Report on Facebook and Android

The following report was published last week at the chaos computer congress in Leipzig, Germany and makes its way in the general press.

The video from the congress is also worth looking at, also for the questions asked at the end:

The short summary is that Facebook gets private data from a vast number of apps installed on Android phones, even if you do not have a Facebook account and do not have the Facebook app. They do that the moment you open the app, even before you acutally use it.
App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. The apps that automatically transmit data to Facebook share this data together with a unique identifier, the Google advertising ID, so that, when combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines.
Facebook’s Cookies Policy describes two ways in which people who do not have a Facebook account can control Facebook’s use of cookies to show them ads. The authors of the study tested both opt-outs and found that they had no discernible impact on the data sharing that is described in the report.


That sounds like a class action.




The video brushes on the legal aspects. They seem to believe that the ones who would suffer from a legal action would not be Facebook, but the app developpers. But it is not even sure that the action is likely to be won, as a blanquet permission for tranferring the data can be put in the terms of service for using the app. In Europe, however, the practice may be against the gdpr.
But I am not a lawyer, so I don’t really know.


The video also makes it clear that there are several other SDKs, which are also used in apps. It is not only Facebook.

Generally speaking, app developpers are inticed to include advertising SDKs in their apps. It is quite simple and brings them money or statistics about app usage without further effort. It is the same for web sites: they are inticed to use trackers and cookies from advertisers, because it brings them revenue and statistics.

On top of this, android phones generally send all the info they can back to google, because google manages the android operating system for that very purpose. You actually need to accept these terms to be able to start using an android phone, it is in the first pages of settings.

Yes, any app that wants to be able to interact with a social media site is probably going to have to include an SDK for it.

It’s not just advertising, but everything else inside the Faceverse. It might just be sloppiness by the app writers initializing the SDK right away, or not.

1 Like

From the video, it seems that there is some sloppiness by Facebook as well as what data the SDK transmits at initialization is poorly documented…

Slightly off topic, but related.

That “problem” happens with all applications which can be activated from the lock screen.

I found the SDK docs here:

Under point 7, there is a mention of delaying the SDK initialisation and sending of advertiser ID until consent is obtained: “In some cases, you may wish to delay the collection of advertiser_id , such as to obtain user consent or fulfill legal obligations, instead of disabling it.”

Yet, from the complete documentation, it seems that only identified users are of any interest to an app developer. Identifying users across apps or even users known from a web site is what the whole game is about.

Then I found that the most used SDK is google firebase: The tracking functions and uses are more comprehensive that the ones from Facebook.

1 Like

There is an interesting article in the Guardian about surveillance capitalism here:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.