These apps are stealing your most private data and it should be a crime

Some of the most popular apps in some of the most popular categories are stealing your most personal, private data and handing it over to Facebook, Google, and other "analytics" companies.

That's according to Sam Schechner and Mark Secada, writing for the Wall Street Journal:

Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users' body weight, blood pressure, menstrual cycles or pregnancy status.

Unbeknown to most people, in many cases that data is being shared with someone else: Facebook. The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal. The apps often send the data without any prominent or specific disclosure, the testing showed.

Which apps are doing this?

In the Journal's testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple's iOS, made by California-based Azumio Inc., sent a user's heart rate to Facebook immediately after it was recorded.

Flo Health Inc.'s Flo Period & Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed.

Real-estate app, owned by Move Inc., a subsidiary of Wall Street Journal parent News Corp, sent the social network the location and price of listings that a user viewed, noting which ones were marked as favorites, the tests showed.

And just like with the last abuse, when Facebook was found to be using Apple's Enterprise Distribution system as an end-run around a banned iOS app, paying people, including teens, for quote-unquote research but spying on them with root access well beyond any reasonable expectation, Google was almost immediately found to be running similar analytics. And others as well.

Security analyst Will Strafach, writing on Twitter:

Period Calendar (#32 in Health & Fitness, 35,000 ratings) communicates often with Google Analytics. what data it sends is a bit harder to judge precisely, because some of the content they send to appears to be obfuscated or in an odd format.

My Calendar - Period Tracker (#174 in Health & Fitness) sends more granular information to Google Analytics, such as mood and intercourse entries (as specific as whether protected / unprotected)

Dot Fertility Tracker sends Flurry Analytics information about what contraceptive methods are used, if recently pregnant, and other bits of info. this occurs even if the age is set to be under clue if this is just extreme carelessness on the developer's side or what. either way, pretty weird to have that sort of data stored with a third party, in my opinion.

[The Wall Street Journal] highlighted Facebook's role, but tracking is really a wider issue, Facebook just plays a part in it.

Why are they doing this? Because the Facebooks and Googles are pressuring and bribing them to, so they can better fill out our profiles and shadow profiles, and better bundle us up for their data exploitation businesses. But it doesn't really **** matter why they're doing it. It's abhorrent and egregious enough simply that they're doing it.

What the companies are saying

"We require app developers to be clear with their users about the information they are sharing with us."

That's what a Facebook spokeswoman said in response to the article.

"When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action."

That's what Apple said.

What did Google, which runs both a data-harvesting business like Facebook and one of the biggest software markets in the world like Apple, say?

A Google spokesman declined to comment beyond pointing to the company's policy requiring apps that handle sensitive data to "disclose the type of parties to which any personal or sensitive user data is shared," and in some cases to do so prominently.

Apple has spoken more emphatically about data collection in the past.

Back in 2010, Steve Jobs, famously, harangued Flurry Analytics on the All Things Digital stage:

"One day we read in the paper that a company called Flurry Analytics has detected that we have some new iPhone and other tablet devices that we're using on our campus. We thought, what the hell?"

And, to cut it out, Apple added this to their App Store Developer Guidelines:

"The use of third party software in Your Application to collect and send Device Data to a third party for processing or analysis is expressly prohibited," said the added text.

Much more recently, earlier this year, Tim Cook wrote an impassioned open letter in Time magazine:

Meaningful, comprehensive federal privacy legislation should not only aim to put consumers in control of their data, it should also shine a light on actors trafficking in your data behind the scenes. Some state laws are looking to accomplish just that, but right now there is no federal standard protecting Americans from these practices. That's why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.

For now, though, Apple is sticking to policies. Facebook is sticking to deny, dissemble, deflect, and Google is… either apologizing when they get caught or hiding and hoping our attention span is too short for them to face any consequences.

What can we do?

Privacy lawyers say the collection of health data by nonhealth entities is legal in most U.S. states, provided there is sufficient disclosure in an app's and Facebook's terms of service. The Federal Trade Commission has taken an interest in cases in which data sharing deviates widely from what users might expect, particularly if any explanation was hard for users to find, said Woodrow Hartzog, a professor of law and computer science at Northeastern University.

Some privacy experts [in the European Union] who reviewed the Journal's findings said the practices may be in violation of that law. "For the sensitive data, companies basically always need consent—likely both the app developer and Facebook," said Frederik J. Zuiderveen Borgesius, a law professor at Radboud University in the Netherlands.

It's disappointing if not surprising this activity isn't expressly illegal everywhere. Data theft is still theft and this type of stuff happens so frequently, even with policies, even with fines, that the only way to stop it seems to be by making sure it's criminal. That if you fail to disclose what data you're taking and who you're sharing it with, you'll face charges. You'll go to jail.

That the penalty will be so severe that if a founder, CEO, or developer even dreams of violating it, they'll wake up screaming to delete the code.

And until that happens, the platform owners, Apple and Microsoft and, yes, even and especially Google, need to hold every app and every developer accountable.

Require them to disclose, as part of the store page, what data is collected and who it is shared with. In a place that's as easy to see as the price, the compatibility, and parental guidance.

For example, this app collects the following data, including how often you have sex, and whether it's protected or not, and shares it with Facebook and Google.

Then do a deeper inspection to detect what, if any, information is being sent to the developer and any quote-unquote analytics they may be using, and if it doesn't match the disclosure, reject their ass… I mean apps, over and over again, or if willfully and intentionally deceptive, remove their apps and delete their accounts.

And if any developer is the least bit concerned that would have a chilling effect on downloads or a deleterious effect on their business, then they shouldn't be doing it.

There have been so many scandals, so frequently, that it's easy to become numb to them. To normalize them. But they're not normal. They're so far from normal.

I've quoted it before and I'll keep quoting it until something, everything changes.

We're at the point with privacy now that we were with security back in the virus-strewn days of Windows XP. We, the industry, made a change then. We, the industry, can make a change now.

We, everyone, just need the will and attention span to do it.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.