An investigation from Privacy International found various period-tracking apps with millions of downloads were sharing extremely sensitive and detailed data with Facebook and other third-parties.
Two apps in particular, Maya and MIA Fem, shared details as personal as when users last had sex.
Following the report Maya told Privacy International it was removing the Facebook Software Development Kit (SDK) that was facilitating this data sharing.
A Facebook spokeswoman told Business Insider the platform's terms of service "prohibit developers from sending us sensitive health information and we enforce against them when we learn they are."
An investigation from privacy advocacy group Privacy International found that period-tracking apps downloaded by millions of users shared alarmingly sensitive data with Facebook and other third-parties, including users' drinking habits, medical symptoms, and when they last had sex.
Privacy International's report identified five apps which shared data with Facebook. It focused on two apps in particular — Maya and MIA Fem — which the report said were sharing alarming amounts of detail.
Maya has over five million downloads on the Google Play Store, while MIA Fem has one million.
Both apps had Facebook's Software Development Kit (SDK). SDK lets apps use certain features, for example allowing users to log in via Facebook, and helps the apps manage their data. In return, the apps feed data back to Facebook.
Once users start using the apps, incredibly specific and sensitive information was also passed along. Both apps shared data to other third-parties as well as Facebook, Privacy International said.
Here is the data that Maya passed on:
If users reported symptoms such as cramps or breast tenderness.
Whether they were on contraception, e.g. the pill.
Moods e.g. whether they were feeling "sexy" or "anxious."
When users last had sex, and whether they used protection.
Here is the data that MIA Fem passed on:
Whether users were using the app as a regular period-tracker, or as a fertility-tracker because they were trying to get pregnant.
The date of users' last period and the duration of the cycle.
Whether users have been drinking coffee and alcohol.
What feminine hygiene products users were using.
Medical symptoms e.g. constipation and diarrhea.
MIA Fem also passed on inferable data about users' sex lives because it takes data, e.g. whether they had masturbated recently, and recommends users articles based on this.
Privacy International found MIA Fem passed on which articles had been shown to users, for example one entitled "Masturbation: What You Want to Know But Are Ashamed to Ask." The report repeatedly voices the concern that any and all of this data could potentially be used by advertisers.
Eva Blum-Dumontet, who led the investigation, told Business Insider that even people without Facebook accounts were having their information relayed to the social media giant.
"Regardless of whether you're a user or not Facebook gets this information, and it's tied to your unique advertisement ID so it's really tied to your identity," she said.
"On some of the apps we've looked at it's tied to your email address, so they can really trace you regardless of whether you have an account or not."
After Privacy International got in touch with Maya's developer about its report, the company's CEO replied saying it had "removed both the Facebook core SDK and Analytics SDK."
Blum-Dumontet told Business Insider she was extremely pleased with this outcome.
Maya was not immediately available to comment when contacted by Business Insider.
MIA Fem did not immediately respond to a request for comment from Business Insider, but provided a detailed statement to Privacy International, which Privacy International then shared with Buzzfeed. When it did so, MIA Fem threatened legal action against Privacy International and asked Buzzfeed to delete the response, Buzzfeed reported.
The statement made by MIA Fem referenced has not been made public by Buzzfeed or Privacy International.
A Facebook spokesperson told BuzzFeed the company requires app developers to be clear with users about what data they're gathering, and have a "lawful basis" for gathering it.
"We have systems in place to detect and delete certain types of data such as Social Security Numbers, passwords, and other personal data, such as email or phone number. We have begun looking at ways to improve our system and products to detect and filter out more types of potentially sensitive data," the spokesperson said.
The company also said it had got in touch with the apps in question about potential violations of its terms of service.
A Facebook spokeswoman told Business Insider: "Contrary to Buzzfeed's reporting, our terms of service prohibit developers from sending us sensitive health information and we enforce against them when we learn they are. In addition, ad targeting based on people's interests does not leverage information gleaned from people's activity across other apps or websites."