13 votes

You Give Apps Sensitive Personal Information. Then They Tell Facebook.

6 comments

  1. [6]
    Deimos
    Link
    New York's governor has ordered an investigation in response to this:...
    4 votes
    1. [3]
      sublime_aenima
      Link Parent

      The report said that the company can access data in some cases even when the user is not signed into Facebook or does not have a Facebook account.

      This is the disgusting part. What do they need my info for if I don't have a Facebook account and never plan on using any of their platforms? They have no reason to be collecting data for people that refuse to use their services.

      8 votes
      1. [2]
        masochist
        Link Parent

        As I commented in response to Deimos, this really seems like a HIPAA violation in the US, and is also a violation of Apple's guidelines. Apple have recently taken steps against Facebook for misbehaving on the App Store, so this would just give them yet another reason to keep them off of the store entirely.

        3 votes
        1. patience_limited
          (edited)
          Link Parent

          I've commented elsewhere that since Facebook or the app providers aren't "covered entities" as recognized under HIPAA, they're not subject to the substantial fines (up to $50k per record) that health care providers seeing you as a patient would face for any breach.

          As mentioned here, in the U.S., Facebook is in violation of a 2012 Federal Trade Commission consent agreement concerning exposure of "consumer health information" like this, which might cost them real money.

          Edit: here's the announcement of the original consent agreement. If anyone in the Federal Trade Commission was paying attention right now, I'd say an administrative law judge would shred Facebook a new one.

          3 votes
    2. [2]
      masochist
      Link Parent

      The WSJ reported that several apps share sensitive user data including weight, blood pressure and ovulation status with Facebook.

      How is this not a HIPAA violation (i.e. highly illegal)?! Beyond that, even if it's not just a HIPAA violation, if it's on the iOS App Store, it's a direct violation of section 5.1.3(i) of the app store review guidelines on health and health research data. Apple will not be pleased.

      2 votes
      1. Deimos
        Link Parent

        It's not something I have enough knowledge about to be confident on, but the article does include:

        Privacy lawyers say the collection of health data by nonhealth entities is legal in most U.S. states, provided there is sufficient disclosure in an app’s and Facebook’s terms of service. The Federal Trade Commission has taken an interest in cases in which data sharing deviates widely from what users might expect, particularly if any explanation was hard for users to find, said Woodrow Hartzog, a professor of law and computer science at Northeastern University.

        The problem is most likely that there's little or no disclosure that it's happening (which will especially make it a GDPR violation for European users).

        3 votes