At the 35th Chaos Computer Club conference (35C3) in Berlin, Frederike Kaltheuner and Christopher Weatherhead of Privacy International demonstrated that 61% of the Android apps they tested, by virtue of integrating Facebook's SDK, share data with Facebook - whether you like it or not.
Through Facebook's Business Tools offering of APIs and analytics services, developers can quickly integrate with the Zuckopticon. The tradeoff, of course, is that user data is sent to Facebook - irrespective of whether the user is logged in to Facebook, and even of whether the user has a Facebook account at all.
Here's the talk.
The apps analysed by the team all had a minimum install base of 10 million users, so there will be many known to you: perhaps Candy Crush Saga, Dropbox, Spotify, and even the Opera browser.
Facebook's default position, as you would expect, is for applications to send data to it, with the developer assuming all responsibility for whether and how that data is handled. However, the talk highlighted a bug report, filed with Facebook the previous summer, in which developers complained about exactly this behaviour of Facebook's services:
When integrating the Facebook login SDK into Android we realized that, when initializing the SDK, a request is sent to the Graph API server which includes an App-ID and an Advertising ID.
Unfortunately this isn't compliant with the GDPR Guidelines, because the users haven't yet agreed to the privacy terms when starting the app. This is also the case when the automatic events are deactivated. At the moment we have to avoid the problem with a workaround, which however leads to crashes. [...] Please help us as soon as possible, as otherwise we are not allowed or able to use the Facebook SDK to log in to our Android app.
Facebook's response was to introduce a delay between the SDK being initialised and data being sent to Facebook - but note that this is a delay, not a withdrawal of the collection itself: the App-ID and Advertising ID still go to Facebook, just later.
PI's advice to developers is, basically, not to touch anything involving the Facebook suite; their advice to users is to stop installing apps that contain such integration. But this is a post-event choice: such is the free-for-all on Google Play that you cannot tell from a listing what an app contains, and keeping a list of offending apps would be practically impossible. And even then, companies may require their staff to use services such as Dropbox, making a personal boycott very difficult to sustain.
The ethical and legal status of such services (particularly under GDPR) is a grey area. Facebook exploits the law - and exploits you - precisely because it is hazy.
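You can, however, check an app you already have. The script below is an added example, not something from the talk or from Privacy International's tooling: an APK is a ZIP archive, its compiled code lives in classes.dex (and classes2.dex, ...) whose string tables contain the descriptor of every class the code references, and its binary AndroidManifest.xml contains the meta-data key the SDK reads its App-ID from. A raw byte search over those files is enough for a yes/no answer, no dex parser required. The marker class descriptors and the meta-data key name are assumptions based on the SDK's package layout, and the sample APK built by build_sample_apk is a constructed stand-in so the check runs offline.

```python
"""First-pass check for whether an Android APK bundles the Facebook SDK.

Added example, not from the 35C3 talk or from Privacy International.
Markers and the manifest key are assumptions based on the SDK's layout.
"""
import io
import re
import sys
import zipfile

# Dex-style class descriptors that only appear when the SDK is compiled in.
# Dex string tables store ASCII identically to MUTF-8, so a byte search works.
FB_SDK_CLASS_MARKERS = (
    b"Lcom/facebook/FacebookSdk;",
    b"Lcom/facebook/appevents/AppEventsLogger;",
    b"Lcom/facebook/login/LoginManager;",
)
# Manifest meta-data key the SDK reads its App-ID from. The binary manifest's
# string pool is UTF-16LE by default, or UTF-8 when aapt's UTF-8 flag is set.
FB_APP_ID_META_KEY = "com.facebook.sdk.ApplicationId"
DEX_NAME = re.compile(r"classes\d*\.dex")


def scan_apk(apk_bytes: bytes) -> dict:
    """Report which SDK class markers occur in the dex files and whether the
    manifest declares a Facebook App-ID."""
    classes_found = set()
    manifest_has_app_id = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if DEX_NAME.fullmatch(name):
                dex = apk.read(name)  # decompressed by zipfile
                for marker in FB_SDK_CLASS_MARKERS:
                    if marker in dex:
                        classes_found.add(marker.decode("ascii"))
            elif name == "AndroidManifest.xml":
                manifest = apk.read(name)
                key_utf16 = FB_APP_ID_META_KEY.encode("utf-16-le")
                key_utf8 = FB_APP_ID_META_KEY.encode("utf-8")
                manifest_has_app_id = key_utf16 in manifest or key_utf8 in manifest
    return {
        "sdk_classes": sorted(classes_found),
        "manifest_app_id": manifest_has_app_id,
        "uses_facebook_sdk": bool(classes_found) or manifest_has_app_id,
    }


def build_sample_apk(with_facebook_sdk: bool) -> bytes:
    """Constructed stand-in for a real APK (not a real dex or binary XML):
    a ZIP with a fake classes.dex whose 'string table' is just NUL-separated
    descriptors, and a fake manifest string pool encoded as UTF-16LE."""
    descriptors = [b"Landroid/app/Activity;", b"Lcom/example/MainActivity;"]
    meta_keys = ["android.app.lib_name"]
    if with_facebook_sdk:
        descriptors += [b"Lcom/facebook/FacebookSdk;", b"Lcom/facebook/login/LoginManager;"]
        meta_keys.append(FB_APP_ID_META_KEY)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", b"dex\n035\0" + b"\0".join(descriptors) + b"\0")
        apk.writestr("AndroidManifest.xml", "\0".join(meta_keys).encode("utf-16-le"))
        apk.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def main(argv):
    """CLI: exit status 1 when the SDK is present, so it can drive a loop."""
    if len(argv) != 2:
        print("usage: check_fb_sdk.py <app.apk>")
        return 2
    with open(argv[1], "rb") as f:
        result = scan_apk(f.read())
    for key, value in result.items():
        print(f"{key}: {value}")
    return 1 if result["uses_facebook_sdk"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To check an installed app, find its APK with `adb shell pm path <package>` and copy it out with `adb pull`; apps shipped as App Bundles install as several split APKs, so scan each one. The class-descriptor search can miss an SDK that has been renamed by an obfuscator, which is unusual for a third-party library but possible; the manifest meta-data key is the more stable of the two signals, since the SDK looks it up by name at runtime. A hit tells you the SDK is present, not what it sends: for that, the talk's approach of observing the app's network traffic is still needed.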
The full slide deck is here.