A team of Pakistani researchers at the University of Iowa and Lahore University of Management and Sciences (LUMS) has caught as many as 16 Facebook apps secretly sharing user data with third-parties.
Using a technique named CanaryTrap in conjunction with Facebook’s ad transparency tool, the study used ‘honeytoken’ emails to install Facebook apps and observe if the inboxes received any unsolicited emails from unknown senders.
Honeytokens are fictitious data, tokens, or files that IT experts plant into legitimate databases to track data and detect any malicious activity. If data is stolen or leaked, honeytokens allow administrators to identify who it was stolen from or how it was leaked.
In the CanaryTrap study, unique email addresses served as honeytokens, which the researchers used to register new Facebook accounts.
On Facebook’s platform, there are hundreds of thousands of third-party apps that have access to potentially billions of accounts containing information like email addresses, dates of birth, gender, and likes.
In most cases, it’s almost impossible to detect data misuse by these apps as their data is stored on servers that are often beyond even Facebook’s own reach.
In the CanaryTrap study, the researchers created Facebook accounts using honeytoken emails, installed a Facebook app and used it for 15 minutes, and then uninstalled it from the accounts.
In the second step, they observed their honeytoken email inboxes for any new traffic; if they received any unsolicited emails, it would mean that their data was shared with a third-party.
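The install-and-watch procedure above, as an added example that is not the study's own code: a small Python registry that derives one honeytoken address per app and then attributes unsolicited inbox traffic back to the app whose address received it. The mail domain, derivation key, app names and inbox entries are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed for this example: the honeytoken mail domain and the key used
# to derive per-app addresses are placeholders, not values from the study.
HONEY_DOMAIN = "canary.example.org"
DERIVATION_KEY = "replace-with-a-random-secret"


def honeytoken_for(app_name: str, key: str = DERIVATION_KEY) -> str:
    """Derive one unique honeytoken address per app from a keyed hash, so the
    label is opaque: a recipient cannot tell which app it was registered with."""
    label = hashlib.sha256(f"{key}:{app_name}".encode()).hexdigest()[:12]
    return f"ht-{label}@{HONEY_DOMAIN}"


def build_registry(apps: dict[str, set[str]]) -> dict[str, tuple[str, set[str]]]:
    """Map each honeytoken to (app name, sender domains the app itself uses)."""
    return {honeytoken_for(name): (name, {d.lower() for d in own})
            for name, own in apps.items()}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def attribute_leaks(registry: dict, inbox: list[dict]) -> dict[str, list[str]]:
    """For each app, list the unknown senders that mailed its honeytoken.
    Mail from the app's own domains (a welcome email, say) is expected and
    skipped; any other sender means the address reached a third party."""
    leaks: dict[str, list[str]] = defaultdict(list)
    for msg in inbox:
        entry = registry.get(msg["to"].lower())
        if entry is None:
            continue  # not one of our honeytokens
        app, own_domains = entry
        if sender_domain(msg["from"]) not in own_domains:
            leaks[app].append(msg["from"])
    return dict(leaks)


# Constructed sample: two apps and a few inbox entries observed afterwards.
APPS = {"QuizApp": {"quizapp.example"}, "PhotoFilter": {"photofilter.example"}}
REGISTRY = build_registry(APPS)
INBOX = [
    {"to": honeytoken_for("QuizApp"), "from": "welcome@quizapp.example"},
    {"to": honeytoken_for("QuizApp"), "from": "deals@unrelated-affiliate.example"},
    {"to": honeytoken_for("QuizApp"), "from": "noreply@scam-lottery.example"},
    {"to": honeytoken_for("PhotoFilter"), "from": "hello@photofilter.example"},
]
```

Calling `attribute_leaks(REGISTRY, INBOX)` flags only QuizApp, with the two senders that are not its own domain; PhotoFilter, which only mailed from its own domain, is not reported.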
The CanaryTrap study tested 1,024 third-party Facebook apps, of which 16 were found to be sharing user data with third parties, as the researchers received emails from senders they did not know.
Of these 16 apps, nine acknowledged an association with the email sender, while six denied sharing data with any outsiders.
The apps that disclosed data sharing usually described the relationship as one with an unrelated affiliate website or business partner. What is more interesting, and more complex, is that the emails received were usually not related to the app at all.
The types of emails received ranged from sextortion threats and spam to other email scams. The CanaryTrap authors say that 1,024 apps is a small sample size and that if more apps are tested, more instances of unauthorized data sharing will come to the fore.
For the apps that denied data sharing, the researchers were not sure how the data leak happened; according to them, it could be a security incident such as an exposed server or an intrusion by a hacker.
“In our study of the 1,024 third-party Facebook apps, we made many other startling findings,” says Shehroze Farooqi, CanaryTrap’s lead author, who is a PhD student at the University of Iowa. Other co-authors include Zubair Shafiq (The University of Iowa), Maaz Musa (The University of Iowa/Lahore University of Management and Sciences), and Fareed Zaffar (Lahore University of Management and Sciences).
According to Shehroze, it is not just Facebook: unfortunately, app developers themselves are also often clueless. “One of the developers told us that they had no idea what their app even does so they deactivated it right away. Thus, the onus is on both Facebook and app developers to protect user data,” he shares.
It’s not that Facebook is unaware of such ‘rogue’ app developers. In fact, the social media giant has also taken palpable measures to rid its developer base of such elements. In addition to suing numerous developers in the recent past, Facebook is also set to bring into effect new updates to its Platform Terms and Developer Policies.
“Our study discovers the misuse of user data shared with third-party apps on Facebook since we only implement CanaryTrap for Facebook,” Shehroze says.
“It is possible that the potential misuse of user data is happening on other platforms like Twitter and Instagram as well as various Google products (such as Gmail and GSuite marketplace),” he adds.
Shehroze and his team believe the existing application of CanaryTrap can be tweaked with reasonably minimal changes to monitor misuse of user data on other platforms too. They are convinced that the same approach can be adopted not only by these platforms, but also by independent watchdogs or regulators like the FTC to monitor misuse of user data by third-party apps.