hello Karl,  reply below without signature, as it is embedded HTML:


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, October 5, 2021 12:57 PM, Karl <gmkarl@gmail.com> wrote:

there was a report recently that a huge number of apps are somehow uploading data to facebook's servers without facebook being installed

it looked legitimate to me but I do not have a link and could have been in an altered state of mind.  would be interested in trying to dig it up if anyone values the potential factoid more than as an unverified viewpoint.


see:
https://hackernoon.com/how-facebook-tracks-you-on-android-even-if-you-dont-have-a-facebook-account-pv2u3zt4

How Facebook tracks you on Android (even if you don't have a Facebook account)

Suppose you’ve picked up an Android phone on the street and you saw the 4 apps above. Can you guess the profile of the phone user?


Your guess is likely to be that the user is a ‘she’, her religion is Muslim, perhaps looking for a job recently, and she’s either a mother or someone who is into virtual cats.


Yes, in essence, that’s how Facebook profiles you if you own these apps in your Android phone. Now, let’s talk about the ‘how’.


Cut to the chase

  1. Facebook is able to track you because Android developers of 3rd party apps (example: Indeed Job Search) implement Facebook’s Software Development Kit (SDK).
  2. SDK is a collection of tools that eases the creation of software. By using Facebook SDK, developers can do advanced analytics without the need to code it from scratch. SDK is like a Swiss Army Knife. With it, you can start your job immediately instead of having to build your own scissors, knife, corkscrew etc.
  3. This article is written based on the research conducted by Frederike Kaltheuner and Christopher Weatherhead. You can watch the full video here. The official study can be found here.

Purpose of this article

I wrote this article with the end in mind to educate the general public on how these tech companies collect our data and how we can protect our digital privacy. My job is to “de-jargonise” the research, not to be 100% technically accurate (although I will do my best to be). 


Just a head’s up, I am not an expert in the data privacy domain; I just consider myself more of an intermediate developer. So if you have detected any technical inaccuracies, please point it out and I will send you a 💌.


Outline

  1. Anatomy of the Google Play Store
  2. How the tech works (without going too much on the tech)
  3. What’s our defense?

Anatomy of the Google Play Store

According to Privacy International, research done by the University of Oxford has suggested that approximately 42.55% of the free apps in the Google Play Store could share data with Facebook. 


image

Out of the 42.55%, this study picked 34 apps, based on the fact that they have either a huge number of installations, or they involve sensitive information such as religion and health, or they are simply utility apps (You know, torchlight, QR code scanner, fart sound etc).


image

Here’s a zoomed-in version. Found any app that’s installed on your phone right now?


Out of the 34 apps, over 61% of them automatically transfer data to Facebook the moment a user opens the app


“…the moment a user opens the app”. That means, there is no chance for the app to ask permission from the user to grant/deny the sharing of personal data.

How the tech works (without going too much on the tech)

App #1: Kayak


Take Kayak for example. If you are unsure what’s Kayak, it’s a travel metasearch engine. It allows you to search for flights, hotels, and cars if you are going on holiday.


Action 1: You tap on the application icon.


What happens: The application is initialized and the following data is sent to Facebook immediately.


image

The highlighted word “anon_id” stands for anonymous id. Basically, you are identified as XZdfd5f00f-9271–4e82-a8ce-6cea1d38b6d3. Facebook does not know your actual name, and that doesn’t matter. There’s a term for that; it’s called shadow profiling.


It’s comical to know that Kayak confidently declares this message “Don’t worry, we’ll never share anything without your permission” at its login screen even though it shares data the moment you open the app. In Kayak’s defense, the SDK is built by Facebook, so Kayak should not shoulder the entire blame here. To be fair, Kayak no longer shares data instantaneously with Facebook as of this writing.


image


Action 2: You search for a flight with 1 economy passenger from London (Gatwick) to Tokyo on the 2nd December, returning on the 5th
What happens: The search is initialized and the app sends the following to Facebook.

image

In a span of a minute or two, Facebook took notice of this random person who wants to travel from London to Tokyo in December and he’s traveling alone. This data is harvested from a single person with a single device at a single search. 


Imagine you close the Kayak app and switch to (say) “Amazon”. Facebook knows that you have these 2 apps and it will probably start to put you into categories like “preparing for holiday” or “affinity for winter clothes”.


The bottom line is that Facebook harvests billions of data points every single day, even from users who made a conscious effort to stay away from Facebook. That’s how creepy it is.


What’s our defense?

Stay in a cave. 


I’m joking. 


Well, half-joking. 


The best defense is, of course, getting yourself off the internet. That means, no Facebook, no Google search, no YouTube, don’t hang out with friends who love to take selfies, and buy airline tickets at the booth. But we all know that that’s kind of impractical at this day and age. But there are certain ways to limit the reach of these tech companies into your personal life. 


Here are 5 suggestions.


1. Reset your advertising identifier (Very simple)


Every device has an advertising identifier (aka ad id). You can’t stop Facebook or Google from tracking you but you can make their tracking difficult by frequently resetting your ad id. If you reset it, in theory, Facebook and Google algorithms will view you as a different person in your next online activity. 


Android Phone: Go to settings > Google > Ads > Reset advertising identifier


iPhone: Go to settings > Privacy > Advertising > Reset advertising identifier


2. Limit ad personalization (Very simple)


In theory, this should limit the amount of data collected by the companies. However, this study showed that we can end up sharing more data to companies if we limit ad personalization. But I will not go into the details of that.


Android: Go to Settings > Google > Ads > Opt Out of Personalized Advertising


iPhone: Go to settings > Privacy > Advertising > turn on ‘Limit Ad Tracking’


3. Review permissions (Very annoying)


Did you notice that apps these days have been asking for permissions before you carry out a simple task like importing a photo or opening a map? Yeah, it’s irritating but it’s crucial. This allows you to have greater control of your privacy. Not perfect, but at least it helps to a certain extent.


4. Use Brave browser to surf & use DuckDuckGo to search (Simple)


Brave (as opposed to Google Chrome) is a web browser which focuses a lot more on data privacy. 


DuckDuckGo (as opposed to Google Search) is a search engine which distinguishes itself from other search engines by not profiling its users.


5. Educate yourself / your parents / your children on how the Internet works (Not so simple)


Education is the most powerful weapon. There are tons of articles and YouTube videos explaining how computers and network works; go read them up. However, if the content is too complex, especially for the older generations and the newcomers (aka your children), you can check out Potato Pirates -Enter The Spudnet. It’s a board game that’s developed to teach cybersecurity and internet piracy without computers.


Closing Remarks

After the Facebook-Cambridge Analytica data scandal, people are starting to take notice of the importance of digital privacy and the government has been implementing measures after measures to curb the big companies from being overly intrusive in terms of data collection. One prominent move is the implementation of the General Data Protection Regulation (commonly known as GDPR) in the EU. It basically sets a compliance framework that companies need to comply with. While it’s heartening to know that the government has made progress to protect us, we need to do our part as well.


I hope this article is useful to you. Do drop me a response if you would like to discuss this topic further.