How Tinder, Airbnb, TripAdvisor, and Bumble could leak even more Facebook Data than Trump’s Consulting Firm Cambridge Analytica

AppSecurity

The data analytics firm that helped Donald Trump get elected president” was suspended from accessing Facebook’s Ads platform this weekend. The penalty was not because their data was stolen from Facebook, but because they “paid to acquire the personal information through an outside researcher“. In 2015, a Cambridge University researcher used features of Facebook’s platform to get 270,000 users to surrender the data of 50 million total users, simply by quietly asking for permission to access the information of their “friends”. The only reason this data violated their terms of service was that the data was illicitly transferred from the researcher to Cambridge Analytica (unrelated to the university).

It is true that Facebook no longer allows apps to request that you hand over the likes, photos, and location of your friends, but a relevant current question is this: In 2018, are there Facebook-connected apps that could leak even more personal data than Cambridge Analytica acquired? That answer seems to be a resounding yes. While the permissions are tightened, the growth of mobile apps and social sign-in have grown as well.

Here are 4 popular apps (and there are certainly many more) that need to be very clear with users how their data is being protected and how it will be used in the future:

1. Tinder – 100+ million users at risk

This online-dating juggernaut understandable asks you to login with Facebook to establish your identity, and uses your friends , photos, and “likes” to match you with potential interests. If you grants these permissions even once, any of these apps can collect all of this data, forever, until you disconnect the app. Tinder is owned by media conglomerate IAC, which gives it ample temptation to use this user data to sell ad targeting similar to Trump and Cambridge Analytica.

2. Airbnb – 90+ million users at risk

Travel bookings site Airbnb also uses social logins to help establish your identity to keep you safe. They ask for access to your photos to help you share details of your trips, and likely use your interests to try and help you find lodging. Airbnb has no obvious reasons to misuse this data, but they clearly have access to a lot, and if they were hacked, or acquired by a more diversified company, that story could change.

3. TripAdvisor – 70+ million users at risk

This travel review mainstay also asks for permanent access to your likes and photos. Similar to Tinder, they are owned by Liberty Media, which owns everything from Sports teams to SiriusXM Radio to 1/3 of LiveNation/Ticketmaster. This is a tremendous amount of data to protect against external threats as well as internal temptations to monetize this data for advertisers.

4. Bumble – 27 million users at risk

A rising star in the online dating space, Bumble has the same reasonable reasons to ask for “likes” and photos as Tinder, and the same challenges. Bumble is majority-owned by Badoo & their owner, “secretive Russian entrepreneur Andrey Andreev“. Considering the ongoing concerns about Russia’s interest in using social media data to target ads and influence elections, this site’s rapidly growing dataset is interesting, especially since it sits further away from the reach of U.S. regulation.

Now What?

This is a challenging situation. We all want our apps to be easy to use, and to have access to details of our lives that improve the app experience. Most of us don’t even mind if some personal data is used to show us ads we like instead of ads we don’t like.

A few next steps that could help this situation:

  • Apps using these permissions should make their intentions abundantly clear. Will this data be used for anything other than directly serving user needs within the app? Should the platforms even allow that? Could they prevent it with certainty?
  • Facebook and similar sites should consider adopting less permanent access, where users who haven’t visited the site recently are not still subjects of data harvesting
  • Less “friendly” permissions processes. It’s extremely easy right now to give an app nearly-permanent access to every picture or interest you ever post to Facebook. Now that image recognition is cheap and easy, this is data is too revealing to be granted trivially.

For Media Inquiries about Facebook Advertising Strategy around the U.S. Presidential Election and other Advanced Digital Marketing Tactics and Measurement, please contact Rob Kischuk at 404.663.9945rob@convergehq.com, or @rkischuk / @GetConverge

As a Marketing Reporting Automation and Analytics company, Converge is committed to responsible and ethical data collection practices that protect the privacy of individuals and the data policies of the data sources we connect to.

(Methodology: in the case of Bumble and Tinder, since these apps require social login, actual total app downloads were used. In other cases, we used March 2018 actual Monthly Active Users, and assumed at least 2/3 user attrition over the past 90 days)

Leave a Reply

Your email address will not be published. Required fields are marked *