Skift Take

What's clear from the report is that Facebook and some travel apps are sharing way more personal information than they had admitted to. The backlash will undoubtedly pick up steam, although Facebook seems to have largely escaped condemnation from this latest disclosure.

Travel apps such as Kayak, TripAdvisor, Skyscanner, and Yelp shared extensive user information from their Android apps with Facebook regardless whether or not consumers were Facebook members or were logged off from their accounts, a new privacy report found.

“A prime example is the travel search and price comparison app Kayak, which sends detailed information about people’s flight searches to Facebook, including: departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class),” reads the report from London-based Privacy International.

The organization labels the type of data the apps provided to Facebook, including the user’s Google advertising ID in the case of Kayak and Skyscanner, as “personal data,” some of which may arguably be processed in compliance with the new European privacy regulations, GDPR, for example.

However, Privacy International details how some of this data becomes personally identifiable, albeit indirectly.

“The primary purpose of advertising IDs, such as the Google advertising ID (or Apple’s equivalent, the IDFA) is to allow advertisers to link data about user behavior from different apps and web browsing into a comprehensive profile,” the report said. “If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion.”

Privacy International found that TripAdvisor, Skyscanner, Kayak and Yelp had all transferred data to Facebook once users opened their respective apps, but of the four travel-related companies cited, only Skyscanner and Kayak tied the data sent to users’ Google ad IDs. Some 23 of the 34 Android apps the organization tested transferred data to Facebook about when a user opened or closed an app, as well as the user’s device type, location, language and time zone settings regardless whether or not the user had a Facebook profile.

Skift did not receive replies to requests for comment from Kayak, Skyscanner, Yelp or Facebook, but some of the companies are known to be doing app modifications in the wake of the Privacy International report.

Within the report, Skyscanner, which does flight and hotel price comparisons, as do Kayak and TripAdvisor, thanked Privacy International for alerting the company to the issue, and said, “Since receiving your letter, we released an update to our app as a priority which will stop the transmission of data via the Facebook SDK. As a further result of this we will audit all our consent tracking and are committed to making any changes necessary to ensure that travellers privacy rights are fully respected.”

TripAdvisor responded to Privacy International on December 24 after the organization contacted the company about its then-upcoming report, noting that “Respecting the data protection rights of our users is of utmost importance to TripAdvisor. […] Given the complexity of the technical issues you raise, we respectfully consider the statements you have made to be somewhat oversimplified. […]”

TripAdvisor also issued a statement saying it is in the process of investigating the Privacy International report’s findings regarding its use of the Facebook SDK (Software Development Kit.) “We will make a determination about any actions or clarifications once the investigation is complete,” TripAdvisor said.

The report said that Skyscanner and Kayak had been sharing this personal information with Facebook regardless whether the user had opted out of being subjected to ad personalization.

Some 61 percent of the Android apps that Privacy International tested in the last five months of 2018 automatically transferred user data to Facebook when the user logged into the apps, regardless whether they had Facebook accounts or were logged into Facebook, the report found. The tests were not limited to travel apps.

One of the apparent issues in the data sharing is that Facebook launched an update to its developer kit about a month after the European privacy regulations went into effect last year that enabled companies to delay transmitting information data to Facebook until they obtained user consent, but Skyscanner was using an older version of the developer kit.

Some of the data that travel companies send to Facebook relate to logging into their apps using their Facebook log-ins, as well as for advertising, and providing updated pricing information for Facebook’s news feed, for example.

A Web of Scandal

Facebook has been caught up in a series of privacy scandals, including sharing personally identifiable information for perhaps 87 million users. The New York Times reported in December that “Facebook gave Netflix, Spotify and the Royal Bank of Canada the ability to read, write and delete users’ private messages; it gave Microsoft, Sony and Amazon the ability to obtain email addresses of their users’ friends as late as 2017; and it gave device manufacturers such as Apple the ability to build special features that plugged into the social network.”

Some travel companies believe Facebook has been overly aggressive in harvesting user data from their Android apps, and has breached much, if  not all, of the trust that remained.

Uncover the next wave of innovation in travel.
June 4 in New York City
See Who's Coming

Have a confidential tip for Skift? Get in touch

Tags: apps, facebook, kayak, privacy, skyscanner, tripadvisor

Photo credit: A passenger standing in front of the display board for departures at the airport in Munich, Germany, Tuesday Nov. 29, 2016. Privacy International said Android apps such as Kayak's have been sharing users' detailed travel information with Facebook in ways that border on making the user personally identifiable. 208148 / 208148

Up Next

Loading next stories