Why was Path launched without Facebook integration

Dating, sexual orientation, religion - Facebook uses data from Tinder, Grindr and Co.

With all the sensation that Facebook is getting these days due to repeated data loss or data transfer, it would be easy to forget that the social network itself is busy collecting data from third parties. Apps like Grindr or Pregnancy +, which could reveal some things about the user, pass on data to the social platform directly when they are used. These are used there for the advertising-relevant assessment of interests.

Very personal data goes to Facebook

If you date via Tinder or Grindr, keep an overview of depression on Moodpath, want to quit smoking with the help of Kwit or download Pregnancy +, your data will be passed on to Facebook in the context of using the app. Mobilicher.de reports that around 30 percent of all apps in the Play Store contact Facebook as soon as they are started. This tells the platform which apps are being used by users and when. This also applies to applications that allow conclusions to be drawn about extremely personal circumstances. Whether it is about sexual orientation, illness, pregnancy, questions of faith or dating: Facebook can use the data from the apps to create certain interest profiles.

The provision of this data is even fundamentally documented in Facebook's data policy:

Advertisers, app developers and publishers can contact us via the Facebook business tools they use, including: our social plugins (such as the "Like" button), Facebook login, our APIs and SDKs or the Facebook pixel, send information. These partners provide us with information about your activities outside of Facebook, including: Information about your device, websites you have visited, purchases you have made, the advertisements you see and how you use their services, regardless of whether you have a Facebook account or are logged into Facebook. For example, a game developer could use our API to tell us which games you play, or a company could tell us about a purchase you made in their store. We also receive information about your online and offline actions and purchases from third party data providers who are authorized to provide us with your information.

SDK against user data: developers and Facebook benefit

Developers can therefore integrate Facebook's software development kit into their apps and inform the social network accordingly of usage moments. Since Facebook's services like Facebook Analytics are free and of high quality, their popularity with app developers is also high. In exchange for using the same, the platform then receives the data from the apps. This includes the IP address of the device when using the app, the time of this use, the device type and a user-specific advertising ID. Author Miriam Ruhenstroh gives an example at Mobilprüf.de of which websites are contacted by the “Meine CDU” app when it is started and which data is sent to Facebook, for example.

The transmitted Advertising ID now enables Facebook to track and assess user interests in a very specific way. Because all Android devices that access a Google account provide such an ID. This advertising ID can be reset by the individual user. Incidentally, iOS provides a similar system. Apps can read out this ID and pass it on. Facebook, in turn, can link them to user accounts when they log into the platform with their Android device. In this way, names, email addresses, etc. can be determined using the preferences recognized from the app data.

Who is how anonymous?

The Hamburg data protection officer Dr. Johannes Caspar explained MobilSAFE to:

These data are only anonymous if they cannot be assigned to a specific person, or if this is only possible with a disproportionate amount of effort. Here, however, a specific personal reference is being made by comparing it with existing user profiles on Facebook.

How Facebook now deals with information from users who do not have an account with the social network is not entirely clear. The company's statement says:

Facebook only processes information as needed and doesn't process or retain information for non-FB users in the same manner that it does for users.

At least it does not clearly deny that these data are used for a specific purpose. Irrespective of this, MobilSAFE can now confirm through a statement from the platform that the data received will be used for advertising purposes. The apps only inform their users about the transfer of the data to a limited extent. However, users can opt out of the disclosure of data. Then the data package is still transmitted to Facebook - but with the information that the user has spoken out against its use. Facebook assures that in this case the information will not be used for targeting.

How legitimate is this data collection and its use?

From Facebook's point of view, the receipt of the data is at least somewhat transparent. It is true that users must opt-out to confirm that their information should not be used for advertising purposes on the platform. But at least this option exists and Facebook's data policy discloses the use of third-party data.

However, only the use of specific apps such as Grindr, Tinder, MuslimPro, Kwit or Pregnancy + is a personal user definition. Strictly speaking, the fact that the data for using such apps are transferred to Facebook as soon as they are started and without a click is contrary to the GDPR. The definition of personal data in Article 4, Paragraph 1 corresponds in this context, because they are:

all information that relates to an identified or identifiable natural person (hereinafter "data subject"); A natural person is regarded as identifiable who can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, psychological, economic, cultural or social identity of this natural person.

According to Article 5, Paragraph 1 of the GDPR:

processed in a lawful manner, in good faith and in a manner that is understandable for the data subject (, lawfulness, processing in good faith, transparency ‘);

which can hardly be guaranteed if the user has not even gotten a glimpse of the app. In addition, there is no mention of the privacy policy for the smoking cessation app, Kwit, Facebook. It also states that the data is only available for Kwit itself:

Personal data collected through the platforms are reserved exclusively for Kwit, who may communicate the personal data of the Persons Concerned in order to provide support, perform satisfaction surveys and carry out statistical studies.

Political groups are also interested in profiling app and social users

Finally, one may wonder how legitimate it is to share and process such sensitive data, even if it does not violate any regulation or directive. One should not be under the illusion that a company like Facebook does not save and use such valuable information as the apps present it to them. Even if you currently reject personalized advertising. Because Facebook's business model is based on data, but not primarily on its security.

This is where the crux for the users begins: this data is just as valuable for other parties and the user data specially generated on the platform are increasingly falling into the hands of other parties. The consequences are initially highly personalized ads or content suggestions. But woe to you, this data is used for other purposes. Political groups are also interested in profiling app and social users. You don't have to hear Mark Zuckerberg or Sundar Pichai testify before the US Congress.