This data included things like weight, BMI, menstrual cycles, alcohol consumption, food consumption, heart-rate, blood pressure and calories burned during exercise – including in one case the category ‘sexual activity’ …
The privacy policies of the apps concerned do not make clear the extent of the data-sharing, often not mentioning Facebook at all.
The state’s Department of Financial Services on Wednesday sent a series of letters seeking information and documents from Facebook and the developers behind the at least 11 apps mentioned in the Journal’s reporting, according to a person familiar with the investigation.
One letter, addressed to Facebook Chief Executive Mark Zuckerberg, requests information about all companies that have sent Facebook data about mobile application users via software provided by the social-media giant in the last three years, the person said. It also asked the company to provide the categories of data that were shared and a list of all New York state residents whose data were included, the person added.
The 11 apps sending sensitive data were:
- Flo Period & Ovulation Tracker
- Weight Loss Fitness by Verv
- BetterMe: Weight Loss Workouts
- Lose It!
- GetFit: Home Fitness & Workout
- Instant Heart Rate: HR Monitor
- BetterMen: Fitness Trainer
- Realtor.com Real Estate Search
- Trulia Real Estate: Find Homes
- Breethe: Sleep & Meditation
- Glucose Buddy
These include six of the top 15 health and fitness apps in Apple’s US App Store. All but the last have been downloaded millions of times in the past year.
The WSJ listed the information the apps were found to be sending. Some ceased to do so after the paper contacted them, while others continue to send data.
A popular food- and exercise-logging app, Lose It! stopped sending Facebook sensitive personal information, Sunday’s test showed. In earlier tests, the app had been sending Facebook the weight users logged, along with how much they had gained or lost, and the caloric content of every food item they logged. It also sent the caloric value of every exercise logged: When a user entered having completed 45 minutes of “sexual activity” during one test, the app sent that information to Facebook along with an estimate of how many calories the activity burned: 46 […]
BetterMe was found in Journal testing to be sending Facebook data on users’ weight and height, workouts completed and their selection from among the app’s menu of problem areas to work on, such as “belly fat” or “saggy breasts.”
Facebook said that it is reviewing the letter sent by the regulator, New York state’s Department of Financial Services.
“It’s common for developers to share information with a wide range of platforms for advertising and analytics,” the spokeswoman added. “We require the other app developers to be clear with their users about the information they are sharing with us, and we prohibit app developers from sending us sensitive data. We also take steps to detect and remove data that should not be shared with us.”
A separate European investigation into the same same issue is underway in Ireland.
A spokesman for the Ireland’s Data Protection Commission said that the regulator is in touch with Facebook about how apps share data with social-media company. “We are at fact finding stage to ascertain what is happening which will help us make decisions in respect of any further actions that may be required,” the spokesman said.
We’ve reached out to Apple for comment, and will update with any response.