TripAdvisor Hotels Flights Restaurants Attractions
We retested this app on 17/02/2019. The app still contacts Facebook as soon as the app is opened, but no longer shares your Google advertising ID.
Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.
TripAdvisor is a crowdsourced rating app for services and attractions.
From the Google Play Store app description:
" Discover helpful travel recommendations and advice from the people and experts you follow and easily save and share ideas to plan and book your perfect trip. With millions of traveler reviews and photos, bookable tours and attractions, and recommended restaurants, it's everything you need to know and go better, every time. "
This documentation demonstrates actions taken by the test user and the app's subsequent responses.
Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:
Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)
format: json
sdk: android
event: MOBILE_APP_INSTALL
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ7dc42dfb-bcce-4491-9871-27b857850e4d
application_tracking_enabled: true
extinfo: ["a2","com.tripadvisor.tripadvisor",181119030,"29.0","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name: com.tripadvisor.tripadvisor
With the response:
{
"success":true
}
Without any further user action, the app sends the following request to graph.facebook.com
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543759203,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","places_lib_included":"1","all_lib_included":"1","share_lib_included":"1","messenger_lib_included":"1","applinks_lib_included":"1"},{"_eventName":"fb_codeless_debug","_eventName_md5":"0156d8b3a2fa63d1be3f73ccdbd45aa6","_logTime":1543759203,"_ui":"unknown","_implicitlyLogged":"1","_codeless_action":"sdk_initialized"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543759204,"_ui":"TripAdvisorTripAdvisorActivity","_session_id":"f55f7bbb-6220-4689-8923-153623c1a378","fb_mobile_launch_source":"Unclassified()"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZ7dc42dfb-bcce-4491-9871-27b857850e4d
application_tracking_enabled: true
extinfo: ["a2","com.tripadvisor.tripadvisor",181119030,"29.0","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\/London"]
application_package_name: com.tripadvisor.tripadvisor
With the response:
{
"success":true
}
Test user action 2: The user completes the setup process, selecting currency and language. Ultimately, the user is asked to sign in and accept the terms and conditions and privacy policy.
Test user action 3: The user presses the (x) button rejecting the terms and conditions and privacy policy
A screenshot showing this dialog is shown below.
Test user action 4: The user interacts further with the app
Response from app: No further data is sent to graph.facebook.com
Test user action 5: The user closes the application
Response from app: No further data is sent or received by the app from graph.facebook.com
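The following is an added example, not part of the original test documentation: a Python sketch that summarises what one captured form-encoded request discloses, using fields from the first request above as a constructed sample. The function name `audit_request` and the labels given to the `extinfo` positions are assumptions inferred from the captured values.

```python
import json

ID_FIELDS = ("advertiser_id", "anon_id")  # per-device / per-install identifiers

# Assumed labels for the extinfo positions, inferred from the values captured
# on this page (not taken from Facebook documentation).
EXTINFO_LABELS = (
    "format", "package", "version_code", "version_name", "os_version",
    "device_model", "locale", "tz_abbrev", "carrier", "screen_width",
    "screen_height", "screen_density", "cpu_cores", "storage_total_gb",
    "storage_free_gb", "timezone",
)

# Constructed sample: a subset of the form fields of the first request shown
# on this page, as an intercepting proxy would expose them (name -> string).
SAMPLE_FIELDS = {
    "event": "MOBILE_APP_INSTALL",
    "advertiser_id": "474364c6-e9cf-4971-8dd2-b1dc3c605450",
    "advertiser_tracking_enabled": "true",
    "anon_id": "XZ7dc42dfb-bcce-4491-9871-27b857850e4d",
    "extinfo": '["a2","com.tripadvisor.tripadvisor",181119030,"29.0","8.1.0",'
               '"Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,8,"Europe\\/London"]',
}


def audit_request(host, fields):
    """Summarise what one captured form-encoded request discloses."""
    events = [fields["event"]] if "event" in fields else []
    if "custom_events_file" in fields:
        # CUSTOM_APP_EVENTS carries a JSON array of individual SDK events.
        events += [e["_eventName"] for e in json.loads(fields["custom_events_file"])]
    device = {}
    if "extinfo" in fields:
        device = dict(zip(EXTINFO_LABELS, json.loads(fields["extinfo"])))
    identifiers = {k: fields[k] for k in ID_FIELDS if fields.get(k)}
    return {
        "contacts_facebook": host == "facebook.com" or host.endswith(".facebook.com"),
        "shares_advertising_id": "advertiser_id" in identifiers,
        "identifiers": identifiers,
        "events": events,
        "device": device,
    }


if __name__ == "__main__":
    print(json.dumps(audit_request("graph.facebook.com", SAMPLE_FIELDS), indent=2))
```

Run against a request that omits `advertiser_id`, the same check reports contact with Facebook but no advertising ID, which is the distinction the retest note at the top of this page draws.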
Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.
Note 2: The phone videos are split into multiple parts due to a 180 second limitation in the Android Developer Bridge screenrecord command.
TripAdvisor, 24 December 2018 (via E-Mail to Privacy International)
“We write in response to your letter dated 19 December 2018 in which you provide advance notice of a publication regarding third party tracking via the Facebook SDK on Android applications. […] In addition to providing acknowledgement of receipt, we write to advise that we are committed to engaging with Privacy International. Respecting the data protection rights of our users is of utmost importance to TripAdvisor. […] Given the complexity of the technical issues you raise, we respectfully consider the statements you have made to be somewhat oversimplified. […]”
TripAdvisor, 23 January 2019 (via E-Mail to Privacy International)
"To reiterate, as was set out in our original letter, we are keen to engage with Privacy International and thank you for bringing your findings of the investigation into third party tracking via the Facebook SDK on Android Apps to our attention.
We have concluded our preliminary investigation into the matters you raised and write to provide an update as to our own findings and subsequent actions taken.
TripAdvisor uses the Facebook SDK in order to present users with relevant advertising and to enhance their user experience. Our findings indicate that the default setting of Facebook’s SDK triggered the sending of Google Advertising IDs of Android users at the point of TripAdvisor App install or initiation. Upon discovery of this activity, we immediately dedicated a team of specialist resources to customize the SDK signal to prevent the transmission of the user Google Advertising IDs to Facebook until users have been informed about our data sharing practices and have provided their permission. The aforementioned changes took effect in our most recent App update release, which was submitted and subjected to Google Play Store’s internal moderation process during the week commencing 21 January 2019.
In addition to the action noted above, we will continue to monitor how data is transmitted via other operating systems, including iOS, and take appropriate action. We are committed to respecting the data privacy rights of our users and would like to thank you once again for alerting us to this matter, which has provided us with an opportunity to further bolster our data privacy practices."