Tests reveal some smartphone apps send sensitive user information to Facebook

SAN JOSE, Calif. (KGO) -- Wall Street Journal tests reveal Facebook is collecting sensitive and personal information shared by smartphone users, on completely separate apps.

Fitness, finance and ovulation apps are among the few the WSJ says is sending data to the social media network. It's a practice cybersecurity experts say privacy settings can't correct.

"Facebook provides tools to the apps, and part of that tool is sending back information to Facebook," Ahmed Banafa said. "So, we have to be more technical to understand how that goes."

Banafa is a Cyber Security Expert with San Jose State University.

The WSJ reported none of the apps they've identified provided users with any apparent way to stop the information from being sent to Facebook.

RELATED: Early Facebook investor Roger McNamee discusses new book criticizing social media company

Referring to the WSJ findings, Banafa said, "They did not test that by themselves only, they asked other firms to confirm their result and it came back to the same result. Which is, information is being sent back to Facebook and used to 'improve user experience.'"

Banafa continued, "The words 'improve user experience' means, 'we're going to use this information to know and understand you more, whether you like it or not.'"

The WSJ tested more than 70 popular apps in Apple's iOS store. Specifically, apps which are known to handle sensitive user information.

It found at least 11 apps either sent exact data or potentially sensitive details to the social media giant. Shared data included weight, height, pregnancy, problems and other notes not meant for Facebook's keeping.

According to WSJ, the big issue is an analytics tool Facebook offers developers, allowing them to see statistics about their users' activities. The goal, to target users with Facebook ads.

"It's all really private information. So that does kind of concern me," San Jose resident, Celia Pulcifer said. "It makes me a little wary of what I'm putting out there on the internet, and my social media and things like that."

However, the information being shared with Facebook isn't meant for the masses, and people don't need to have a Facebook profile to be impacted.

The WSJ found one app called Flo Period & Ovulation tracker recorded and reported a user's last logged period. When the info is communicated to Facebook, a "custom app event," is created. This is possible through Facebook software inside Flo. The app is able to alert the user that she may be ovulating.

"It's definitely just inappropriate that all of this stuff is happening," San Jose resident, Madison Martinez told ABC7 News. "It's just crazy."

The WSJ specified, Flo Health's privacy policy says it won't send "information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share" to third-party vendors.

Flo wrote the WSJ, saying it doesn't send "critical user data" and that any data sent to Facebook is "depersonalized" to keep it private and secure.

However, the Journal's reports its testing showed sensitive information was sent with a unique advertising identifier that can be matched to a device or profile.

A spokesperson with Flo responded and said the company will "substantially limit" its use of external analytics systems while it conducts a privacy audit.

Cybersecurity expert, Ahmed Banafa said in the world of social media, data collection is more valuable than cash.

"The less you share, the better. That's the main concept," Banafa said. "And you don't have to tell everybody about every food you have, every animal you like. You don't have to tell them about this, because they build on this. They build a profile."

The WSJ says Facebook is now telling flagged apps to stop sending data users might find sensitive.

You'll remember Facebook is already under pressure over its data collection.

"You cannot just have the data just floating somewhere. Facebook can't say, 'Well, we just received the information, we didn't know anything about it,'" Banafa said. "You should not have received that information. That's the bottom line."

Privacy experts who reviewed the WSJ's findings say the practices may be in violation of that law. "For the sensitive data, companies basically always need consent-likely both the app developer and Facebook," Frederik J. Zuiderveen Borgesius, a law professor at Radboud University in the Netherlands told the WSJ.

ABC7 News has reached out to Facebook for comment. The web article will reflect the social network's response when it is received.

Check out more stories and videos about Facebook.
Copyright © 2019 KGO-TV. All Rights Reserved.