Revolut is sharing your data with Facebook. Here’s what you need to know.

Hugo Batista
Published in The Startup
Apr 18, 2020
Photo by 🇨🇭 Claudio Schwarz | @purzlbaum on Unsplash

Did you know that Revolut, one of the most popular Fintechs in Europe, is sharing sensitive data with Facebook, like your IP Address, Device Name, Network Carrier Name, Timezone, and a unique identifier that tracks you? And *YES*, this happens whether you have a Facebook account or not.

As Privacy International presented at the 35th Chaos Communication Congress (35C3), 61% of popular Android apps automatically transfer data to Facebook the moment a user opens the app. This transfer happens even if you have never used Facebook on your device, or don’t have a Facebook account at all.

Facebook gathers information about you regardless of whether you are signed in or even have an account, and builds your profile from every interaction you have with its business partners through the apps installed on your device. This data is then correlated, aggregated, and shared back with Facebook partners.

Even when you don’t have a Facebook Account, it builds a shadow profile about you and your habits and preferences, aggregating information provided by your devices and apps. This is called Off-Facebook Activity.

It isn’t just Zoom, as revealed in the past weeks. Other well-known apps like Revolut share your data with Facebook for purposes to which you didn’t explicitly consent. Unfortunately, this has become a common practice that is undermining our Digital Privacy Rights.

How and why is this happening?

Facebook routinely tracks users outside its platform through Facebook Business Tools. Application developers share data with Facebook through Facebook’s Software Development Kit (Facebook SDK), a set of development tools that help software companies track their users and gather analytics about their profile. All data is typically shared together with a unique identifier (the Advertising Id), which allows advertisers to link data about user behavior from different apps into a comprehensive profile.

By integrating the SDK in their apps, developers can take advantage of automatically logged events, like App Install or App Launch. Developers can also extend this with custom application events, sharing additional information with Facebook and sometimes disclosing even more sensitive information, such as data stored inside the app, as Privacy International has found before.

How Revolut is sharing your data — app version 6.35

After seeing the Internet community’s surprise at Zoom’s use of the Facebook SDK, I decided to take a look at some popular finance apps, like Revolut. If the community is so surprised by this practice in a video-conferencing platform, what about a company one is supposed to trust with money?

When you start Revolut for the first time, Revolut contacts several trackers, including Facebook. This communication happens even if you don’t own a Revolut account, and before you accept the Terms and Conditions (more on this later):

Revolut first boot on an Android device — sharing data with the Facebook Graph API (research environment)

When initially starting the application, the SDK gets invoked several times, but one particular invocation sends an Application Install event to the Facebook Graph API detailing:

  • Your IP Address, allowing Facebook to geo-reference your location and correlate your device with other devices using the same IP Address;
  • Your Advertiser_id, a unique identifier shared across all applications installed on your device, which allows advertisers to link and correlate most of the data about you;
  • Your Device Model, Screen Resolution and system language;
  • Your Carrier Name and Timezone, allowing Facebook not only to know your location through the IP Address, but also whether you are traveling or roaming;
  • The origin of the application (the App Store), allowing Facebook to record whether you installed the app from the manufacturer’s store or from an alternative;

All these details contribute to fingerprinting your identity. Even if the Advertiser_id gets changed, correlating the additional information can go a long way towards re-identifying you and tagging you as a known user.

Details of data being shared to Facebook when clicking the App for the first time (research environment)

After the initial boot, I decided to log into my account and investigate what other information Revolut was sharing. As you can see in the picture below, Revolut was calling the Facebook Graph API on application login and start.

Logging into my account — Revolut sharing data with the Facebook Graph API (research environment)

Drilling down on the data that Revolut is sharing, one can see that a “Deferred_app_link” event is being sent to Facebook, indicating that you opened the app and are using it. This event allows Facebook to keep a log of the app usage, including the date and time, frequency, location, and the device you use it on. This way, Facebook can keep track of your app usage habits and profile you accordingly.

Details of data being shared to Facebook when opening the Revolut App (research environment)

I’d like to mention that I specifically opted out of social media & advertising platforms in the Privacy section of Revolut, as available in the app settings. Even so, that didn’t prevent Revolut from contacting Facebook and sharing information about me and my device.

Revolut’s privacy settings (research environment)

Is Revolut’s data sharing with Facebook complying with GDPR?

Most of the events I was able to capture in my research are automatically collected by Facebook when developers use its SDK inside an application. This behavior is active by design, and Facebook argues in its Data Policy that it is the developer’s sole responsibility (Revolut in this case) to make sure they are allowed to collect this data:

Excerpt from Facebook Data Policy — https://www.facebook.com/policy.php

So when the apps on your device use the Facebook SDK, you are also accepting Facebook’s Data Policy, which explicitly mentions:

Facebook handles your data in accordance with our Data Policy. This information can be used to improve our ads targeting and delivery capabilities, as well as improve other experiences on Facebook, including News Feed and Search content ranking capabilities.
https://developers.facebook.com/docs/app-events/faq#faq_118334958591299

Following the adoption of the General Data Protection Regulation (GDPR), the Facebook SDK started to allow developers to disable and delay automatically logged events until users accept the Terms and Conditions, delegating to app developers the sole responsibility of asking the user’s permission to collect this data. Developers can change this behavior through the Application Manifest, or programmatically, according to the SDK’s documentation:

Unfortunately, Revolut doesn’t seem to have implemented this, based on my analysis in the research environment, which included a review of the app’s Android Manifest.
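For comparison, this is one way a developer can implement the consent gating the SDK documentation describes: both the manifest flags and the programmatic switches, defaulting to off and enabled only after an explicit opt-in. It is an added example, not Revolut’s or Facebook’s code; the `FacebookSdk` and `AppEventsLogger` calls are the SDK’s own, while `ConsentStore` and `PrivacyAwareApplication` are hypothetical names (the latter registered via `android:name` on `<application>`).

```kotlin
// Added example, not Revolut's or Facebook's code. Assumes the Facebook Android
// SDK (5.x+); ConsentStore is a hypothetical helper defined here.
// Matching AndroidManifest.xml entries (inside <application>) so nothing is
// logged before onCreate() runs:
//   <meta-data android:name="com.facebook.sdk.AutoInitEnabled" android:value="false"/>
//   <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled" android:value="false"/>
//   <meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled" android:value="false"/>
import android.app.Application
import android.content.Context
import com.facebook.FacebookSdk
import com.facebook.appevents.AppEventsLogger
// Persists the user's choice; the default is "not opted in" (opt-in, not opt-out).
object ConsentStore {
    private const val PREFS = "privacy_consent"
    private const val KEY = "fb_tracking_opt_in"
    private fun prefs(ctx: Context) = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
    fun hasOptedIn(ctx: Context): Boolean = prefs(ctx).getBoolean(KEY, false)
    fun save(ctx: Context, optedIn: Boolean) = prefs(ctx).edit().putBoolean(KEY, optedIn).apply()
}
class PrivacyAwareApplication : Application() {
    override fun onCreate() {
        super.onCreate()
        // Defence in depth: repeat the manifest settings in code so a manifest
        // merge from another library cannot silently re-enable them.
        FacebookSdk.setAutoInitEnabled(false)
        FacebookSdk.setAutoLogAppEventsEnabled(false)
        FacebookSdk.setAdvertiserIDCollectionEnabled(false)
        // Returning users who already consented get the SDK started normally.
        if (ConsentStore.hasOptedIn(this)) enableFacebookEvents()
    }

    // Wire to the consent screen; runs only after the user ticks the box.
    fun onUserOptedIn() {
        ConsentStore.save(this, optedIn = true)
        enableFacebookEvents()
    }

    // Wire to the "social media & advertising" switch in the privacy settings.
    fun onUserOptedOut() {
        ConsentStore.save(this, optedIn = false)
        FacebookSdk.setAutoLogAppEventsEnabled(false)
        FacebookSdk.setAdvertiserIDCollectionEnabled(false)
    }
    private fun enableFacebookEvents() {
        FacebookSdk.setAutoInitEnabled(true)
        FacebookSdk.fullyInitialize()
        FacebookSdk.setAutoLogAppEventsEnabled(true)
        FacebookSdk.setAdvertiserIDCollectionEnabled(true)
        AppEventsLogger.activateApp(this)
    }
}
```

With this in place, the App Install and Deferred_app_link events described above are not sent on first boot, and flipping the in-app privacy switch off actually stops them, which is the behavior the article found missing.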

This lack of control appears to conflict with several GDPR principles: it collects, stores, and shares user data without the user’s consent. According to GDPR, Revolut should not collect any information before asking for the user’s permission.

Revolut could argue that this was a misconfiguration. Still, apart from the automatically logged events, I was also able to capture Custom Events in my research, which shows that Revolut’s developers are intentionally using the SDK and collecting information through it. In this case, it seems to log that I needed to verify my picture before logging in:

Details of a custom event shared by Revolut with Facebook (research environment)

What is Revolut’s Privacy Policy saying about this?

I always tend to read the Privacy Policy or Terms and Conditions of the services I use. I read a lot of Data Privacy Policies as part of my research on Digital Privacy, Digital Footprint, and their use in pandemic controls (spoiler alert), and Revolut was no exception.

First, all the collected details that I mentioned above are described by Revolut in its Data Privacy Policy. When you agree to Revolut’s Terms and Conditions, you agree that Revolut can collect technical information, including your IP Address, the device type you use, the device IMEI, a unique identifier, and mobile network information.

Revolut also explicitly mentions that it can collect photos or videos from your device, as detailed:

Excerpt extracted from Revolut’s Data Privacy Policy as of April 17th, 2020, 23:00 GMT

Regarding social networks, Revolut mentions that it can collect information about you on Facebook or similar online services, but only if you explicitly allow it.

Excerpt extracted from Revolut’s Data Privacy Policy as of April 17th, 2020, 23:00 GMT

However, Revolut’s Privacy Policy has an entire section dedicated to sharing your information with external parties, and this is where things get interesting. That section explicitly mentions that Revolut may share your information with its advertising partners.

Excerpt extracted from Revolut’s Data Privacy Policy as of April 17th, 2020, 23:00 GMT

Please note that the Privacy Policy doesn’t mention any opt-in capability. As a privacy best practice, applications should implement user opt-in instead of opt-out. This pervasive opt-out practice runs counter to privacy principles.

By design, Revolut reserves the right to share your information with social networks, including Facebook, for legitimate interests.

Interestingly, Revolut’s privacy policy indicates that the social media platform can “check if you also hold an account with them,” and if you do, send Revolut adverts to you or to similar profiles. What Revolut doesn’t mention is that even if you don’t have a Facebook account, a shadow profile is being built by Facebook with the contributions of misbehaving apps on your device (like Revolut). That data is being collected by Facebook to fingerprint and track you.

Is Revolut sharing data only with Facebook?

No. While I am writing this article focusing on Facebook data sharing, Revolut uses at least nine trackers, according to this Exodus report, including Branch, Facebook, and Google.

What data is Facebook collecting about me?

After changes in the European Laws, Facebook implemented the capability to see your activity Off-Facebook, also integrating with “Download my info.” This tool allows you to view and download some information that Facebook is collecting through the usage of their service, apps, and business partners.

Extract from “Download my Info” report, showing “Revolut” sent events

As one can see above, Facebook was able to correlate the usage of Revolut with a specific Facebook profile, and in that way infer who the user of that Revolut account is. Facebook can connect this information through the Advertising Id, which is shared across the apps on your device. If you happen to sign in to *any* app with your Facebook login, it detects that you are the owner of the previously collected metadata and completes your advertising profile with all the data shared by your apps.

As you can see, this report is deficient in data, and in the case of Custom Events you can’t even drill down to the detail of the event. It also doesn’t mention the information sent to Facebook, like device and personal data, which is of dubious compliance with the Right of Access in GDPR.

It gets creepy: Facebook knows my washing machine program finished, while I was not at home

Candy simply-Fi activity recorded (research environment)

While conducting this research, I tested a lot of apps and devices. One of the apps tested was a connected-appliance app that allows me to interact with a washing machine remotely. That app does not mention Facebook at all, but apparently it contacts Facebook every time the washing program ends.

Off-Facebook Activity — hundreds of apps sharing data (research environment)

The correlation between that event and the Facebook account was possible because app developers are sharing data with Facebook without my knowledge. In this research, I was able to detect more than a hundred apps and sites that proactively share information with Facebook. By sharing this data, apps enable Facebook to build a very detailed profile of a user that could include their interests, religion, ethics, financial relationships, location, or even relationships with other users.

How to take action

While regulators need to improve current legislation to make sure that Service Providers act more responsibly with User Data, you can take several measures that will reduce the amount of data that Facebook is collecting about you:

  • If you use the latest OS versions on your mobile devices, make sure you reset your advertising id frequently and opt out of ad personalization. On Android you can do this by navigating to Settings > Google (Services & Preferences) > Ads;
  • Periodically check the data that social networks are collecting about you. Delete it and opt out of data collection when possible. On Facebook, you can do it here;
  • Make sure you use a browser that blocks trackers (e.g. Brave), including on your mobile device;
  • Avoid native social network applications if possible. If you need to interact with Facebook or any other social network, do it in a (privacy-focused) browser instead;
  • When feasible, download your apps from app stores that display integrated reports about trackers, like the Exodus report mentioned above. Aurora Store is an interesting alternative for Android, but you should judge what the best option for your devices is;
  • Take a look at the Exodus report before installing an app;
  • If you are an advanced user, take a look at Pi-hole and deploy it on your network if possible. Pi-hole is a network-level ad and tracker blocker that increases your Digital Privacy while browsing the internet;

And, please read Privacy Policies before accepting a new service, namely on services that are Banking or Financial related.

A final word and disclaimer about Revolut

I was an early adopter of Revolut. By the time I am writing this article, I am still a Revolut Premium Customer, and in the past, I heavily relied on Revolut while traveling. Revolut is a new service that challenged the way traditional banks were working and democratized access to financial services. I’ve been seeing traditional banks reengineering their products and processes to compete with Revolut, which I think favors innovation in Financial Services.

But Digital Privacy should be non-negotiable. The recent Privacy Policy changes and practices don’t demonstrate a Privacy by Design approach, where the user needs to opt in to privacy-challenging practices. This type of strategy usually tags the consumer as the product, which is not a Digital Privacy practice one should advocate (especially in the financial and health industries).

About Me

I am a Digital Privacy and Security Advisor, working as a freelancer. As a strong advocate of Digital Privacy Rights, I am currently studying and investigating the new Digital Privacy challenges created by the globalization of social networks, particularly in the area of Sharenting and its impact on future generations through their Digital Footprint.

Thanks for taking the time to read, and please leave any comments or thoughts, and I’ll try to reply when possible. If you liked this article, don’t be shy and demonstrate your appreciation. Thanks!
