Emma Feedback Thread / Q&A

What do you mean, Facebook will get all your transactions?

1 Like

Not all the transactions but pretty sure Facebook does get my name, phone number, the fact that I use Emma and possibly the location (the app requests location, and presumably they use their SDK so nothing prevents them from slurping that in the background).

1 Like

Hmmm I downloaded just to see what it was about, pissed about FB login too but as I don’t have it it didn’t bother me, also annoyed that I had to use my mobile number.

Agreed does nothing that Monzo doesn’t do so it’s looking like 80% delete in a few days.

Well I just connected it to Charles Proxy and the app is POSTing usage data to graph.facebook.com every time I open it, and I have no doubts it’s sending a token related to the AccountKit verification and so linked with my identity. To be clear, it is not sending any financial data to them, but the simple usage patterns of the app are already way too much.

Here’s a request I just captured.

URL
https://graph.facebook.com/v2.10/1484184174982173/activities?advertiser_id=00000000-0000-0000-0000-000000000000&advertiser_tracking_enabled=0&anon_id=XZ33C6FB30-EF79-4B97-986C-976BB43939F6&application_tracking_enabled=1&event=CUSTOM_APP_EVENTS&extinfo=%5B%22i2%22%2C%22com.emma-app.prod%22%2C%221.2%22%2C%221.1.9%22%2C%2211.2.5%22%2C%22iPhone10%2C4%22%2C%22en_GB%22%2C%22GMT%22%2C%22EE<censored probable latitude/longitude>Europe%5C%2FLondon%22%5D&format=json&include_headers=false&sdk=ios&url_schemes=%5B%22fb1484184174982173%22%2C%22ak1484184174982173%22%2C%22emma%22%5D

It’s got a JSON object encoded in the URL itself which has info relating to my phone and possibly even my current location.

Multipart-encoded request body
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="custom_events_file"; filename="custom_events_file"
Content-Type: content/unknown

[{"_eventName":"fb_sdk_initialize","core_lib_included":1,"_logTime":1519073177,"share_lib_included":1,"_ui":"no_ui","_app_user_id":"4497","login_lib_included":1},{"_eventName":"Analytics","_logTime":1519072835,"_valueToSum":0,"_app_user_id":"4497","_ui":"no_ui"},{"_eventName":"fb_sdk_initialize","core_lib_included":1,"_logTime":1519072814,"share_lib_included":1,"_ui":"no_ui","_app_user_id":"4497","login_lib_included":1},{"_valueToSum":72,"_eventName":"fb_mobile_deactivate_app","fb_mobile_launch_source":"Unclassified","_logTime":1519072383,"_session_id":"393CE37F-A216-448D-9ED1-74A33C4B7302","fb_mobile_app_interruptions":1,"_app_user_id":"4497","_ui":"RCTModalHostViewController","fb_mobile_time_between_sessions":"session_quanta_1"},{"fb_mobile_launch_source":"Unclassified","_eventName":"fb_mobile_activate_app","_logTime":1519072770,"_session_id":"95D65ABE-7F7C-433F-8209-B0C514BDC9A9","_app_user_id":"4497","_ui":"RCTModalHostViewController"},{"_eventName":"Accounts","_logTime":1519072840,"_valueToSum":0,"_app_user_id":"4497","_ui":"no_ui"},{"_eventName":"Settings","_logTime":1519072841,"_valueToSum":0,"_app_user_id":"4497","_ui":"no_ui"},{"fb_mobile_time_between_sessions":"session_quanta_0","_eventName":"fb_mobile_deactivate_app","fb_mobile_launch_source":"Unclassified","_logTime":1519072878,"_session_id":"95D65ABE-7F7C-433F-8209-B0C514BDC9A9","fb_mobile_app_interruptions":3,"_app_user_id":"4497","_ui":"RCTModalHostViewController","_valueToSum":102},{"_ui":"RCTModalHostViewController","_eventName":"fb_mobile_activate_app","_logTime":1519073178,"_session_id":"8A1FAAF9-98AE-4AD2-8D75-31D417EF46F9","_app_user_id":"4497","fb_mobile_launch_source":"Unclassified"}]
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="anon_id"

XZ33C6FB30-EF79-4B97-986C-976BB43939F6
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="application_tracking_enabled"

1
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="extinfo"

["i2","com.emma-app.prod","1.2","1.1.9","11.2.5","iPhone10,4","en_GB","GMT","EE",<censored probable latitude/longitude>,"Europe\/London"]
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="event"

CUSTOM_APP_EVENTS
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="advertiser_id"

00000000-0000-0000-0000-000000000000
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="advertiser_tracking_enabled"

0
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="format"

json
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="include_headers"

false
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="sdk"

ios
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="url_schemes"

["fb1484184174982173","ak1484184174982173","emma"]
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f

Quite concerning for a banking app to let third-parties spy on their users like this.

On the plus side, at least it’s doing certificate pinning on the api.emma-app.com domain, but that doesn’t explain nor excuse the above.

2 Likes
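An added example (not part of the original post, and not Emma's or Facebook's code): a small audit helper that decodes a captured request of the shape shown above and lists what it discloses to the receiving host. The sample URL and events are constructed with placeholder identifiers, and treating the `fb_` prefix as the marker for SDK-generated events is an assumption drawn from the capture.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the capture above; identifiers are placeholders.
SAMPLE_URL = (
    "https://graph.facebook.com/v2.10/000000000000000/activities"
    "?advertiser_id=00000000-0000-0000-0000-000000000000"
    "&advertiser_tracking_enabled=0"
    "&anon_id=XZ00000000-0000-0000-0000-000000000000&event=CUSTOM_APP_EVENTS"
    "&extinfo=%5B%22i2%22%2C%22com.example.app%22%2C%2211.2.5%22%2C%22iPhone10%2C4%22"
    "%2C%22en_GB%22%2C%22EE%22%2C%22Europe%5C%2FLondon%22%5D"
)
SAMPLE_EVENTS = json.dumps([
    {"_eventName": "fb_mobile_activate_app", "_logTime": 1519072770, "_app_user_id": "4497"},
    {"_eventName": "Accounts", "_logTime": 1519072840, "_app_user_id": "4497"},
    {"_eventName": "Settings", "_logTime": 1519072841, "_app_user_id": "4497"},
    {"_eventName": "fb_mobile_deactivate_app", "_logTime": 1519072878,
     "_app_user_id": "4497", "_valueToSum": 102},
])

ID_PARAMS = ("anon_id", "advertiser_id")  # query parameters that identify the install


def audit_capture(url, events_json):
    """Summarise what one captured analytics request discloses to its host."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    events = sorted(json.loads(events_json), key=lambda e: e["_logTime"])
    return {
        "host": parts.hostname,
        "identifiers": {k: query[k] for k in ID_PARAMS if k in query},
        # the same app-side user id on every event links them to one account
        "app_user_ids": sorted({e["_app_user_id"] for e in events
                                if "_app_user_id" in e}),
        # extinfo is a JSON array carried percent-encoded in the query string
        "device_info": json.loads(query.get("extinfo", "[]")),
        "timeline": [
            (datetime.fromtimestamp(e["_logTime"], timezone.utc).isoformat(),
             e["_eventName"])
            for e in events
        ],
        # Assumption: names without the fb_ prefix are app-defined (screen names)
        "app_defined_events": [e["_eventName"] for e in events
                               if not e["_eventName"].startswith("fb_")],
    }


if __name__ == "__main__":
    print(json.dumps(audit_capture(SAMPLE_URL, SAMPLE_EVENTS), indent=2))
```

Running it against an export from an intercepting proxy gives a per-request view of which identifiers, device attributes and screen names leave the device, which can be compared with what the app's privacy notice states.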

Initially apps like Emma and Yolt don’t seem to do anything more, but just like Curve combines your Monzo and other cards into one, so Emma etc combine accounts into one place. So if you have multiple accounts, that is when it comes into play.

Yolt have incorporated an international payment option which, while Monese have, Monzo and Starling don’t. Emma will undoubtedly bolt on other extras too at some point.

1 Like

That’s called Facebook Analytics, a software used by thousands of apps. I wouldn’t make public claims before verifying things. :slight_smile:

3 Likes

I know it’s Facebook Analytics, doesn’t make it any better in my opinion though. You’re still sending usage data from a banking app to a company whose business model is to gather every single possible data point on every individual on this planet.

I wouldn’t really appreciate this to be used on any app, but would tolerate it on a “free” throwaway app. Seeing this on a financial app which doesn’t even profit off ads (in the traditional sense) is a bit concerning and disappointing.

I guess if you still don’t understand my concerns, why don’t you put in bold “we’ll let Facebook know every time you interact with the app, and send along your device’s fingerprint, time zone, carrier and maybe even your location” on the onboarding screen?

Sorry to be harsh, but come on, we’re not talking about Candy Crush here, we’re talking about a financial app that tries hard to gain the trust of their users and has a relatively good business model. For all the flak I’m giving to legacy banks, at least their apps don’t send usage info to FB. :wink:

4 Likes

The point you keep missing is that anything that Facebook tracks is not related to financial data. We just use it to improve user experience and usage.

3 Likes

Yet! One high street bank, which will remain nameless, has actually discussed sending analytics data to Amazon or Facebook. They decided against it, but who is to say if this will be revisited or not at a later date.

Sorry if I didn’t make that clear, but no, I know no financial data is transmitted. But usage data alone is a concern to me. This allows them to cross-reference it with any other data they’re getting (from different apps, or like buttons embedded on the web, etc) and build quite a detailed profile.

The last place I want to be tracked by Facebook is inside a financial app that has a non-advertising business model (at least not the kind of advertising that needs to stalk you around everywhere on the web).

1 Like

It’s fine. I don’t have a problem with that. :slight_smile:

1 Like

Fair enough, I respect your opinion, but again, the product is not for me, and if you think it’s so harmless, why not put in bold “we’ll let Facebook know how you use the app” on the onboarding screen? Your conversion rates would drop faster than my bank balance on a Friday night (:joy:) and that alone should tell you something.

I wish one day the App Store forces apps to disclose every single third-party the app communicates with in a nice and clear list (they already mandate privacy policy links, but those can be made broad and ambiguous on purpose so pretty much useless).

Also, just curious, besides the weather indicator, what do you use the location data for? Do you have any examples of alerts that would benefit from location data? Or is it still a work in progress and currently it’s not used for anything?

1 Like

I’m not sure that most people care or understand the implications of sharing this information with Facebook tbh. But GDPR will mean that, that has to be shared anyway :tada:

I don’t understand why you’re concerned about this. Yes Monzo is a banking app but Facebook isn’t accessing the app’s data so surely the only difference between them knowing that you’re using Emma vs Candy Crush is that they know whether you like to check your bank account regularly or not?

1 Like

This is like saying “tell the world you use an analytics tool to improve performance and user experience like 100% of other apps”.

Just weather for now.

3 Likes

I like Nutella, you like Peanut Butter. It’s okay, but doesn’t make it an issue. Have a good evening. :slight_smile:

ps: we are working on more cool stuff. We have shipped 1% till now, maybe less.

ps2: we are also hoping to share more news about the future of Emma soon.

5 Likes

Hopefully soon. :smiley:

3 Likes

Yep have a good evening too, and best of luck with your app :+1: let’s leave this debate at that. By the way, would you mind reporting the minor bugs I raised in my previous post above? Would improve the UX a little bit!

Original reply, started typing it so might as well leave it

But GDPR will mean that, that has to be shared anyway :tada:

In an obfuscated form somewhere deep in the privacy policy like it’s already done; nothing will change regarding that. What might change though is that Facebook might be forced to actually allow you to delete your data for good, including data collected within the purpose of such “analytics”.

This is like saying “tell the world you use an analytics tool to improve performance and user experience like 100% of other apps”.

I’d have less of a problem with analytics tools from companies whose main business model is charging the developer for good insights and leaving it at that. We both know Facebook’s main reason for offering an analytics service. Hint: it’s not to provide insights to the developer, it’s to provide insights to them, just like Google Analytics (why do you think they offer such a powerful tool for free?).

What you think is a bug is just a design choice, so again Nutella vs Peanut Butter.

4 Likes

For the record I’m more optimistic that companies accessing users’ data won’t be allowed to bury the details on how it will be used in a privacy policy because they will have to gain -

According to the Regulation consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”

Emphasis mine.

Specific meaning consent meaning consent just for the use of the data, which will therefore be much more clearly explained, perhaps a slightly more complex version of the permissions listed when you approve an oAuth connection.

I could be wrong but I’d be surprised if the regulators believe think that the way that type of consent is being requested at the moment that you’ve mentioned is sufficient.

Edits - struck out text deleted & text in italics added.

2 Likes

@edo1493 As someone who is naturally very sceptical of Facebook in any form across the internet, and someone who doesn’t understand app/ecosystem interoperability etc. my heart sank when I downloaded Emma and saw I had to align with Facebook for some reason to simply log in.

My instinct tells me Facebook wants to know as much about me as possible, so I had the suspicion before I saw this exchange that Emma passes some kind of data back to Facebook, even if it isn’t financial. This makes me uneasy.

You’re not open to the layperson about why I need to be linked to Facebook in some way (we’re not all coders or security geeks) and this makes me more nervous that at some point your Ts&Cs might subtly change to pass financial data back.

Your slightly snarky, defensive responses on here are also what I (as a Monzo user) am trying to get away from in the banking world. You’d never find Monzo speaking to customers like this on this forum.

Am seriously considering my continued use of Emma. And I’m the type of customer you’ve got to convince to use your app if you want to succeed.

5 Likes