Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users' body weight, blood pressure, menstrual cycles or pregnancy status. Unbeknown to most people, in many cases that data is being shared with someone else: Facebook Inc.

The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook, according to testing done by The Wall Street Journal. The apps often send the data without any prominent or specific disclosure, the testing showed. It is already known that many smartphone apps send information to Facebook about when users open them, and sometimes what they do inside. Previously unreported is how at least 11 popular apps, totaling tens of millions of downloads, have also been sharing sensitive data entered by users. The findings alarmed some privacy experts who reviewed the Journal's testing.

Facebook is under scrutiny from Washington and European regulators for how it treats the information of users and nonusers alike. It has been fined for allowing now defunct political-data firm Cambridge Analytica illicit access to users' data and has drawn criticism for giving companies special access to user records well after it said it had walled off that information.

In the case of apps, the Journal's testing showed that Facebook software collects data from many apps even if no Facebook account is used to log in and if the end user isn't a Facebook member. Apple Inc. and Alphabet Inc.'s Google, which operate the two dominant app stores, don't require apps to disclose all the partners with whom data is shared. Users can decide not to grant permission for an app to access certain types of information, such as their contacts or locations. But these permissions generally don't apply to the information users supply directly to apps, which is sometimes the most personal. In the Journal's testing, Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple's iOS, made by California-based Azumio Inc., sent a user's heart rate to Facebook immediately after it was recorded. Flo Health Inc.'s Flo Period &Ovulation Tracker, which claims 25 million active users, told Facebook when a user was having her period or informed the app of an intention to get pregnant, the tests showed. Real-estate app Realtor.com, owned by Move Inc., a subsidiary of Wall Street Journal parent News Corp, sent the social network the location and price of listings that a user viewed, noting which ones were marked as favorites, the tests showed.

None of those apps provided users any apparent way to stop that information from being sent to Facebook. Facebook said some of the data sharing uncovered by the Journal's testing appeared to violate its business terms, which instruct app developers not to send it "health, financial information or other categories of sensitive information." Facebook said it is telling apps flagged by the Journal to stop sending information its users might regard as sensitive. The company said it may take additional action if the apps don't comply. "We require app developers to be clear with their users about the information they are sharing with us," a Facebook spokeswoman said.

At the heart of the issue is an analytics tool Facebook offers developers, which allows them to see statistics about their users' activities -- and to target those users with Facebook ads. Although Facebook's terms give it latitude to use the data uncovered by the Journal for other purposes, the spokeswoman said it doesn't do so. Facebook tells its business partners it uses customer data collected from apps to personalize ads and content on Facebook and to conduct market research, among other things. A patent the company applied for in 2015, which was approved last year, describes how data from apps would be stored on Facebook servers where it could be used to help the company's algorithms target ads and select content to show users. Apple said its guidelines require apps to seek "prior user consent" for collecting user data and take steps to prevent unauthorized access by third parties. "When we hear of any developer violating these strict privacy terms and guidelines, we quickly investigate and, if necessary, take immediate action," the company said. A Google spokesman declined to comment beyond pointing to the company's policy requiring apps that handle sensitive data to "disclose the type of parties to which any personal or sensitive user data is shared," and in some cases to do so prominently.

Before Alice Berg began using Flo to track her periods last June, she checked the app's terms of service. The 25- year-old student in Oslo says she had grown more cautious about sharing data with apps and wanted to ensure that only a limited amount of her data would be shared with third-parties like Facebook. Now Ms. Berg said she may delete the app. "I think it's incredibly dishonest of them that they're just lying to their users especially when it comes to something so sensitive," she said. Flo Health's privacy policy says it won't send "information regarding your marked cycles, pregnancy, symptoms, notes and other information that is entered by you and that you do not elect to share" to third-party vendors.

Flo initially said in a written statement that it doesn't send "critical user data" and that the data it does send Facebook is "depersonalized" to keep it private and secure. The Journal's testing, however, showed sensitive information was sent with a unique advertising identifier that can be matched to a device or profile. A Flo spokeswoman subsequently said the company will "substantially limit" its use of external analytics systems while it conducts a privacy audit. Move, the owner of real-estate app Realtor.com -- which sent information to Facebook about properties that users liked, according to the Journal's tests -- said "we strictly adhere to all local, state and federal requirements," and that its privacy policy "clearly states how user information is collected and shared." The policy says the app collects a variety of information, including content in which users are interested, and may share it with third parties. It doesn't mention Facebook.

The Journal tested more than 70 apps that are among the most popular in Apple's iOS store in categories that handle sensitive user information. The Journal used software to monitor the internet communications triggered by using an app, including the information being sent to Facebook and other third parties. The tests found at least 11 apps sent Facebook potentially sensitive information about how users behaved or actual data they entered. Among the top 10 finance apps in Apple's U.S. app store as of Thursday, none appeared to send sensitive information to Facebook, and only two sent any information at all. But at least six of the top 15 health and fitness apps in that store sent potentially sensitive information immediately after it was collected. Disconnect Inc., a software company that makes tools for people to manage their online privacy, was commissioned by the Journal to retest some of the apps. The company confirmed the Journal's findings, and said Facebook's terms allowing it to use the data it collected were unusual. "This is a big mess," said Patrick Jackson, Disconnect's chief technology officer, who analyzed apps on behalf of the Journal. "This is completely independent of the functionality of the app." The software the Journal used in its tests wasn't able to decipher the contents of traffic from Android apps. Esther Onfroy, co-founder of cybersecurity firm Defensive Lab Agency, conducted a separate test showing that at least one app flagged by the Journal's testing, BetterMe: Weight Loss Workouts, was in its Android version also sharing users' weights and heights with Facebook as soon as they were entered.

BetterMe Ltd. didn't respond to email and social-media inquires from the Journal. On Feb. 16, after being contacted by the Journal, it updated its privacy policy, replacing a general reference to Facebook's analytics to one that says it shares information with Facebook so it can determine "the average weight and height of our users, how many users chose a particular problem area of their body, and other interactions."

Apps often integrate code known as software-development kits, or SDKs, that help developers integrate certain features or functions. Any information shared with an app may also be shared with the maker of the embedded SDK. There are an array of SDKs, including Facebook's, that allow apps to better understand their users' behavior or to collect data to sell targeted advertising.

Facebook's SDK, which is contained in thousands of apps, includes an analytics service called "App Events" that allows developers to look at trends among their users. Apps can tell the SDK to record a set of standardized actions taken by users, such as when a user completes a purchase. App developers also can define "custom app events" for Facebook to capture -- and that is how the sensitive information the Journal detected was sent. Facebook says on its website it uses customer data from its SDK, combined with other data it collects, to personalize ads and content, as well as to "improve other experiences on Facebook, including News Feed and Search content ranking capabilities."

But a spokeswoman said Facebook doesn't use custom events -- the ones that can contain sensitive information -- for those purposes. She said Facebook automatically deletes some sensitive data it might receive, such as Social Security numbers. She said Facebook is now looking into how to search for apps that violate its terms, and to build safeguards to prevent Facebook from storing sensitive data that apps may send.

1. Identify Facebook's primary problem. How is app users' privacy violated?

2. Critically evaluate and articulate both the advantages and disadvantages of Facebook's decision to offer encrypted and ephemeral (vanishing) messaging services

a. Identify the pros and cons of switching from an advertising business model to a payments and e-commerce business model? Please ensure you use statistical data to support your analysis

b. How will the strategy affect Facebook customers? Will it assuage their privacy concerns?

c. What is the likely effect on regulators?

3. What recommendations would you make to Facebook management to ensure the success of the private messaging platform in the long term?