Mobile apps built with Facebook's SDK secretly shovel mountains of personal information into the Zuckermouth
If you need to build an app quickly and easily, you might decide to use Facebook's SDK, which has lots of bells and whistles, including easy integration of Facebook ads in your app's UI.
The quid pro quo is that your app will send all your users' sensitive data to Facebook, and Facebook stores that data forever and uses it in every conceivable way.
That means that menstruation-tracking apps like Flo Period and Ovulation, real estate apps like Realtor, and fitness trackers like Instant Heart Rate send incredibly sensitive personal data to Facebook, with unique identifiers that allows Facebook to track individuals across different apps, even when those individuals don't have Facebook accounts.
Notably, none of these apps' privacy disclosures mention Facebook. When called by the Wall Street Journal, the companies behind the apps had a variety of responses, from denial to lying to shock and horror. Facebook -- predictably -- blamed the app vendors for not understanding that the apps they built would spy on their users on Facebook's behalf. Apple and Google -- who distribute these apps -- threw up their hands and blamed everyone except themselves (of course).
A Facebook spokesperson told CNBC, "Sharing information across apps on your iPhone or Android device is how mobile advertising works and is industry standard practice. The issue is how apps use information for online advertising. We require app developers to be clear with their users about the information they are sharing with us, and we prohibit app developers from sending us sensitive data. We also take steps to detect and remove data that should not be shared with us."
A spokesperson for Flo, the period-tracking app, said in a statement it has already started an audit on data privacy that "will cover an exhaustive spectrum of all external analytical tools, not limited to Facebook Analytics." The spokesperson emphasized, "Facebook Analytics' insights are utilized for internal analytics purposes only," but said until the audit is finished, it has limited its use of external analytics programs and released iOS and Android updates that won't send custom app events to any external analytics systems, including Facebook Analytics.
The other two app developers did not immediately return CNBC's requests for comment.
Facebook reportedly gets deeply personal info, such as ovulation times and heart rate, from some apps [Lauren Feiner/CNBC]