 And now welcome to the last talk of the day and it's very close to night and it's time to tell spooky campfire stories except this one is 100% real, spooky as it is. It is a talk on shadow profiling and on how Facebook attracts you even if you don't have a Facebook account. So let's give so hello and here comes the talk to how Facebook tracks users on Android via Facebook user on Android. This talk will be translated from ploy and parkward. Hello together. It's very cool that I can be at the congress. It's my first congress. So it's really my dream of mine. I really like it to be here. I mean that wouldn't be possible at all. This whole congress without the translators, without the Engels, without the Heralds. Please give an applause for them. So raise your hand if you're an Android developer. Yeah, maybe about five or so here. And how many of you have used the Facebook SDK? Somehow a handful. Okay. So I'll go over to Frederike. She makes the beginning. So this year we have reached the threshold to go to different farms. That's the company. That's the data broker, credit assessment companies. And the reason why we focused on these companies, which normal people don't know at all is because for many people it is impossible to find out how they get tracked and who has the data from the people. So part of this survey I asked Comcast. So I mean, you may not have heard of it, but this company heard from you. I received all of my data from this company. So this is now a processed and soft version of my browser history. So you can see timestamps, device information. So it's pretty sensitive data. And there's also data that's been sent out, like if I have children, my gender, my income. So different data dealers place me in some kind of weird categories, like drinking alcohol at home or interested in baby products and windy. Very exciting in these data. There are a lot of them and some are pretty wrong. So what's fascinating is that all these data come from one cookie from a browser from one of my devices. And that's why today we have a research result publicly about how a company user from Android abstract and in particular we have looked at Facebook people on Android track who don't have Facebook account. So earlier this year research from the University of Oxford showed that 22% of the apps can share data with Facebook. And what's interesting is that Facebook is the second largest tracker after the Google company, Spitze Alphabet. So let's take a look at how it looks like, especially for people who don't have Facebook account. So the reason why we chose Facebook is because of things like a period tracker or a pocket lamp. So data with Facebook part is pretty amazing for a lot of people, especially people who made a conscious decision not to be on Facebook. So that's what we did. We took this paper from Oxford University. They gave us a list of apps that they searched. So somehow top 5000 apps that need a Facebook account. So that's a few of the biggest ones. And then we have a few apps selected that somehow have sensible data with religion or with health. So a little bit of utility apps. Because they might have information about other apps in it. So those are the 34 apps that we selected. Here you can see very big things like Spotify and very small things that are more like indie developers like games or so. And all these apps have at least 10 million installs. So we actually just wanted apps with further spread because it's actually less about the apps or the developers themselves. So we don't want to criticize the developers about how they make apps. Here it's about SDK and how the data is transmitted with or without user input. So let's talk about methodology. So we took a Nexus 5 with Android 8.1, with a virtual machine on which Man in the Middle Proxy runs, the traffic is blocked and so the whole traffic between the app and Facebook went over this virtual machine. So for the first time 61% of the apps that we tested automatically on Facebook. So just as soon as you open the app, so 21 out of 34 apps directly transfer data to Facebook as soon as you open it. For example this Kayak app. So as soon as you tap on the app icon, you see here that a lot of data is sent to different companies. So I mean, you can let it run a little bit more and in the end you come to the home screen. And the funny thing is here it says, don't worry, we never share data with someone without your understanding. So let's take a look at it. So let's take a look at what's a little bit more in detail. That's pretty standard. That's now VK, a Russian social network. So that's now typical of how SDK is implemented and probably in the standard setting. So when the app starts and initializes, the SDK is initialized and when the app is in front of the ground, a message is sent. When it goes to the background, something is sent there. When it's closed, it's sent. So you can use the account profiles over how long you can use an app. So you have a unique ID in there. So that means it's already personal, because that's part of your copy of the app. So there's also which version of Android you have running, what kind of a country your keyboard is set on. So I mean, we don't need much to have more detailed stuff. So certain apps usually send pretty sensitive data on Facebook. So I mean, we had news about the Baby Plus app. And in the past week, there was still the Pregnancy Plus app. And we'll show you some more examples that we found. So the top example is Kayak. So every time you look for something in that app, it's sent to Facebook. And it's not just the content of what's being searched, but where the users go. So it's like a search ID is sent there and various other stuff. Here you can still see something with the King James Bible app. There Facebook is even allowed to track it inside the app. So they've changed a little bit. It's less detailed, but in the original version, Facebook knew exactly which part of the Bible you read. And the last part is the actual advertising data. And this is an application to the advertising network. And there are a lot of interesting things that come here. You can see how much the battery is charged and this is a good example of how far it goes. And the data like you have on your phone, the Solorometer. And the app has also decided that I'm not a kid, even though I've never been asked. And it's important to remember that it doesn't matter if you're a Facebook user or not. The profiles will be created about you, regardless of whether you have a Facebook account or not. Through these apps, a profile will be created. So why is this relevant? Our analysis has only focused on the data that the apps convey. And we can't say for sure how these data are used. But what's interesting is that our first impression is that most apps will be opened as soon as they share the data. And these data, from these data, are given what kind of app will be opened through the app idea. And to know which app will be used is a pretty good insight into the life of a person. So you can see here, for example, a job search app or a child app. So what kind of person is that? That's probably a Muslim, probably female, probably a Muslim, probably looking for a job and probably having a child. So the apps that automatically transmit data and they come automatically with a Google app ID. And these IDs are used by the advertising networks to connect users with each other, i.e. apps with each other to the user. And it's important to know which apps people use and how often they are used. And there are important insights into the Android market. And something like this runs a deep insight into the user behavior. And we have focused on apps that have 10 million, maybe even 500 million installations. So overall, we talk about over 2 billion installations. So we talk about a lot of data here. But why do so many apps share data with Facebook as soon as they are opened? One reason or many reasons for that is Facebook SDK. And the Facebook SDK for Facebook allows developers to integrate their apps with Facebook's platform, with analytics, login or advertising. So that's the reason why many apps choose this SDK. But here it gets a little complicated. Facebook takes all the responsibility on the apps that all the data that is transmitted to Facebook is legal. And Facebook makes sure that the developer can share these data with Facebook legally. Yet, as we observed, the default installation, the standard installation of this SDK is used, where the standard data is sent. And in this standard installation, automated data is transferred. Since May, a lot of developers have made bug reports about this SDK. And this bug report from July has been confirmed that he wanted to install the login, but as soon as the app is opened, data is transmitted and they can't do that. And as soon as the app is opened, it's too late. You can't ask the user if the hydrants are allowed to be transformed at all. So Facebook has released a feature. And that shifts this automatic event login, as they call it, a little later. And that happened in June. And Facebook has confirmed in a written message that developers can send and only as a reminder, the SDK that was initialized gives us strong instructions on what kind of person this app is using. The big question is, of course, that it's not legal at all. And we have a big section about whether it's legal at all. But our analysis says that the answer is definitely a lot more complicated than it is said here. We have made this analysis in the United Kingdom and that is still a member of the European Union and I have to stick to the DSGVO. But we have also looked at the competition and there is a certain answer. So what should Android developers do at all? You should definitely take care of yourself more privately and more privately. At least you should be compatible with the relevant privacy laws. But we also sort of like you have a responsibility like to not transmit data that you don't have to transfer data that you don't have to transfer. And we have automatically sent the data with a developer contact here from 21Apps. And we got very interesting answers from these companies. Some of us had the impression that the SDK did not really understand and what the SDK does when. Some had a different interpretation of what is legal and what is not. Some again understood that this happened and promised to update their apps. And here we should give a little credit to Sky Scanner. They thanked us for our notifications and immediately updated the app and made sure that this no longer happens. And then there is also the weather chat. We haven't really tested that yet. But yes, the answers were different and apps that have a huge user base have really had to give more effort. And I think we now have a little bit of input to overthink third-party tracking. So our legal analysis says the thing is complicated. As soon as you are interested in developing a third-party track, you should take care of that. So ask yourself, do we have to integrate the SDK or can we somehow decide in one case, if you implement it, you also have to be open to the user what exactly you are doing. So, what should Facebook and Google do? Yes, so data protection as a standard setting. And by design, that is also relevant here. So Facebook has written us back that, yes, how the developers can delay the data collection or switch the SDK over or so. But I mean, for us, there is no good visible reason why to send standard data to Facebook. So if you somehow choose the standard setting, then that's not privacy by design. And as a standard setting. So in both answers that we received from Facebook and Google, so the Google did the Oxford research, they said, yes, but other companies also track the people. And Facebook answered the parliamentary hearing this year, which they said, by the way, they all listened to. So Facebook then answered the US Senate hearing in writing. And that was about shadow profiling and tracking of non-users. And Facebook said, that would be a standard feature from the Internet. And Google also said, yes, Amazon does that, Twitter does that. So I mean, in a way, we have to get back to the Internet. There is actually no law that prescribes that all these websites have to send data to large companies. So what can you do? So the answer to Google is, we have two simple things. So you can put the RDD back. So that works something like that. So here you can see with opt-in and with opt-out. A big improvement, don't you think? So even better is here that you can see the flag was set from true to false. So more data is sent than before, but yes, the opt-out doesn't really work here. But I mean, you might have an advantage. So if someone routed the Android phone, then you can just block it. So I mean, maybe there are some that simply make it work. But yes, most of the users don't have routed the device. So what can you do for alternatives? Just install apps without Facebook SDK. And yes, have fun finding out what those are, because you can't look at that somehow. So that means you can at least still minimize how many data are sent. So you can use several profiles in Android for each app. So that the advertising IDs are different. And you can always reset the ID. So it doesn't really solve the problem, but I mean, the profile doesn't always stay fresh. So you just have a small time frame over which a profile can be set. So I will now public my test environment so that everyone can imagine the background that I built here. So that is set on the website of PI. And the documentation is also on the website of PI. So if you want to look at the apps that we have looked at, then as I said, Kayak has tested that the LED flashlight is also pretty cool. Yes, we have looked at the goal. So, do you still have questions for us? Thank you. Thank you Christopher. Thank you very much. For this great day. So we are now going to ask questions. We are going to take a question right now from microphone 2. What did you send to Facebook? What did you send to Facebook? What did you send to Facebook? Regarding the advertising ID, it would be nice to ask Facebook. I asked Facebook with my advertising ID and they answered us too late. So they said they don't have any data, but we are going to hook up again. And Facebook will now publish this Clear History Tool. So I mean, you can see here that it is very, very difficult to execute the data protection rights that you have. So you have to fill out formulas, that's all very complicated. It would be much easier to get the data that a company has over you. Now a question from the internet. Do some of the apps prevent the data from Facebook? No, so from the one I tested, nobody did that. There was no problem sending these data via a man in the middle proxy. Hello, thank you for the talk. Are there any projects that use access to these SDKs but are built with data protection? I'm not aware of that. Would this kind of application or library be allowed by Google or Facebook's Terms of Use? We have read the rules of play, but I can't answer them now. Thank you for the talk. Thank you for the talk, it was very interesting. And I think that most apps that you have tested were free to download. Do you have any kind of integration with apps that are commercial? Very good question. If you talk to companies about third-party tracking, the standard answer is, well, apps have to be monetized or publishers have to monetize. That's why we need so much tracking. But the point is that the argument for a very, very long time and tracking is getting more and more invasive. And the argument is still there that it is necessary to show relevant advertisements. There are opportunities to do analytics, even to show doctors that fair and transparent is against the people. There is such a big gap between what is common in practice and what is meaningful and transparent. That's why I don't buy this company. On Facebook and Google, people have to monetize apps somehow. Microphone? But do you know if paid for apps also... We didn't look at paid apps. But I mean the standard of SDK. So it would be interesting if you could try it out. Thank you for your research. You are focused on Facebook. Do you know if that also works with other companies like the big five? Or if they also offer SDKs that work the same way? But we didn't look at big ones. But I mean, you can see many other tools that developers use regularly. So there is something called Amplitude and Crash Analytics from Google. So I assume that if everyone comes to SDK as well as send the system data, we didn't look at it in detail. I have two questions. There is definitely a legal problem. If you break the law, would you say that there is a chance to complain? And the other question is... What would you say if we automated the process to reset the add ID? We automated the process to reset the personal add ID so that we could just reset the tracking every time. Do you want to answer your first question? So your first question. We will take further steps. Read the legal analysis in our paper. It is difficult to summarize. That's why we left it here. And there are still many questions left open. We have past cases with social plugins and pixels. So the question is, are there any parallels? And the second question is to reset the add ID. So it's not very obvious how to do it. You have to go to the settings. And then you choose to reset Google add ID. And that also sets the Facebook add ID back because that's the same. I mean, these data protection settings from Google and Facebook are not very understandable. And it only works if you remove the manual, this add ID reset. And people don't know what that means. But it's only been published now, so you are the first... One more time to this report. It's only just published. You are actually the first to hear it. So please, applause. So the next question is from microphone 2. Hi. Is there a way to delay... Is there a way to delay... Is there a way to delay... Is there a way to delay... Is there a way to delay... Is there a way to delay... Is there a way to delay... Is there a way to delay... There are different answers to this question. It's a good question. So Facebook says 4.3 or later has built in a delay function. So... And versions from December... We see that it's questionable if it really works. So they offer an API and for that you need a key. An API key. For example WeChat or Dropbox, which we tested. They make their own calls in the FBI and don't go through SDK. That means it's different there. Or a follow-up question. So my point wasn't that... My point wasn't that you simply use this code. But you simply use the Facebook code. But you only use the parts that you actually need for the things you want. I don't know if that works. In terms of the amount of data that is transferred... Does the AdID change any sense at all? Yes. That means it doesn't really change anything but it just sends a signal. So afterwards you have a new profile. And I mean we know how easy it is to connect such profiles. But it just sends a signal that you want to reduce the granularity of the target things. And that you just want to have a new profile. So we were a bit curious. And our analysis didn't test what happens when you put the device back on factory state. And for different Android versions there were different results from Google. So we couldn't understand that. Probably because we had a different testing environment than Google. Do you have any information on how it is on Apple? Yes. So that was just for this one very specific app. That is Sky Scanner. And when we tested it and went through a process, they wanted to know from which city you want to show something. And then it sent data. So I don't know why. It sends more when the ad customization is switched off. So the point is that we asked Google. So if you opt out for ad personalization, then you can no longer use these data for ad personalization. So it was legal. So a restriction on the use. Not just for ad personalization. Would there be any sense, for example, if we do this kind of research and we find that such apps actually hurt the privacy? So there are fdroid and these alternative apps that can be used for ad personalization. So it's not just for ad personalization. It's for ad personalization. So it's not just for ad personalization. So there are fdroid and these alternative app stores. That's a very low privacy area. To actually evaluate the apps and to say it's like doing an fdroid, to do a review of one to five stars regarding how well the privacy is protected with this app. And then you can recommend that a certain app should be installed. Yes, that would be a great feature. And one recommendation from our Google was to implement something similar. So in Google Play Store, I mean, they already show certain characteristics about apps, for example, if it has in-app purchases or why can't they show there too which third party track they built in or so. To add two more things. So in Play Store, of course, there are contract conditions and they always say you have to stick to existing laws. But here there is obviously a discrepancy between these definitions and how the apps are in practice. And here we have only looked at Facebook in this survey. This is one of the trackers that has a lot of apps, but of course there are thousands of trackers from different companies. And it is of course very difficult to see how invasive an app is. So you have to look at how many different trackers have an app. So at Room Binzen from the University of Oxford, they have just looked at how many trackers have apps in them. Hi, I was particularly interested in your communication. I am interested in your communication with the app developers. Is there an option to make this conversation public? It would be very interesting. There would be a possibility to address these problems from the customer's point of view. We had the app developer contact on December 19th with the contact. And we have all the answers that we have received. We will publish the answers that the app manufacturers have sent us. So for each app you can then look at the answer. So many apps have not yet been written back, but if you then write back, we will add that later. Also, to be fair, some said they need more time to... Just to say that, some apps have written to us. They need some time to give us the exact answer. Plus, because there is no answer yet, it is not bad. So, thank you very much. Also everyone who asks questions. You make the day even better. So a round of applause to everyone who has already asked a question. Please do that more often. I have another question related to communication. I have a question about communication with the developers. I am really surprised by the amount of the data that Facebook raises. Have you ever tried to upload a gigabyte of data and see if they just swallow it all? I think that would give our general counsel a heart attack. Yes, I think that would probably give our general counsel a heart attack. So of course it is a very interesting point. Some apps communicate with so many different trackers that some of my test environments were destroyed because it just needs too much RAM to cut the whole traffic. And if you turn off the Earth Personalization, then it seems to be a documented MITM Proxy bug. There is a bug that the Android device, HTTPS, begins to connect to a kind that MITM Proxy simply lets this connection fall and then the log is just full of garbage. Okay, I hope that we will be able to get a talk next year about someone who has tried it effectively. I have a similar idea. Since you have already answered these questions, it would be possible if Freifunk collected the last 1,000 add IDs and added them to all possible profiles to corrupt the data. Yes, of course there are even more GDPR legal questions. Please don't try that at home. Thank you for your lecture. One question. Do you have any experience with how successful Facebook is to connect the add ID to the Facebook account? What happens if you delete this account? Do they still keep any signs about you and do you have any options to find yourself even if you don't have your account on Facebook anymore? In your data protection and cookie policy and the contract conditions for these products, here at the SDK, you explain how to use data, also from people who don't have an account. And also in our conversation with Facebook, you explained how to use it. It's still not quite clear. And for this specific pattern that we observe here, it has a very vague answer. Well, I can't really answer the question because we just have to believe these statements that they have in their contract conditions. But my shadow profiling is actually a problem and these data measures have been maintained for a very long time. So it's very difficult to say what's going on. So, thank you very much for this great talk. Yes, and also here from the translator's office, I say thank you for listening. I'm Pleu.