles.
Since Friday, at least four of the apps that the Journal had identified and contacted as part of its reporting issued updates to cut off transmission of sensitive data to Facebook, a new round of testing showed Sunday. The apps that made the change include Flo Health Inc.’s Flo Period & Ovulation Tracker and Azumio Inc.’s Instant Heart Rate: HR Monitor, the tests showed.
Another popular food- and exercise-logging app, Lose It!, from FitNow Inc., also stopped sending Facebook information, Sunday’s test showed. In a test on Thursday, the app had been sending Facebook the weight users logged, along with how much they had gained or lost and the caloric content of every food item they logged.
The changes came as Facebook itself contacted some large advertisers and developers in response to the Journal’s reporting, telling them it prohibits partners from sending Facebook any sensitive information about users. The company said it is working on new systems to detect and block uploads of such information by apps, according to a person whose company was contacted by Facebook. In at least one message, Facebook directed a major developer to ensure that it had a legal justification for all the user information it sends Facebook in its app via the software-development kit, or SDK, the social network provides for apps, the person said.
“We work with the app developers using our SDK to ensure they adhere to our terms. In cases where we see violations, we work with the app developers to get into compliance and take action as needed,” a Facebook spokeswoman said.
A spokeswoman for Flo Health confirmed Sunday that it had deleted Facebook’s software from its app and requested that Facebook delete all the user data it had previously sent. Azumio and FitNow didn’t respond to requests for comment on Sunday.
The Journal’s testing showed that at least 11 popular apps were using software that Facebook provides to app developers to send the social network intimate information. The Facebook analytics service the apps used allowed their developers to see the sensitive data in an aggregated form—and target their users with ads on Facebook based on that information. Facebook has said that it doesn’t otherwise use that type of app data, although the company’s business terms of service give it latitude to do so. The sensitive information was shared with Facebook regardless of whether the app user was a member of the social network, the testing showed.
New York Gov. Andrew Cuomo on Friday ordered state agencies to investigate apps’ transmission of personal information to Facebook described in the Journal report and urged regulators in Washington to look into the matter as well. In Washington, D.C., Sen. Ed Markey, a Democrat from Massachusetts, called the behavior “a new low in privacy malpractice.”
In the U.K., Damian Collins, chairman of the House of Commons Digital, Media, Culture and Sport Committee, which last week called for more regulation of social media, said on Twitter that the Journal’s reporting “shows how totally out of control the system is.”
The sharing of such intimate data with Facebook provoked a discussion about who is responsible for data shared via SDKs that are built into nearly all mobile applications. Facebook’s is one of the most popular SDKs, but the average app on
iOS includes 19, according to app-analytics firm Apptopia.
Those kits help developers integrate certain features or functions, such as analytics tools like Facebook’s, that allow apps to better understand their users’ behavior or to collect data to sell targeted advertising. SDKs at times send detailed information on what users do inside apps to third parties—some of whom are bound by strict contracts never to use the information, and others which aren’t.
A Facebook spokeswoman said that such data sharing is “industry-standard practice.”
Some in the tech industry said that Facebook wasn’t responsible for the data sharing, even if it built the SDK, because developers decided what data they share with the company using the tool, and it would be impossible for the company to effectively police what it is sent. Others said Facebook should assume responsibility for a system it helped build.
“Every part of this data chain will say, ‘oh look at some other part is doing this or that.’ They’re all correct,” Zeynep Tufekci, an associate professor at the University of North Carolina, Chapel Hill, said on Twitter. “The whole surveillance-industrial complex is corrupt and its mechanisms aren’t clear to ordinary people.”
—Suzanne Vranica contributed to this article.
Write to Sam Schechner at firstname.lastname@example.org