Exposed! Facebook pays teenagers to install app that harvests personal data
ROOT-CERTIFICATE APP SUCKED UP PHONES’ PRIVATE DATA AND WEB BROWSING ACTIVITY.
Facebook exposed paying teenagers to install app that harvested personal data
Since 2016 Facebook has been paying users aged 13-35 up to $20 per month to install an app which has almost unlimited limitless access to their smartphones and most sensitive data.
Reporters at TechCrunch exposed the scheme which saw users install a “research” app capable of scoop up:
private chat messages, including photos and videos
emails
web-browsing activity
a list of which apps were installed on the device, and when they were last used
the user’s physical location history
data usage
According to the report, the app is similar to the Onavo Protect VPN app that Facebook was forced to withdraw from the iOS App Store after Apple determined that it was breaking its data-collection policies.
From the sound of things, Facebook is installing the offending app using the enterprise provisioning features that Apple provides for companies who wish to roll out their own enterprise certificate-signed versions of apps to employees, rather than the official iOS App Store.
They do this by asking users to install a root certificate which has almost unlimited access to the phone. The enterprise provisioning feature is intended for employees of a company, not 13-year-old users of a social media website. In short, Facebook has again breached Apple’s rules.
Facebook research app
It seems to me that Apple would be well within its rights to revoke the certificates. Whether Apple will be prepared to take that ballsy step remains to be seen, but it would certainly see tensions between the two companies flare up.
Josh Constine at TechCrunch writes:
“The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke it permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point.”
Within hours of TechCrunch’s report being published, Facebook moved from a position of defending its behaviour on the grounds that participants consented (it’s unclear how Facebook confirmed 13-year-olds received their parents’ permission) to announcing that they would be halting the research program on Apple devices.
According to a BBC News report, when it posed as a 14-year-old boy during its own test, it was able to download the app without any request for parental consent.
For now there is no indication that Facebook is planning to stop the “research” on Android phones.
I can’t imagine why anyone would trust Facebook with its personal profile information, let alone installing apps which can read their private chats and emails or track their web browsing.
more
Project Atlas”
To get the miserly $20 gift cards, Facebook asked iOS and Android users to install a virtual private network that sends outgoing data streams through a third party. That could potentially give Facebook “nearly limitless access to a user’s device,” security expert Will Strafach, who works for firewall app maker Guardian Mobile Firewall, told TechCrunch.
“Most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this,” Strafach told TechCrunch.