Not trashing this password manager, but this information is disturbing, to say the least...
I went on to read the entire thread on Reddit and found interesting things there; I'll quote them. Thanks for sharing!
The OP's post is like one of those that begin with a fact or two and then start bashing the product, adding mere speculation out of irritation. Yet new findings surfaced. The PM of Myki clarified the OP's queries there.
Myki guy on Reddit >>
Let's talk about Facebook and the 2 ways we use it.
1) We run Ads on Facebook:
We run ads on Facebook in order to increase our reach. It is one of our marketing tools. Now there are things we can do to further enhance those ads, to show them to more relevant people, be less intrusive, etc. For that we need some information about how our users are using the product, which brings me to ...
2) We gather anonymous data:
It's important for us on so many levels to know how our users interact with our product. It is one of the most effective ways of measuring success, as well as increasing the performance/efficiency of our ads.
So yes, we do run ads on Facebook and yes, we do use Facebook to track some usage data to make better products and be better at what we do but there is something extremely important about the way we do it, and that is where OP seems to have jumped to conclusions which spreads misinformation about us as product makers but also as people, so I hope I can rectify this with the following clarifications:
All of the data we collect is strictly and unequivocally anonymous. Here's how it goes:
User signs up with their phone number; that phone number is hashed and then stored on our server. Every user gets a unique identifier, or what we call a "UserID"; that UserID is then associated with the hashed phone number. This way our systems can verify your Myki identity when you create a backup or you restore from one. Beyond that, the phone number is not used for anything else; it is not shared with Facebook, Google or any other party.
Again, we do not share phone numbers. We don't even have them in the first place. There is no cross-referencing because there is nothing to cross-reference. The way they know you used our service is simply because we run ads, that's all. They don't have any identifiable information about you from Myki and they never will.
Anyone can head over to the Privacy Center in our apps and OPT OUT OF ANONYMOUS DATA.
MYKI Privacy Policy >>
We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have installed the Myki app to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing so.
We collect anonymized analytics and usage information in order to improve our services. This information is used in order to provide us with aggregate information to know what features to focus on the most and which features we need to improve.
[ref 1]
Example of information includes:
- How many users come from advertisements that we run
- How many users properly go through the initial onboarding
- How many users purchase pro features
- How many users use the share passwords feature
- How many users use Myki on more than one device
- How many users are backing up their vaults properly
All of this usage information can be disabled from our privacy center page in the Myki app. Opting out of usage analytics will stop sharing any usage information.
Now, out of curiosity (and concern), I spent some time researching Myki's Privacy Policy, Facebook Business Tools' Terms of Use, browser extension APIs and permissions, and reports on Facebook integration in mobile apps.
Let me highlight some interesting points here ...
regarding User's Mobile Number Tracking
They're using a hash to store mobile numbers, so that they can match (and verify) the number again when you try to restore your data on a new phone, for example. So they cannot use the actual number themselves or share it with a 3rd party like FB.
They also use salting to make the hash unique, so that the hash (of the user's mobile number) cannot be matched with a hash that a 3rd party has, thus preventing user matching by 3rd parties. There is hence no cross-referencing, unlike what the OP claimed.
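To make the hashing/salting point above concrete, here is an added example (not Myki's code; the page does not say which construction Myki actually uses). It shows that a plain, unsalted hash of a phone number can still be matched between two parties and even reversed, because the phone-number space is tiny, while a hash under a secret per-service key cannot be matched or reversed by anyone without that key. The phone number, the two "service keys" and the 4-digit search space are constructed for the demo; a real per-record salt that is stored next to the hash only defeats precomputed tables, it does not stop a party who also sees the salt, so the "salt" has to be a secret that is never shared.

```python
"""Added example (not Myki's code): why a plain hash of a phone number can still be
cross-referenced, and what it takes for a hash to really be unmatchable.

Everything here is constructed: the phone number is fictitious and the two
"service keys" stand in for secrets that Myki and some third party would each
hold privately. Which construction Myki actually uses is not known from the page.
"""
import hashlib
import hmac
import itertools

PHONE = "+15555550123"           # constructed sample number
KEY_A = b"service-a-secret-key"  # hypothetical secret held only by service A
KEY_B = b"service-b-secret-key"  # hypothetical secret held only by service B


def naive_hash(phone: str) -> str:
    """Unsalted SHA-256. Deterministic and public, so anyone hashing the same
    number gets the same digest and two datasets can be joined on it."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_hash(phone: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Only the key holder can reproduce the
    digest, so a party with its own key (or no key) cannot match it. A
    per-record salt stored next to the hash does not give this property:
    whoever also sees the salt can recompute the hash."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def cross_reference(hashes_a, hashes_b):
    """Digests present in both datasets, i.e. users both parties can link."""
    return set(hashes_a) & set(hashes_b)


def brute_force_phone(target_hash: str, prefix: str, digits: int):
    """Recover a phone number from an unsalted hash by enumerating the number
    space. Phone numbers have almost no entropy: a known country code and area
    prefix plus `digits` decimal digits is only 10**digits candidates, so even a
    full national numbering plan (about 10**10) is feasible offline. `digits`
    is kept at 4 in the demo so it runs instantly."""
    for tail in itertools.product("0123456789", repeat=digits):
        candidate = prefix + "".join(tail)
        if naive_hash(candidate) == target_hash:
            return candidate
    return None


def demo():
    """Run both constructions side by side and report what a third party could do."""
    naive_a, naive_b = naive_hash(PHONE), naive_hash(PHONE)
    keyed_a, keyed_b = keyed_hash(PHONE, KEY_A), keyed_hash(PHONE, KEY_B)
    return {
        "naive_linkable": bool(cross_reference([naive_a], [naive_b])),
        "keyed_linkable": bool(cross_reference([keyed_a], [keyed_b])),
        "naive_recovered": brute_force_phone(naive_a, "+1555555", 4),
        "keyed_recovered": brute_force_phone(keyed_a, "+1555555", 4),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the brute-force function is the caveat: "hashed" on its own does not mean "cannot be turned back into the number". Only the keyed variant, with the key kept off any shared channel, gives the no-cross-referencing property the post describes.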
Myki says that they do collect data from users, but strictly anonymously. They do this to understand how users use the app, to get insights for measuring their success, and to increase the performance of their ads >>
regarding App Tracking & FB Activity Tracking
FB offers an Analytics SDK to app developers that can be included in an app for free.
It serves to analyze app users' behavior: Facebook Analytics tells the developer what users do in the app, where they click, where they get confused or quit, and which functions they prefer.
Refer to the data they're collecting, as listed in Myki's Privacy Policy above. Note that they haven't mentioned collecting your browsing history; I'll get back to that soon.
Myki gets this data and these stats from FB's analytics tool. From startups to MNCs, most companies use such analytics data to increase their market reach and improve their products and services. Again, this data is anonymous from Myki's side: they cannot take a particular dataset and map it to a user. That is what they claim about the data Myki directly shares with FB.
Now, how does this data that FB collects as a part of Myki's analytics, get mapped to your FB account?
I was almost surprised to see that the Myki guy on the Reddit thread also researched this in the middle of the conversation. Again, you can check the thread (expand all replies there).
MYKI guy on Reddit
Our users each get a unique userID generated by us that we use to identify them; that userID is never shared with anyone. It's literally just random anonymous data being shared with FB, and yet they were able to know that you used Myki. How is that even possible? I did some digging and finally found the explanation.
It all boils down to the so-called Advertising ID. Android devices create one as soon as you link a Google account, and iPhones and iPads do so on the first boot of the device.
The next thing that happens is that as soon as you login to FB from your phone whether it's from the browser or the FB app, that advertising ID is sent and associated with your FB account.
This is obviously not okay with us and we're going to have to think about our next steps.
[ref 2] That explains how FB could map my app events to my own FB account. I downloaded my data from FB today and it showed an Activate_App activity from Myki.
For the Reddit OP, it showed a CUSTOM activity, that is, a custom activity named by the app developer (using the FB Business Tools); this event, I believe, would be one of the many listed in the Myki Privacy Policy excerpt I quoted above.
You can read through the 'Use of Customer Data' section of Facebook's Business Tools Terms of Use. It's worrisome in general.
Another excerpt about FB Business Tools/Analytics, from "How Facebook knows which apps you use – and why this matters" - mobilsicher.de ...
The US-based research project "AppCensus" found that 30 percent of all apps established a connection to Facebook (FB Analytics and other FB services) in a sample of 83,064 apps they analyzed.
The price of the useful service for devs: the data on user behavior and user journeys ends up in FB's hands.
This arrangement – data for free service – does not seem to bother app operators at all. We assume that this is at least partly due to the fact that most of them don’t know what Facebook’s SDK actually does.
From the above, I am not inferring that Myki knew about FB mapping Myki app events to individual FB IDs; this is what Myki said on Reddit, and it is likely, as the German article above says.
regarding Extension permission 'Read your Browsing History'
Myki on Reddit said that they do NOT collect browsing history and that their extensions are vetted against strict policies like those of Firefox.
Their Privacy Policy also does not state that they collect browsing history.
I have contacted them and am expecting a reply; however, having read about browser permissions earlier, I thought I'd delve deeper into Chrome's extension permissions and API.
The "Read your browsing history" permission warning is too vague a description of the activity it actually covers.
If you see the screenshot below (1st), it shows that the "Read your browsing history" warning is triggered when the extension developer (Myki here) requests the "tabs" or "webNavigation" permission.
... "Read your browsing history" is triggered by the "tabs" permission in the extension's manifest, and that permission is only needed if the developer uses the url, pendingUrl, title and favIconUrl properties of Tab, e.g. to see the last committed URL of a tab, the URL the tab is navigating to before it has committed, how the browser navigated to this particular URL, etc. These details of your browsing are useful for a password manager to know which page is being visited (the flow) and its state, and how it was reached, and hence to identify when and how to handle filling user credentials on the relevant page(s). This is my analysis; I do not know their implementation, of course.
Know what? Myki uses this permission, and so do LastPass, Bitwarden and others (see SS below). Now we know why: to improve their extension's handling of pages?!
Know how extensions can really read your browsing history? Using chrome.history (see SS). And if they use that, the permission warning shown will instead be "Read and change your browsing history".
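As an added example of what the "tabs" permission is actually needed for (this is illustrative code, not Myki's, LastPass's or Bitwarden's), here is the core of how a password-manager extension can use only the committed url of the current tab to decide whether a fill may be offered. The vault format, the sample entries and the hostnames are constructed; the chrome.* wiring at the end only runs inside a browser and is guarded so the matching logic can run under node. chrome.history is never touched, which is exactly why such an extension shows "Read your browsing history" rather than "Read and change your browsing history".

```javascript
// Added example (not Myki's, LastPass's or Bitwarden's code): what a password-
// manager extension needs the `tabs` permission for, and why that is not the same
// as reading history. The only thing consulted is the *committed* URL of the tab
// the user is looking at; chrome.history is never used. The matching logic is
// pure so it runs under node; the chrome.* wiring at the bottom is browser-only.

// Constructed sample vault: each entry records the exact origin it was saved on.
const SAMPLE_VAULT = [
  { id: 1, origin: "https://accounts.example.com", username: "alice" },
  { id: 2, origin: "https://bank.example", username: "alice-bank" },
  { id: 3, origin: "http://legacy.example.net", username: "bob" },
];

// Reduce a URL to its origin (scheme + host + non-default port). Returns null for
// anything that is not an http(s) page (chrome://, about:blank, file:, ...), so
// the manager never offers to fill on browser-internal pages.
function pageOrigin(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin;
}

// Vault entries that may be offered on this page. Only an exact-origin match
// counts: an https -> http downgrade, a lookalike such as
// "accounts.example.com.evil.test", or a parent/sub-domain must not fill, because
// filling on the wrong site hands the credential to that site.
function matchVaultEntries(vault, tabUrl) {
  const origin = pageOrigin(tabUrl);
  if (origin === null) return [];
  return vault.filter((entry) => entry.origin === origin);
}

// Decide from a chrome.tabs.Tab-shaped object whether to offer a fill. `url` is
// the last committed navigation; `pendingUrl` is a navigation that has not
// committed yet, so acting on it would fill into the *previous* page's DOM.
function fillDecision(vault, tab) {
  if (!tab || typeof tab.url !== "string") {
    return { fill: false, entries: [], reason: "no committed url" };
  }
  const entries = matchVaultEntries(vault, tab.url);
  if (entries.length === 0) {
    return { fill: false, entries, reason: "no vault entry for " + pageOrigin(tab.url) };
  }
  return { fill: true, entries, reason: "origin match" };
}

// Browser-only wiring: with the `tabs` permission, chrome.tabs.onUpdated delivers
// tab.url / tab.pendingUrl; without it those properties are absent and
// fillDecision refuses to fill. Guarded so the file also loads under node.
if (typeof chrome !== "undefined" && chrome.tabs && chrome.tabs.onUpdated) {
  chrome.tabs.onUpdated.addListener((tabId, changeInfo, tab) => {
    if (changeInfo.status !== "complete") return; // wait for the committed page
    const decision = fillDecision(SAMPLE_VAULT, tab);
    if (decision.fill) {
      // Hand the matching entries to the content script running in that tab.
      chrome.tabs.sendMessage(tabId, { type: "offer-fill", entries: decision.entries });
    }
  });
}
```

The exact-origin rule is the security-relevant part: a manager that matched on substring or "ends with example.com" would happily fill a credential into a lookalike or downgraded page, and using pendingUrl instead of url would fill into the page the user is leaving rather than the one they are going to.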
TL;DR
What's bad
- FB is able to map your app usage/activity to your FB account (through advertising ID, not through data directly provided by Myki to FB, since the latter is anonymized)
- Using this, FB just adds more data to your profile, which can be used in ad campaigns and targeted advertising. Apparently, only app activity (see ref 1 and ref 2) and device and connection details are shared via Myki's analytics ID to FB. The types of events that FB collects in this case can be seen in the FB screenshots above and in the screenshot on the mobilsicher.de link
What's good
- Unlike the OP's assumption on Reddit, Myki does NOT store or share the user's mobile number to map data against it
- Unlike the OP's assumption on Reddit, the user's browsing history is NOT collected by the Myki extension, hence not shared with others
- The data Myki collects is anonymous; you can OPT OUT of the data collection through their app (I had it disabled), and they will be disabling it by default soon
- Myki on Reddit, based on the discussion there, said that they will look for alternatives to FB analytics (though it will be used until they switch), and that they'll let users know of the new findings in their PP
- You can disable Facebook receiving activity from Myki (tracked directly by FB trackers, using the Advertising ID generated by your phone) using an option in the Off-Facebook Activity setting in your FB account.
Why am I sharing such a long post?
Because this is not just a concern about one app; it's a widespread privacy phenomenon.
I got to analyse it and obtain some contextual findings on what's happening and what's not.
And this, in a broader sense, is a privacy concern for sure, as FB and other trackers are simply not visible to the regular user, or to any user for that matter.