Facebook's Collection of Sensitive Data Through its Analytics SDK Lands it in Hot Water

Facebook is once again under fire in the press after the Wall Street Journal published a report detailing how a number of popular apps are sharing data with the social network's analytics platform through its SDK.

In some cases, sensitive health data related to weight, blood pressure and even menstrual cycles was being shared with the company by app makers as part of Facebook Analytics' ability to track custom "app events." As Facebook's developer documentation details, "Facebook App Events allows you to track these events to view analytics, measure ad performance, and build audiences for ad targeting."

Already, there are calls for investigations and regulation, and a number of the apps the Wall Street Journal identified have reportedly stopped sending Facebook the data in question. And Facebook has responded by asking some app developers to stop sending it this data. The company says it is also working to build automated systems that detect and block SDK users from sending it data that it doesn't want to collect in the first place.

Common Practice

Not surprisingly, much of the regulatory ire is being directed at Facebook, but Antonio García Martínez, a writer at Wired and former Facebook employee, believes that, if anything, consumers should be angry with app developers.

"Facebook is no more responsible for what data gets piped to it via the SDK than Google is the browsing data it receives via Google Analytics (whose pixels, or ones like it, absolutely paper every news outlet you visit). This is blaming the ruler for what gets measured," he wrote on Twitter.

In other words, Facebook is being lambasted for engaging in a common industry practice: the sharing of app data with third-party analytics services.

ZDNet's Catalin Cimpanu echoed the same sentiment, writing "There is nothing special about the Facebook SDK. It's just another SDK like many other mobile analytics SDKs." He suggests that the only reason Facebook is being criticized here is because it's Facebook.

That's not an unfair argument, but there are several issues here.

The first is that developers were collecting highly personal information about their users. While the collection of, for instance, health data by non-health businesses is legal in most of the US, the vast majority of users of the apps collecting this data probably do not explicitly know that such sensitive data is being shared with Facebook. At the least, this raises ethical questions for both app developers and analytics platform operators.

Second, there's a discussion to be had about the policies companies like Facebook should implement for users of analytics SDKs. Again, even if the collection of certain data is legal, does it make sense for Facebook and companies like it to place restrictions on the types of data they accept, and to take action against developers who violate their rules? For example, even if it's just a bean counter, so to speak, does Facebook really benefit from helping developers track sensitive data about their users' health? Or would it make more sense for the company to aggressively police developers and say "Sorry but we don't want to touch this kind of data" more frequently?

Finally, the reality is that Facebook's failures in recent times have dented consumer trust in the company. The likely reason that nobody is up in arms about similar data being sent to platforms like Google Analytics is that Google and others have not been the central figures in high-profile privacy scandals like Cambridge Analytica. Facebook's inability to do what other companies are doing without scrutiny is a direct result of the fact that large numbers of people simply don't have faith that Facebook is capable of operating in good faith vis-à-vis consumers. This is a reminder to all companies that maintaining trust is everything when you're in the data collection business.

Regulation Coming Soon?

Of course, all companies might lose the ability to operate as they do now because lawmakers, spurred by the headlines about Facebook, are increasingly talking about greater regulation that would apply broadly. In announcing that he was directing state agencies to investigate Facebook, New York Governor Andrew Cuomo called Facebook's practices an "invasion of consumer privacy" and also stated, "I...call on relevant federal regulators to step up and help us put an end to this practice and protect the rights of consumers."

While meaningful action might not happen overnight, the likelihood of action seems to be increasing, and it would behoove players in the industry to start preparing for the day when data collection and sharing are more tightly regulated.
