SAN FRANCISCO — Popular apps that help users measure their heart rate, track their menstrual cycle or search for a home are sending some of that sensitive information to Facebook within seconds of the data being recorded, The Wall Street Journal reported Friday.
It is the latest in a series of recent examples of technology companies sharing personal data without the explicit permission of their users, adding to mounting privacy concerns and spurring a movement to push the firms to be more transparent.
The Journal reported that at least 11 popular smartphone apps, with tens of millions of downloads among them, have been sharing sensitive data with Facebook, even if the user has no connection to Facebook.
The apps are sharing the data so they can use a Facebook analytics tool that allows developers to measure how people use their apps and potentially target them with personalized ads, often without any prominent or specific disclosure, the newspaper said.
The data transfers were confirmed by two sources at Facebook familiar with the company's developer system, who spoke to NBC News. The sources were not authorized to speak publicly.
The apps included Flo Period & Ovulation Tracker, which claims 25 million active users, the Journal reported. Initially, the app told the newspaper that it doesn’t send “critical user data” to Facebook, but when the Journal found that menstruation information was sent to Facebook with a unique advertising identifier that can be matched to a device or profile, Flo said it would “substantially limit” the use of external analytics systems and conduct a privacy audit.
Flo said in an additional statement Friday that it used Facebook's analytics tool "for internal analytics purposes only: to study user behavior, provide users with the best possible experience and develop a product." Usage of analytical systems is a common practice for all app developers, the company said.
New York Gov. Andrew Cuomo said in response to the report that he was directing state agencies to investigate what he called an “invasion of consumer privacy” and asking federal authorities to help end the practice.
“This practice, which in some cases clearly violates Facebook’s own business terms, is an outrageous abuse of privacy,” Cuomo said in a statement.
There is no evidence that Facebook intended to collect the sensitive data. Rather, the apps in question were using a set of tools, known as a software developer kit, that was produced by Facebook and used by software engineers. Facebook’s SDK is among the most widely used such kits.
Facebook said it did not seek out the personal information, and that it deletes such data in cases where it detects it.
“For these specific apps, we will reach out to them and notify them that the data they’re sharing can be perceived as sensitive by their users, so they should stop sending it. Again, should they refuse to comply, we may take further action where warranted,” Facebook said in a statement.
Sen. Ron Wyden, D-Ore., said in an emailed statement that the news was another mark against Facebook.
"I’m sick of hearing Facebook make excuses for its repeated privacy invasions," Wyden said. "The allegations in the Wall Street Journal are the latest in a long list of deeply troubling reports about the company’s practices. The FTC should add the latest report to the long list of things they’re investigating."
Wyden added that the story provided another example of the need for increased regulation of tech companies.
"This story proves, again, that Americans simply cannot trust companies like Facebook to protect our privacy," he said. "Americans need strong privacy legislation with teeth, like my plan, or else these incidents will never end.”