Of the 187,000 users on whom Facebook collected personal and sensitive device data via the now-defunct Facebook Research app, 156,000 are Indian users. This was revealed in a TechCrunch report. The data included all of a user’s phone and web activity, across all apps, including search history, browsing habits, and content of unencrypted messages.

In a March letter to Senator Richard Blumenthal’s office that TechCrunch got access to (available here), Facebook said that since 2016, it had collected data on 31,000 users in the US, including 4,300 teenagers. The remaining 156,000 users are from India, of which 29,700 users were minors, aged between 13 and 17 years old.

In response to queries from MediaNama, Facebook said, “We ended the Facebook Research App program earlier this year. We have deleted all user-level market insights data that was collected from the app.”

Following were the questions we sent, but did not get specific answers to:

  • How many of the 156,000 Indians affected were minors, that is, under 18 years old?
  • Why were 5x more Indians targeted by the app than Americans?
  • How did the company evaluate minor’s permissions to give up their data? Was parental consent required? If yes, in what form?
  • What kind of data on Indians was collected by the company using Facebook Research?
  • Did Facebook have access to encrypted WhatsApp messages using the Facebook Research app?
  • What all did this data [“all user-level market insights data”] include? Did it include content of WhatsApp messages?
  • Has the aggregated data, not individual data, collected from the app been used for product development at Facebook? Will it be used in the future?

What data?

Earlier this year, the Facebook Research app, through its VPN services, gave the company access to all of a user’s phone and web activity, ostensibly for market research purposes, TechCrunch had reported. This app was basically a repackaged Onavo that Apple had banned from its app store in 2018 for violating its App Store policies.

The Research app stayed undetected for this long because Facebook had sidestepped Apple’s app store and abused its Apple-issued enterprise certificate.

As a result, within a day of TechCrunch’s report on January 29, 2019, Apple had revoked Facebook’s enterprise certificate and blocked all of its internal apps. That led to chaos in Facebook’s internal communications as apps for employees, including those for transportation and collaboration, stopped working, Verge reported. This affected more than 35,000 Facebook employees. However, the enterprise certification was restored after a day, according to a Verge report.

Is Facebook the only defaulter?

Nope! Google had similarly abused its enterprise developer certificate and developed an app called Screenwise Meter. MediaNama found that this app is still available on Google’s Play Store. Apple had similarly revoked Google’s Enterprise Certificate that took down Google’s all of internal iOS apps, affecting more than 94,000 employees. But, the certificate was restored within a day.

Screenshots form an Android phone showing Google's Screenwise Meter

(From L to R): Google’s Screenwise Meter is still available on Google Play Store; the app description establishes that is only for market research and only registered panel participants can access it; and even after downloading the app, it prompts you for your panelist account. Source: MediaNama

What’s Apple’s Enterprise Certificate and how could Facebook and Google abuse it so easily?

On Apple’s App Store, only vetted apps that meet all of Apple’s security and privacy standards are allowed. However, enterprise developers are issued Apple’s Enterprise Certificate to build and run apps that are used internally by employees, on the condition that they aren’t distributed to the public at large. As a result, when an enterprise certificate is revoked, it also affects all apps that are in beta stage and actively being worked on.

Facebook and Google abused their enterprise certificates and made their users manually download the app, that is, via ‘sideloading’. This was followed by configuring the VPN that basically funneled all the data to and from the phone through Facebook or Google.

Since Facebook flouted the rules using its enterprise certificate, Apple does not know how many devices installed the app, according to a letter that Apple had sent to lawmakers in March as per a TehCrunch report.

Were Facebook and Google equally bad?

Simply put, no. Google’s Screenwise Meter could not access encrypted data, including any network traffic protected by HTTPS, as most apps in the App Store and internet websites are.

However, Facebook made users ‘trust’ an additional type of certificate at the ‘root’ level of the phone allowing it to look at off the encrypted traffic flowing out of the device, TechCrunch explained. So all messages, emails, and data that wasn’t protected by certificate pinning was vulnerable to Facebook’s gaze. End-to-end encrypted solutions, such as iMessage and Signal, remained protected. It is unclear if WhatsApp remained secure given that the encrypted messaging service is owned by Facebook. MediaNama sought a clarification from Facebook, but the company did not give a specific response.

Why target India?

On the face of it, there are a few reasons for having targeted India in addition to the US: India is Facebook’s largest market and any insight into its competitors here is extremely valuable. Moreover, it’s worth noting that India does not have a privacy law, and the Personal Data Protection Bill in still in draft stage.

Hold your horses … Facebook just launched another market research app

Despite the backlash that it has faced over Facebook Research from both the industry and the lawmakers, Facebook refuses to learn: just two days ago, it launched its new market research app, Study. It is essentially the same app as Research, but only for Android devices. The company has partnered with the same beta-testing agency for logistical support as it did with Facebook Research — Applause. In response to our queries about whether Applause would have access to users’ data, and who would be responsible for protecting users’ data for this new app, Facebook said, “Our partner [Applause] will collect minimal information like contact details for payment and demographic details including age and country.” They further said, “We’ll retain data in accordance with our Data Use Policy.”

Issues to consider: Our take

  • Privacy in India: Despite reaffirming right to privacy as a fundamental right, India does not have a law on privacy. The data protection bill is yet to be passed as an act. In the absence of any concrete laws, there isn’t any recourse for affected users.
  • Consent from children: As Facebook’s letter to the lawmakers reveals, 34,000 minors’ data was collected by Facebook, of which, 29,700 children are Indians. Despite the company’s claims that underage users had to get consent from their parents, the company did not answer our question about what this consent looks like, and how the platform establishes that parental consent is genuine.
  • Security on Google’s Play Store: Google’s own Screenwise, and Facebook’s new market research app, Study, are both available on Play Store, but not on Apple’s App Store. This is possibly because of Apple’s more stringent rules. Google similarly needs to take a cue from Apple and make privacy and data security a priority.

***Update (June 14, 2019 1:40 pm): We have updated the article with responses from Facebook (in italicised, bold text). Originally published on June 13, 2019.