Looks like Facebook will leave no stone unturned to get access to your data. And it does not matter if it has been pulled up for its data collection practices in the past, it just seems to find innovative ways to get more and more of your data.
In a new instance that’s come to light, Facebook has reportedly been paying 13-17-year-old teenagers around $20 to install a VPN on their smartphones, which would allow Facebook to get complete access to their phone’s data.
What is Facebook Research?
According to a report by TechCrunch, the name ‘Facebook Research’ was being used by the social media giant to get root access to the phones of users aged between 13-35 years to monitor their mobile and internet activity, in exchange for $20 per month.
Facebook also acknowledged that the app exists and that its purpose was to ‘gain insight on usage habits’. Facebook also mentioned that it does not plan to stop the so-called research. Per the report, the program has been in distribution since 2016 and has been referred to as “Project Atlas” starting in mid-2018.
The app has been found to be similar to Onavo Protect, a Facebook app that was pulled last year due to Apple’s privacy objections. For obvious reasons, the Facebook Research app would then also be in violation of Apple’s policies as most of its program code seems to be taken lock, stock from Onavo’s code.
How does Facebook Research bypass Apple’s App Store?
Since Onavo Protect app was taken off the App Store for violating Apple’s privacy policies, there was no way Facebook Research could be distributed via the App Store. The app wasn’t even available on Apple’s own beta testing service called TestFlight.
Users were reportedly seeing this app through three different beta testing services, ie, BetaBound, uTest and Applause, in order to cloak Facebook’s involvement. These services specifically ran ads on Instagram and Snapchat targeting a demographic of users between 13-35 years of age. These ads asked for a “paid social media research study.”
To download these apps, users were redirected to a separate Facebook URL and asked to install an Apple Enterprise Developer Certificate, in turn allowing Facebook root access to their phone.
For the ones who did end up signing up for this, if they were below 18 years of age, the app would prompt them to ask for parental permission via a form, a part of which read: “There are no known risks associated with the project, however, you acknowledge that the inherent nature of the project involves tracking of personal information via your child’s use of apps.”
Here’s all the data Facebook Research app would send back to Facebook
According to a security expert, Will Strafach, who spoke to TechCrunch, the Facebook Research app would have the ability to continuously access users’ private messages on social media apps and chats from instant messengers, photos and videos sent on mail, web searches, browsing activity, also the location of the user.
Reportedly, one program from Applause even asked users to provide screenshots of their Amazon order history. For this, they lured the user asking if they kept the VPN running and sent the data to Facebook, they would get paid via e-gift certificates.
While it is unclear if Facebook was focused on all or some of the data from the lot, the fact that it had the ability to access all of this is nerve-wracking.
Additionally, while Facebook claims that it does not violate Apple’s privacy policies, we are not so sure about that, considering this ‘research programme’ takes users via Apple’s Enterprise Developer Certificate, which is meant only for internal usage and certainly not against payment to users.
We have reached out to Facebook regarding the same, but we still await their response.
As we have seen in the past, Facebook does not seem to think it is doing anything wrong. In a statement given to TechCrunch, Facebook has said that it is inviting people to participate in ‘research activity’ like many other companies do so that it can identify things that it can do better.
“Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time,” says Facebook.
Facebook vs Apple: Round 2?
Facebook had acquired a VPN app called Onavo Protect in 2013, which was found to be collecting user data. Apple removed the app in 2018 as it was found to violate its privacy policies. The data collected via this app was instrumental in telling Facebook that WhatsApp messenger was doing a lot of volume in terms of messages sent as compared to Facebook’s Messenger, prompting a buyout of the app in 2014 for $19 bn. The app also gave Facebook insights into the apps popular with teenagers, which were later cloned on various Facebook properties.
Apple has yet to respond on the matter and take a call if the Facebook Research app violates its policies. Apple and Facebook have not exactly been on the friendliest of terms ever since Tim Cook’s criticism on Facebook and response on the Cambridge Analytica scandal. When asked what he would do if he were in Zuckerberg’s shoes, Cook said that he would never be in this situation. “The truth is, we could make a ton of money if we monetised our customer as if our customer was our product. We’ve elected not to do that,” the Apple CEO had said.
Zuckerberg responded to Cook’s comments, calling them ‘glib’ and followed that up with forcing his employees not to use Apple iPhones.
If Apple indeed revokes the certificate it has allowed the Facebook Research app to issue, then this would be another step against Facebook.
Whether Facebook will learn a lesson and be less creepy in its quest to collect all of the world’s data? Well, that’s another argument for another day. Going by Facebook’s greed for data collection, that seems highly unlikely. Just like the multi-headed hydra, Facebook will most likely come up with some other solution to collect user data — with or without their permission.