Medical app told Facebook when users were on their periods, investigation finds

An app designed to help users get pregnant was reportedly sending their data to Facebook - Getty Creative

Health and fitness apps are sending Facebook sensitive information about their users' body weight, menstrual cycles and pregnancies in ways which would allow it to be used for targeted advertising, according to reports.

An investigation by the Wall Street Journal found that 11 popular apps with millions of users between them routinely shared sensitive data with the social media giant even if users had not chosen to link the apps to their Facebook accounts in any way. 

Information such as body weight, blood pressure, pregnancy, heart rate and real estate searches was reportedly sent to Facebook along with unique identifying numbers which could be used to target them with ads on Facebook itself.

One app, a period tracker designed to help women get pregnant, appeared to do so despite a prominent vow in its privacy policy never to share data about "cycles, pregnancy [and] symptoms" that its users did not "elect to share". 

The data was collected as part of Facebook's software development kit, which helps other app makers gather information about their users' behaviour but which also collects information for Facebook's own use.

It comes after US trade regulators accused Facebook of leaking users' medical data by "nudging" them to join Facebook groups related to diseases they suffered and then failing to properly secure the groups' membership lists. 

Damian Collins, head of the UK House of Commons select committee for digital affairs, said the report showed "how totally out of control" Facebook's advertising system was.

"I'm sure most users had no idea personal information about their heart rate, pregnancy planning and even period dates was shared with Facebook," he said.

A spokeswoman for Facebook confirmed that the company does receive data from app makers who use its tools and that such data is sometimes used to target adverts at users.

But, she said, app makers are required by Facebook's terms of service to "provide clear explanations" about what data they collect and who they share it, and they are prohibited from sending "sensitive data", including medical data.

"It's common for developers to share information with a wide range of platforms for advertising and analytics," she said. "We require app developers to be clear with people about the data they share with us and other third parties.

"We also prohibit app developers from sharing sensitive data with us, and we take steps to detect and remove data that should not be shared with us."

She said that Facebook users can opt out of such targeting by adjusting their personal settings to block advertisers' ability to target them using data from other apps or websites.

She also said that although Facebook's terms of service give it the right to use such data to help other companies target ads at its users, it does not do so with tmore personal types of data unless the app makers say it can.

But privacy advocates have argued that it merely knowing a user had downloaded and opened a certain app would tell Facebook plenty about who they are, citing Muslim prayer apps, period trackers or parenting apps as examples. 

At issue is the ability of app makers who use Facebook's tools to record and analyse "events", such as when users buy an item, start a free trial or start a paid subscription. Doing so helps them see how their app is being used and track their users' behaviour.

In addition to the standard events provided by Facebook, app makers can define their own events. A medical app might want to track when its users entered their medical details, while a travel app might want to know when its users searched for cheap flights.

What many users may not know is that such events, including custom events, are also shared with Facebook, whose terms of service allow it to use them "to improve [its] ad targeting and delivery capabilities, as well as improve other experiences on Facebook" such as search ranking.

In December, Privacy International warned that even the most basic data from certain apps could give Facebook "a fine-grained and intimate picture of people's activities, interests, behaviours and routines... including information about people's health or religion". 

Some apps, it said, also sent more detailed information, such as travel apps which tell Facebook which cities its users are searching for, when they are hoping to travel and where they are hoping to go.

It criticised the company for not being transparent enough about how it used such data, adding that Facebook had not given developers the ability to pause data sharing in order to secure users' consent until 35 days after strict new European privacy laws came into force. 

The Journal's analysis found that some apps makers have created even more sensitive custom events. Flo, a period-tracking app, told Facebook when a user was having their period or had told the app tat they wanted to get pregnant, while HR Monitor, the most popular heart rate app on the iPhone, sent heart rates to Facebook within seconds of recording them.

Flo's privacy policy mentions Facebook by name, but excludes "information regarding your marked cycles, pregnancy [and] symptoms... that you do not elect to share". The company told the Journal that it will "substantially limit" its use of third-party analytics while it investigates the issue.

HR Monitor's privacy policy does not mention Facebook specifically, saying only that usage data is mixed together and cannot identify individual users. Neither app, the Journal said, offered users the ability to opt out of data sharing.

The Facebook spokeswoman stressed that it was app makers' choice to share this data with Facebook, saying they must manually write the code to send it their custom app events.

She said that Facebook only allows data from custom events to be used by app makers to target Facebook ads at their own users unless they specifically agree to allow other advertisers to target them as well.

An app maker might use such information to advertise subscriptions to people who have downloaded their app but not yet paid any money for it, or even to  sell them products that their app behaviour suggested they might want.

After the Journal's report, Flo said that it was removing Facebook's developer tools immediately from its app and that it would ask Facebook to delete all the data it had been sent. A spokeswoman said that Flo had "already initiated a comprehensive external privacy audit".

"Flo has never sold any data points to Facebook and has  never used sensitive data from Facebook Analytics for advertisement," she said. 

"We utilised Facebook Analytics, as many other apps do,to ensure our app offers the best experience for our users. Any use of these tools was for internal development only to improve our functionality and service. We also adhere to all legislation around data privacy and security."

One health app developer, who asked not to be named, told the Telegraph that many companies are lured into sharing their users' information with Facebook because its analysis tools are provided for free.

"It's very expensive to build analytics tools, so they have to monetise your data somehow," she said. "Otherwise you have to pay a lot of money for a tool that is not sharing your data.

"Users are giving a lot of information to these developers, who then give Facebook that information, which is really unfair to the users. But a lot of developers are trying to make a quick buck and they just don't care."

The developer said that many advertisers were interested in medical data, but that her company uses a paid analytics tool and only integrates with Facebook as far as is necessary to let users log in to the app using their Facebook accounts.

Even that function, however, which is very widely used, gives Facebook some data about who has opened each app, which it could use to improve its ad targeting or to spot rival apps before they become a threat. 

"Every app developer knows this trade-off," she said. "There are many benefits to being part of the Facebook ecosystem." 

Facebook's own policy forbids developers to send it "health, financial information or other categories of sensitive information", and stipulates that they must have a "lawful basis" for all the data they collect and share.

It does, however, say that Facebook can use the event data to help target other adverts, to personalise content for its users and to "promote safety and security", though it does promise that Facebook will never let ads be targeted at users based on event data alone.

"Facebook does not want you to send them that information," said the anonymous developer, citing the USA's strict healthcare privacy regulation. "But are they going to prevent you from doing that?"

Antonio García Martínez, a former Facebook employee who helped build its ad targeting team, defended Facebook's practices, saying that the social network was merely providing "plumbing" for app makers and that blaming it for their actions was like "blaming the ruler for what gets measured".

Custom ad events, he said, are not stored by Facebook in a form that it could easily use for advertising, and attempting to use them for that purpose would endanger its relations with thousands of developers.

Instead, he argued, users should be concerned about the data collected by app companies, who could choose not to gather it or to encrypt it before sending it to Facebook.