Greater Boston’s two big online travel services, Kayak and TripAdvisor, could face tough questions from European privacy regulators over claims they share sensitive information with the giant social network Facebook without their users’ permission.
“For most people it’ll come as a big surprise that an app that doesn’t have anything to do with Facebook is sending your data to Facebook,” said Frederike Kaltheuner, a researcher for Privacy International, a British watchdog group that discovered the data-sharing.
Kaltheuner said the practice may be illegal under a new European Union law that requires companies to ask permission before sharing a user’s data with third parties. “It’s definitely a violation of the spirit of the law,” she said.
The practice was reported by the Financial Times over the weekend.
Kayak did not respond to requests for comment.
TripAdvisor issued a response to the report that promised to discuss the issue with Privacy International, while downplaying the group’s criticisms. “The technical issues raised by Privacy International are extremely complex, and we respectfully consider the statements they have made to be somewhat oversimplified,” the company said.
Kaltheuner and her colleagues tested about three dozen popular Android smartphone apps used by millions worldwide. The group found that about 20 of them, including an app from Needham-based TripAdvisor, shared some information with Facebook the moment they were launched. Even if the app user didn’t have a Facebook account, the social network would be notified that the app was running. Facebook would receive a unique code to identify the specific phone running the app. By collecting the data for months or years, Facebook could gain insights into the user’s travel habits.
Kaltheuner said they plan to do the same test with Apple iPhone apps.
But Facebook would learn even more detail from the app for Kayak, which is based in Stamford, Conn., but has its technology headquarters in Cambridge. Kaltheuner found that this software shared the user’s travel dates, which flights and destinations he or she had searched for, whether a traveler flew first-class or economy, and even whether the user was traveling with children.
The information given to Facebook didn’t include the travelers’ names or addresses. But Kaltheuner said that by combining the app data with other information collected by Facebook and by data broker services like Equifax, it would be easy to identify individuals.
However, “we obviously don’t know what Facebook is doing with the data,” she added.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington, D.C., online civil liberties group, said Kaltheuner’s report shows the futility of expecting consumers to protect their own privacy. “People are increasingly fed up with the expectation they’re somehow able to monitor the privacy practices of these firms,” Rotenberg said. “It’s the Federal Trade Commission’s responsibility.”
Rotenberg believes the data-sharing practices listed in the Privacy International report violate a 2011 consent decree between Facebook and the FTC. The agreement requires Facebook to provide users with accurate information about its data-sharing practices and to set up a comprehensive data-privacy program.
Rotenberg has long argued that Facebook is flouting the consent decree, and he sees the Privacy International study as further evidence. “There’s no question that Facebook engages in deceptive practices to gather user data in violation of the consent order,” he said.
Facebook issued a statement that indicated the app developers, not Facebook, are responsible for protecting user privacy, by writing apps that limit the way data are sent to Facebook.
“Developers can choose to collect app events automatically, to not collect them at all, or to delay collecting them until consent is obtained, depending on their particular circumstances,” the statement said. “We also require developers to ensure they have an appropriate legal basis to collect and process users’ information.”
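Facebook's statement describes three developer choices: collect app events automatically, never collect them, or defer collection until consent is obtained. The Android snippet below is an added illustration of the deferred option; it is not code from the article, from Kayak or TripAdvisor, or from Facebook. It assumes the Facebook Android SDK's documented manifest flags (`com.facebook.sdk.AutoInitEnabled`, `com.facebook.sdk.AutoLogAppEventsEnabled`, `com.facebook.sdk.AdvertiserIDCollectionEnabled`) and the `FacebookSdk` / `AppEventsLogger` methods shown; the `ConsentStore` class and the `TravelApp` name are hypothetical.

```java
// AndroidManifest.xml (inside <application>): keep the SDK silent at launch.
// Assumed to be the Facebook Android SDK's documented manifest flags:
//   <meta-data android:name="com.facebook.sdk.AutoInitEnabled" android:value="false" />
//   <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled" android:value="false" />
//   <meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled" android:value="false" />

import android.app.Application;
import android.content.Context;
import android.content.SharedPreferences;
import com.facebook.FacebookSdk;
import com.facebook.appevents.AppEventsLogger;

public class TravelApp extends Application {

    // Hypothetical consent store backed by SharedPreferences; only the
    // user's explicit opt-in is persisted, never any travel data.
    static final class ConsentStore {
        private static final String PREFS = "consent";
        private static final String KEY_ANALYTICS = "third_party_analytics";
        private final SharedPreferences prefs;

        ConsentStore(Context ctx) {
            prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        }

        boolean hasAnalyticsConsent() {
            return prefs.getBoolean(KEY_ANALYTICS, false); // default: no consent
        }

        void setAnalyticsConsent(boolean granted) {
            prefs.edit().putBoolean(KEY_ANALYTICS, granted).apply();
        }
    }

    private ConsentStore consent;

    @Override
    public void onCreate() {
        super.onCreate();
        consent = new ConsentStore(this);
        // With AutoInitEnabled=false nothing is sent on launch: the SDK stays
        // uninitialized until enableFacebookEvents() runs after an opt-in.
        if (consent.hasAnalyticsConsent()) {
            enableFacebookEvents();
        }
    }

    /** Called by the consent dialog once the user explicitly opts in. */
    public void onUserGrantedAnalyticsConsent() {
        consent.setAnalyticsConsent(true);
        enableFacebookEvents();
    }

    /** Called when the user withdraws consent; halts further collection. */
    public void onUserRevokedAnalyticsConsent() {
        consent.setAnalyticsConsent(false);
        FacebookSdk.setAutoLogAppEventsEnabled(false);
        FacebookSdk.setAdvertiserIDCollectionEnabled(false);
    }

    private void enableFacebookEvents() {
        // Assumed SDK calls: initialize, then turn on automatic events and
        // advertiser-ID collection only now that consent is recorded.
        FacebookSdk.sdkInitialize(getApplicationContext());
        FacebookSdk.setAutoLogAppEventsEnabled(true);
        FacebookSdk.setAdvertiserIDCollectionEnabled(true);
        AppEventsLogger.activateApp(this);
        // Search parameters (dates, routes, cabin class, travelling with
        // children) are still never logged as custom events from this app.
    }
}
```

The point of the pattern is that the consent check happens before the SDK is initialized at all, not after its first automatic "app launched" event has already left the device; a developer auditing an app for the behaviour Privacy International describes would look first at whether those manifest flags are set and whether any SDK initialization path runs before the consent gate.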
But Kaltheuner argued that Facebook could take responsibility by accepting personal data only from apps that have permission to share it.