At least a half-dozen popular smartphone apps have been sharing sensitive health information with Facebook—even if the user isn't connected to Facebook, and often without disclosing their data-sharing practices, according to a Wall Street Journal investigation.
Since the investigation was published on Friday, several of the apps have reduced or eliminated their data sharing.
These apps have been sending your health information to Facebook
For the investigation, the Journal tested more than 70 of the most popular smartphone apps in Apple's iOS App Store from categories that may require users to input sensitive information, such as health and financial data. The Journal used software to monitor the apps' communications with Facebook and other third parties.
The investigation revealed that at least six of the top 15 health and fitness apps sent potentially sensitive information to Facebook.
Among those apps was Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple's iOS. The Journal found the app sent a user's heart rate to Facebook immediately after it was recorded.
Initially, in a written statement, Flo said told the Journal it sends only "depersonalized" data to Facebook, but the Journal's testing found that the data included a "unique advertising identifier" that could be matched to a user's device or profile.
The Journal limited its testing to apps in the iOS App Store, rather than in Android's equivalent store, because the software it used in its testing could not monitor communications from Android apps. However Esther Onfroy, co-founder of Defensive Lab Agency, a cybersecurity firm, conducted separate tests that determined the Android version of at least one app tested by the Journal—BetterMe: Weight Loss Workouts—similarly sent users' weights and heights to Facebook.
The Journal also employed Disconnect Inc., a software company that creates online privacy tools, to retest some of the apps. Disconnect confirmed the Journal's findings.
Patrick Jackson, Disconnect's chief technology officer, said, "This is a big mess. This is completely independent of the functionality of the app."
Why are apps sending data to Facebook in the first place?
It may seem unusual that Facebook is receiving private data from these apps in the first place, as the apps generally don't post the information to Facebook. But the app developers appear to be taking advantage of a Facebook analytics tool that allows them to track their users' activities—and target them with Facebook ads, the Journal reports.
Typically, apps integrate code called software-development kits (SDKs) that allows developers to integrate certain functions, the Journal reports. There are a variety of SDKs that allow apps to collect data on their users for personalized advertising or to understand their users' behavior, something a Facebook spokesperson said is an "industry-standard practice."
However, Facebook's SDK includes an analytics tool called "App Events," which allows developers to see trends among their users, the Journal reports. The app can tell Facebook's SDK to record a specific action taken by a user as a "custom app event" that Facebook will capture, which is how a user's private data is sent to Facebook.
Facebook then uses that data to personalize ads and conduct market research. In a statement, Facebook said some of the data sharing uncovered by the Journal violated its business terms and that it is telling apps flagged by the Journal to stop sending sensitive user information. "We require app developers to be clear with their users about the information they are sharing with us," a spokesperson for Facebook said
Apps change their practices
After the Journal began the investigation, a number of apps stopped sending sensitive data to Facebook, including Flo and Breethe Inc, manufacturers of a meditation app of the same name.
Other apps that have since stopped sending sensitive data to Facebook following the Journal's report include:
- Glucose Buddy;
- Instant Heart Rate: HR Monitor; and
- Lose It!
A sign of a 'broader problem'
Generally, the collection of health data by non-health entities is legal in most states, as long as there is sufficient disclosure to users.
Nonetheless, Zeynep Tufekci, an associate professor at the University of North Carolina, Chapel Hill, said what Facebook is doing is indicative of a broader problem in the United States. "The whole surveillance-industrial complex is corrupt and its mechanisms aren't clear to ordinary people," Tufekci said.
Following the Journal's report, New York Gov. Andrew Cuomo (D) ordered state agencies to investigate the apps mentioned in the report and asked that federal regulators also look into the matter (Schechner/Secada, Wall Street Journal, 2/22; Schechner, Wall Street Journal, 2/24 ; Schechner, Wall Street Journal, 2/24 ).
Learn more about patient-generated health data
Learn trends related to patient-generated health data (PGHD), get an outlined vision for connected care, read about different use cases, and get the first steps for how to approach PGHD initiatives in your organization.