For three years, Facebook has been secretly paying volunteers – including teens – to install a virtual private network (VPN) app called Facebook Research that plants a root certificate on their phones, according to TechCrunch.
That certificate gets the company “nearly limitless access” to the device, TechCrunch reports.
It’s unclear exactly what data the Facebook Research app is sniffing for, but Will Strafach, a security expert with Guardian Mobile Firewall, said that it can get anything it wants:
If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.
When the BBC visited one of the app’s sign-up pages, it stated that Facebook would use the information to improve its services, and that there are “some instances” when the data is collected “even where the app uses encryption, or from within secure browser sessions”.
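Why a planted root certificate reaches "even where the app uses encryption": once a device trusts a root the app controls, that root can sign a server certificate for any hostname, and the device's TLS stack will accept it, so the VPN can sit in the middle of HTTPS and read the plaintext. The Go program below, an added example that is not code from the article or from Facebook's app, mints such a root, has it forge a certificate for a hostname, and checks the forged certificate three ways: against a trust store without the root (rejected), against one with the root (accepted), and against a client that pins the genuine server's public key (rejected again). The CA name, the hostname and the 24-hour lifetimes are made up for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result records how one forged server certificate fares under three client policies.
type Result struct {
	AcceptedWithoutRoot bool // stock trust store: forged cert rejected
	AcceptedWithRoot    bool // planted root trusted: forged cert accepted
	PinMatches          bool // client pins the genuine SPKI: forged cert rejected
}

// newTemplate fills the fields shared by the root and the forged leaf. The
// serial numbers and the 24-hour lifetime are arbitrary values for this example.
func newTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs tmpl with the parent's
// key; pass nil parent and parentKey to produce a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chains reports whether leaf validates for host against roots. An empty,
// non-nil pool stands in for a device that never trusted the planted root.
func chains(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo mints a research-style root (made-up name), forges a cert for host, and checks it three ways.
func Demo(host string) (Result, error) {
	root, rootKey, err := issue(newTemplate(1, "Example Research Root CA", true), nil, nil)
	if err != nil {
		return Result{}, err
	}
	forged, _, err := issue(newTemplate(2, host, false), root, rootKey)
	if err != nil {
		return Result{}, err
	}
	// The genuine server has its own key; a pinning client stores only the
	// SHA-256 of that key's SubjectPublicKeyInfo and ignores the chain.
	genuineKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	genuineSPKI, err := x509.MarshalPKIXPublicKey(&genuineKey.PublicKey)
	if err != nil {
		return Result{}, err
	}
	planted := x509.NewCertPool()
	planted.AddCert(root)
	return Result{
		AcceptedWithoutRoot: chains(forged, x509.NewCertPool(), host),
		AcceptedWithRoot:    chains(forged, planted, host),
		PinMatches:          sha256.Sum256(forged.RawSubjectPublicKeyInfo) == sha256.Sum256(genuineSPKI),
	}, nil
}

func main() {
	r, err := Demo("mail.example.com")
	fmt.Println(r, err)
}
```

The third check is the practitioner's caveat to Strafach's "anything it wants": an app that pins the server's public key (or ships its own trust store) will refuse the forged certificate even though the device trusts the planted root, and since Android 7 apps that target API level 24 or later do not trust user-installed CAs by default, so the interception works fully only against apps that rely on the system trust store and do not pin. That is also why such programs need an onboarding flow that walks the participant through trusting the certificate rather than installing it silently.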
Yes, this is for real, Facebook says, but it was so not secret. The app’s name had “Facebook” in it, the company said in a statement:
Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.
As far as enrolling teens goes, when BuzzFeed’s Ryan Mac tried to sign up, he found that the parental consent process was a bit of a joke: all it required was an email address and a click.
I tried signing up and here's the screen you get. Interestingly the study specifically asks if you have the Amazon app and if you've made a purchase in the last 30 days.— Ryan Mac 🙃 (@RMac18) January 30, 2019
Also the parental consent process is just a simple click that can be bypassed by anyone. pic.twitter.com/Jcoh6kE78B
And as far as “how secret is it when it says Facebook in the name” goes, the page that the BBC came across stated that participants had to agree…
…[not to disclose] any information about this project to third parties.
The report from TechCrunch’s Josh Constine is very detailed and very much worth a read, but here are some of the takeaways:
Oh no, here we Onavo go again
If news about a snooping VPN app from Facebook is giving you déjà vu, it’s because Facebook Research is a kissing cousin to the company’s Onavo VPN. It was Strafach who detailed, in March 2018, how Onavo Protect was snooping on users even when the VPN was turned off, telling Facebook:
- When users’ mobile device screens were turned on and off
- Total daily Wi-Fi data usage in bytes
- Total daily cellular data usage in bytes
- How long the VPN was connected to Facebook even when a user’s screen was on or off.
As the Wall Street Journal had reported in 2017, Facebook had used the Onavo-supplied data to track its competition and scope out new product categories. Private, internal emails from Facebook staff that were published last month revealed that Facebook had relied on the Onavo data when it decided to purchase WhatsApp, for example. The company also used the Onavo data to track usage of its rivals and to block some of them – including Vine, Ticketmaster, and Airbiquity – from accessing its friends data firehose API.
In August 2018, Apple politely suggested that the privacy-violating app shove off. Facebook agreed and pulled it out of the App Store.
That was good for the privacy of iOS users, but the past few weeks have brought new revelations about Android apps secretly sharing data with Facebook, even when users are logged out or don’t even have a Facebook account.
TechCrunch reports that it got a tip that Facebook was paying users (up to $20) to sideload a similar VPN app after Apple gave Onavo the boot.
Sure, Apple banned Onavo, but that didn’t cure Facebook’s data thirst. TechCrunch’s investigation found that starting in 2016, Facebook had been working with three app beta testing services to distribute Facebook Research: BetaBound, uTest and Applause. Following the Onavo backlash, since at least mid-2018, the company’s been calling Facebook Research “Project Atlas.” It had yet another similar program called “Project Kodiak.”
Worming into Apple
Just as Onavo before it, the Facebook Research app also took advantage of Apple's own tooling to get where it wanted to go. Namely, it bypassed App Store review by being distributed under an Apple enterprise certificate, a mechanism meant for installing software that is still in development or intended only for internal use. Those certificates are supposed to be used only in certain, specific cases, such as when companies want to install internal apps on their employees' iPhones – including, for example, monitoring apps or those that add extra security.
But as the BBC reports, Apple’s Developer Enterprise Program License Agreement makes it clear that the installation of root certificates must only be used for “specific business purposes” and “only for use by your employees”…
…not for people recruited by app beta-testing companies in ads that deeply bury Facebook’s involvement.
On Tuesday, seven hours after TechCrunch published its report, Facebook said it would shut down the iOS version of its Research app. On Wednesday, an Apple spokesperson told TechCrunch that the company had already blocked Facebook Research on Tuesday, before Facebook "voluntarily" pulled the app.
Apple confirmed that Facebook had violated its policies:
We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
Facebook Research will still run on Android, adding yet more botheration to a month in which some Android users have found that they can’t scrape Facebook off their devices.