Facebook has been secretly paying users – teens included – to install a “Facebook Research” app which tracked and collected the users’ phone and web activity via third-party beta testing services. This was revealed in a TechCrunch investigative report published yesterday.

The service is similar to Facebook’s controversial Onavo Protect VPN app, which Apple banned from its App Store last year over privacy violations.


According to the TechCrunch report, Facebook has been paying users aged 13-35 years up to $20 per month via gift cards since 2016 to install the iOS and Android app. The app was originally called “Facebook Research” when launched in 2016, but was renamed “Project Atlas” in mid-2018, “when backlash to Onavo Protect magnified” and Apple changed its App Store rules, which shut Onavo out.

TechCrunch’s key findings

  • The app requires users to ‘Trust’ (an “agree” button of sorts) it with access to private messages in social media apps, web browsing activity, photos, emails, and location tracking apps
  • The app was provided via three third-party services to disguise Facebook’s involvement; ads were floated on Instagram, Snapchat and other apps to recruit users, and to get them to download the app
  • Facebook even asked users to upload screenshots of their Amazon order history, presumably to tie phone & web activity with purchase behaviour
  • TechCrunch reported that Facebook designed the installation steps in a manner which disguised its own involvement. For instance, ‘Applause’, one of the beta-testing services used by Facebook, did not mention Facebook in its sign-up unless the user was a minor
  • Another beta-testing service, ‘BetaBound’, mentioned Facebook only in the instruction manual for installing Facebook Research, and did not do so during sign-up

Circumventing Apple

Meanwhile, Facebook seems to have “purposefully avoided” Apple’s official beta-testing system, which involves oversight by Apple. Instead, users downloaded the app from another beta-testing service and were told to install an Enterprise Developer Certificate and a VPN, and to “Trust” (an “agree” button of sorts) Facebook with root access to their phones.

This was reportedly in violation of Apple’s rules: an Apple spokesperson explained to TechCrunch that Apple’s Enterprise Developer Program is designed solely for internal distribution of apps within an organization, and not for apps to be downloaded publicly. The spokesperson added that:

“Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

After the report was published, Facebook said that it would shut down the iOS version of its Research app. But Apple had blocked the app before Facebook voluntarily pulled it off of iOS. Facebook’s app will continue to run on Android.

Even by Facebook’s standards, this development comes as a surprise, especially since it involved minors and hiding its own involvement. This is hardly good news, given that Facebook has already been hit by data breaches, US Senate hearings, a threat to remove Zuckerberg as CEO, criticism over its role in the killings of Rohingya Muslims in Myanmar, data deals with phone manufacturers, Cambridge Analytica (of course), and threats to election integrity the world over.


Image Credit: www.thoughtcatalog.com, (Flickr) under CC BY 2.0