On Friday, the Wall Street Journal ran a gobsmacking story:
"Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status.”
The picture painted is one of a digital advertising ecosystem out of control. It goes on to point out that 11 popular health apps, serving tens of millions of users, are (or were) spewing data towards Facebook’s servers with little indication to the user of what is going on.
Worse still, this was happening, the WSJ reported, whether or not the person using the app was even a member of Facebook at all. Imagine that - you’ve decided not to join Facebook, for whatever reason, but Mark Zuckerberg’s company is still receiving information about what you had for dinner last night, and how you’re planning to have sex tomorrow because you’re trying for a baby.
Like I said: gobsmacking. It wasn’t long until New York governor Andrew Cuomo declared he had ordered an investigation into how "Facebook is secretly accessing personal information”.
Let’s take a little step back.
My colleague Rory Cellan-Jones wrote recently about whether Facebook was being somewhat hard done by in the press lately because of the fall-out from Cambridge Analytica. His conclusion, a view I share, is that some Facebook stories are being at least mildly overblown. But, he wrote, a company that makes billions of dollars from our data deserves scrutiny and criticism at every turn - even if it feels like it is being unfairly singled out.
So where does this story land on a scale of Facebook’s recent scandals? The answer to that question depends on how you assign blame.
The apps in question used a Facebook-provided tool called App Events to collect and send the information back. Data from App Events is used to power Facebook’s advertising algorithms, though the company insists it wouldn’t use sensitive data for this (we can’t verify that, of course). Developers would use App Events to track how users use their app - something which can be used to power target advertising.
For example, say you use a shopping app to look at a particular t-shirt, but you don’t actually buy it. Next time you browse the web, you might see an ad that’s trying to tempt you into going back and buying that shirt. In order for that process to work, developers need to feed Facebook the information about what the user is doing. In its statement, a Facebook spokesperson said this was "how mobile advertising works and is industry standard practice”.
Where this story gets murkier is in how a selection of apps were using App Events to gather sensitive data, which in turn was being funnelled to Facebook.
The company has a standard list of App Events that it provides to every developer that wants to use them. On top of that, developers can also create Custom Events, tailored to their app’s specific needs. In Facebook’s policies for how to use Custom Events, it states that developers shouldn’t use Custom Events to gather and send back sensitive data.
But, that’s what those 11 apps supposedly did, according to the Wall Street Journal's testing. One of them, Flo Period & Ovulation Tracker, was collecting and sending data about women’s ovulation cycles, periods and whether or not they were trying to become pregnant. Of course, women were willingly putting this information into the app - as that was its purpose - but most were surely unaware of how it was being passed on.
It’s reasonable to agree with Facebook when it says it does not have the ability to monitor what third party developers do. It doesn’t (nor should anyone want that).
Furthermore, the firm said if it ever does find sensitive data send in via its developer tools, it deletes it - and it pro-actively looks out for instances of this.
If a developer captures sensitive data and sends it to Facebook’s servers, it could be argued that the foul has been committed not by Facebook, but by the developer - in the same way that someone might send you something offensive in the post, even if you've asked them not to.
Could Facebook do a better job of enforcing its policies? Always. Could it be tougher on apps that break those rules? Most definitely.
Should it have foreseen some of the weaknesses in its system and chances for exploitation? As has been said over and over and over again: yes.
But in this instance, the company seems to be on solid ground with its defence.
There is of course a bigger ethical consideration to be made about whether this kind of surveillance is fully understood by most people, and whether these practices should be allowed full stop.
But to go over a well-trodden point - this is why Facebook is free.
Follow Dave Lee on Twitter @DaveLeeBBC
Do you have more information about this or any other technology story? You can reach Dave directly and securely through encrypted messaging app Signal on: +1 (628) 400-7370