oops

Apple Disables Facebook Apps Following News of Shady Research Project

Photo: Justin Sullivan/Getty Images

Because Facebook operates free of charge to its users, it’s tough to put an exact price on all of the data that it has on each one of us. What’s your name, location, and browsing history worth to Facebook? Ten bucks? A thousand bucks? Who knows. There is at least one case, though, in which Facebook has put a price on your data. In exchange for the ability to monitor all of the data on your smartphone, Facebook will pay you the princely sum of $20 a month.

In a lengthy report published yesterday, TechCrunch showed how Facebook used its privileged access as a developer, along with third-party research firms, to recruit users for a research program. That program required participants to allow access to data on their phone typically out of reach for developers, and to use a VPN that tunneled all of their traffic through Facebook’s servers. The program is a more elaborate version of Onavo Protect, a Facebook-owned app that helped the company collect data on which apps were popular or growing in use, and which they used to help make business decisions, such as their $19 billion acquisition of WhatsApp.

From TechCrunch:

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement.

Facebook gained this privileged phone access by advertising a “social media research study” that did not mention Facebook by name. It then required participants to accept a “certificate,” a digital authenticator that allows the Facebook Research app to collect all sorts of data. Will Strafach, a cybersecurity expert, told TechCrunch that, “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps — including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” Whether users technically knew what they were signing up for is in dispute, but has anyone ever actually read the terms of service?

The program functioned on iOS and Android. Because Android is less tightly controlled, users can sideload apps, installing them from sources other than Google’s official Play store. On iOS, installing apps not approved by the App Store requires developers to have special permissions. Those permissions can be obtained by being a part of Apple’s Enterprise Developer Program, allowing companies to develop iOS apps for internal use without going through the App Store approval process. Using that program to run a widespread research project that gives a company root access to consumer iOS devices is clearly a violation of that policy.

In a statement, Apple said that Facebook “using their membership to distribute a data-collecting app to consumers” is “a clear breach of their agreement with Apple.” The certificates enabling root access were revoked last night, immediately disabling the ability to sideload apps on iOS and preventing current apps from functioning.

Facebook said it would stop its Facebook Research program on iOS last night, without mentioning that Apple had already forced them to do so. Last year, Apple removed the Onavo app from the App Store, citing Onavo’s collection of data as a function not necessary for the app’s stated function as a VPN.

Apple Disables Facebook Apps Used for Invasive Research