DFS investigation finds Facebook did little to prevent apps from sharing sensitive user data

Legislative Gazette photos by Allison Vasquez

Gov. Andrew Cuomo received a report from the Department of Financial Services earlier this month that details the transfer of sensitive user data by third-party application and website designers to Facebook.

The report stems from an article published by the Wall Street Journal in Feb. 2019, which found that third-party app developers who downloaded Facebook’s Software Development Kit (SDK) sent their users’ data to the social media giant. The personal data shared includes health diagnoses, blood pressure readings and fertility data.

The SDK is part of the company’s free online data analytics services, and this data sharing violates Facebook’s policy and terms of service.

“Large Internet companies have a duty to protect the privacy of their consumers – period,” Cuomo said in a press release. “A lack of universal standards and online regulation has led to unsolicited and predatory data collection and sharing which has compromised the privacy of countless New Yorkers and we’re taking steps to hold these bad actors accountable and to create the strongest privacy protections in the nation.”

The state Department of Financial Services report follows a report published in Oct. 2020 that details how Twitter lacked cybersecurity protections, which allowed the accounts of cryptocurrency firms and well-known public figures, like Barack Obama and Jeff Bezos, to be hacked. The hackers proceeded to tweet to users, urging them to send Bitcoin payments in the belief that they would be paid back double the amount they sent. The scam resulted in more than $118,000 worth of Bitcoin stolen from consumers.

One of the tools offered in Facebook’s SDK, called “App Events,” allows developers to integrate Facebook with their app or website by transmitting data to be analyzed automatically. The app will then send information, such as IP addresses and time of use, to Facebook to build a user’s marketing profile for targeted advertisements.

The app will also send information to Facebook about certain actions taken by the user, called “events,” such as which things they click on and which pages they view.

Information will also be sent to Facebook about “custom events,” or things searched for by a user. This helps app developers understand how people use their service and can be used for marketing and advertising purposes that will create profit both on and off the app.

In response to the DFS investigation, Facebook implemented a screening system that identifies and blocks sensitive information before it enters Facebook’s system. Facebook also expanded app developer education to better inform developers of their obligations to avoid sending sensitive data, and took steps to allow users more control over data that is collected about them. 

In its report, DFS recommends ways to better protect consumer privacy, stating that Facebook can begin to track whether app developers are violating its policies and take action against developers who do.

The report continues by urging Facebook to “meaningfully” ensure that developers are aware of its prohibition on sharing data and recommends doing more to prevent developers from transmitting data to begin with. This can be done by taking additional steps to police its rules and imposing consequences on those who violate them.

Federal regulatory oversight may also be necessary as current laws have not kept up with the technological advancements of the big tech industry.

The report went on to voice support for Gov. Cuomo’s proposal to enact NYDATA, a data privacy law that would enhance privacy protections for New Yorkers. The law would require any entity to disclose why user data is being collected and would limit the amount being collected.

“New Yorkers appreciate the value and convenience that technology has afforded their lives, but progress does not need to come at the expense of basic privacy,” said Cuomo in his Jan. 2021 State of the State Address. “In a world where we are reliant on technology to work, learn, and even see our family, New Yorkers deserve transparency and accountability from the companies who collect and use their information. New York will act to pass a strong privacy law that safeguards New Yorkers’ personal information and continues to encourage innovation.”

“Consumer protection is at the center of everything we do at DFS, and data privacy is increasingly important to consumers. Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule,” said Superintendent of Financial Services Linda Lacewell, about the DFS report.

“By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place. Consumers deserve better.”