Apple kicks Facebook’s snoopy Research app out of the App Store
For three years, Facebook has been secretly paying volunteers – including teens – to install a virtual private network (VPN) app called Facebook Research that plants a root certificate on their phones, according to TechCrunch.
That certificate gets the company “nearly limitless access” to the device, Tech News reports.
It’s unclear exactly what data the Facebook Research app is sniffing for, but Will Strafach, a security expert with Guardian Mobile Firewall, said that it can get anything it wants:
If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.
When the BBC visited one of the app’s sign-up pages, it stated that Facebook would use the information to improve its services, and that there are “some instances” when the data is collected “even where the app uses encryption, or from within secure browser sessions”.
Yes, this is for real, Facebook says, but it was so not secret. The app’s name had “Facebook” in it, the company said in a statement:
Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.
As far as enrolling teens goes, when BuzzFeed’s Ryan Mac tried to sign up, he found that the parental consent process was a bit of a joke: all it required was an email address and a click.
I tried signing up and here’s the screen you get. Interestingly the study specifically asks if you have the Amazon… twitter.com/i/web/status/1…
Ryan Mac (@RMac18) January 30, 2019
And as far as “how secret is it when it says Facebook in the name” goes, the page that the BBC came across stated that participants had to agree…
…[not to disclose] any information about this project to third parties.
The report from Tech News’s Josh Constine is very detailed and very much worth a read, but here are some of the takeaways:
Oh no, here we Onavo go again
If news about a snooping VPN app from Facebook is giving you déjà vu, it’s because Facebook Research is a kissing cousin to the company’s Onavo VPN. It was Strafach who detailed, in March 2018, how Onavo Protect was snooping on users even when the VPN was turned off, telling Facebook:
- When users’ mobile device screens were turned on and off
- Total daily Wi-Fi data usage in bytes
- Total daily cellular data usage in bytes
- How long the VPN was connected to Facebook even when a user’s screen was on or off.
As the Wall Street Journal had reported in 2017, Facebook had used the Onavo-supplied data to track its competition and scope out new product categories. Private, internal emails from Facebook staff that were published last month revealed that Facebook had relied on the Onavo data when it decided to purchase WhatsApp, for example. The company also used the Onavo data to track usage of its rivals and to block some of them – including Vine, Ticketmaster, and Airbiquity – from accessing its friends data firehose API.
In August 2018, Apple politely suggested that the privacy-violating app shove off. Facebook agreed and pulled it out of the App Store.
That was good for the privacy of iOS users, but the past few weeks have brought new revelations about Android apps secretly sharing data with Facebook, even when users are logged out or don’t even have a Facebook account.
Tech News reports that it got a tip that Facebook was paying users (up to $20) to sideload a similar VPN app after Apple gave Onavo the boot.
Sure, Apple banned Onavo, but that didn’t cure Facebook’s data thirst. Tech News’s investigation found that starting in 2016, Facebook had been working with three app beta testing services to distribute Facebook Research: BetaBound, uTest and Applause. Following the Onavo backlash, since at least mid-2018, the company’s been calling Facebook Research “Project Atlas.” It had yet another similar program called “Project Kodiak.”