The Facebook logo on a blue background.

  • A new collection of apps have been exposed as sending sensitive user data to Facebook.
  • This data transfer occurs regardless of whether or not the user has an active Facebook profile.
  • Three major apps caught in this scandal are Yelp, Duolingo, and Indeed.


Towards the end of February, an exposé from The Wall Street Journal illuminated how several high-profile iOS apps were sharing sensitive data of their users with Facebook. Even if these users didn’t have Facebook profiles, Facebook was still getting the information.

Now, some new research conducted by Privacy International (via The Verge) shows that other Android and iOS apps are engaged in this practice as well, two of which are household names: consumer reviews site Yelp and language-learning software Duolingo.

Editor's Pick

Privacy International also found that popular job search app Indeed engages in this practice, along with two Muslim prayer apps and a bible app.

As with the previous exposé, Privacy International shows that simply pulling yourself off Facebook doesn’t necessarily mean Facebook isn’t getting data related to your habits.

This quote from the Privacy International article perfectly sums up the gravity of the situation:

This is hugely problematic, not just for privacy, but also for competition. The data that apps send to Facebook typically includes information such as the fact that a specific app, such as a Muslim prayer app, was opened or closed. This sounds fairly basic, but it really isn’t. Since the data is sent with a unique identifier, a user’s Google advertising ID, it would be easy to link this data into a profile and paint a fine-grained picture of someone’s interests, identities and daily routines.

To Facebook’s credit, many of these examples of apps sharing user data aren’t Facebook’s fault, at least not directly. In some cases, the app developers send data to Facebook because Facebook’s tools to examine that data can be better than other systems. The fact that Facebook can now access this data is merely a side-effect of this process.

Facebook argues that the onus is on app developers — not Facebook — to make sure any sensitive data is collected properly and used legally, even if that data is now available for Facebook’s use.

Regardless, it doesn’t make the practice less worrisome from a privacy standpoint, as it should generally be an individual’s choice as to which companies have access to sensitive data about that person. It appears that that simply isn’t the case with many different apps.

NEXT: Long-awaited Facebook ‘clear history’ tool coming sometime in 2019