Apple Bans Facebook Market Research VPN App That Mined Teenagers’ Device Data

Facebook has been criticized for operating a secretive market research project which paid teenage users in return for unfettered access to their personal data.

According to a new report from TechCrunch, Facebook has been quietly recruiting users from 13 to 35 and asking them to install a “Facebook Research” app that — albeit with opt-in consent, and a legalistic disclaimer — bypasses typical security features on iOS and Android. The app is then capable of collecting data on everything from their browsing history to their encrypted phone conversations and even their Amazon order history.

The app in question installed a root certificate, which allows for more granular access to a phone’s software and network traffic. According to Apple’s Developer Enterprise Program License Agreement, these certificates must be used for “specific business purposes” and are “only for use by your employees”. It is not clear that market research would be an acceptable reason for installation of the root certificate.

The app, which has been available since 2016 and is also referred to as “Project Atlas”, enables Facebook to collect data by enabling root access to a user’s device; it’s similar to Facebook’s Onavo Protect app that Apple banned from the App Store back in June.

Developer Will Strafach described the move on Twitter as “the most defiant behaviour I have ever seen by an App Store developer… I still don’t know how to best articulate how absolutely floored I am by Facebook thinking they can get away with this.”

Addressing the issue of consent, Strafach acknowledged that Facebook said users were provided with “extensive information about the type of data we collect and how they can participate,” but argued that “they do not inform users of the massive amount of access you hand them when hitting ‘Trust’ on their root certificate. I do not think users can reasonably consent without this knowledge.”

In a statement, the social network giant said: “Key facts about this market research programme are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear onboarding process asking for their permission and were paid to participate. Finally, less than 5pc of the people who chose to participate in this market research programme were teens, all of them with signed parental consent forms.”

After TechCrunch‘s article was published, Facebook said it would pull the version of its app for Apple devices, though it will presumably still be available for Android phones.

Apple responded this morning by revoking Facebook’s enterprise license and said: “We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

P.S. Help support us and independent media here: Buy us a beer, Buy us a coffee, or use our Amazon link to shop.