Facebook has stealthily launched a service similar to Onavo Protect, its vampiric psuedo-VPN that claims to protect users’ privacy but actually collects and analyzes their data. This time it’s worse—Facebook is targeting teens to install a similar app via third-party beta testing services, in possible violation of Apple’s rules for enterprise developers.
According to a Tuesday report on TechCrunch, Facebook has used at least three companies to target individuals ages 13-35 for the service, which was originally dubbed “Facebook Research” when it launched in 2016. But it has been conveniently “referred to as Project Atlas since at least mid-2018,” when backlash against Onavo in the tech community was building and Facebook pulled Onavo from the App Store after Apple said it violated data collection rules, TechCrunch wrote.
The app requests permissions that would allow the company to suck up pretty much any data it wants from an iOS or Android device, from private messages and photos to web browsing habits. In exchange, Facebook has been offering small payments to participants ($20 monthly in the form of gift cards, and more for referrals) to keep the service running on their devices and occasionally supplement the data by doing things like taking screenshots of their Amazon order histories.
TechCrunch found that Facebook is working with beta testing services Applause, BetaBound, and uTest via ads on Instagram, Snapchat, and elsewhere to recruit participants. Users under the age of 18 were apparently asked to submit parental consent forms.
Some of the ads asked for individuals ages 13-17 for a “paid social media research study,” while another advertised opportunities for users “Age: 13-35 (parental consent required for ages 13-17).” Facebook appears to have taken steps to obfuscate that they are behind the program, with TechCrunch reporting that some sign-up methods only mentioned its name during installation instructions.
According to TechCrunch, program participants on iOS are asked to sideload the app using an Apple Enterprise Developer Certificate, in likely violation of Apple rules:
Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and “Trust” Facebook with root access to the data their phone transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.
“If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed,” Guardian Mobile Firewall security researcher Will Strafach told TechCrunch.
“The fairly technical sounding ‘install our Root Certificate’ step is appalling,” Strafach added. “... There is no good way to articulate just how much power is handed to Facebook when you do this.”
Applause’s site contained language indicating that the amount of data Facebook collects from the program is intense, to put it mildly, TechCrunch wrote.
Applause wrote that installing the Research app gives their “client” permission to “collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps,” as well as “information about your internet browsing activity.” In some cases, Applause added, it will collect data “even where the app uses encryption, or from within secure browser sessions.”
Strafach further told TechCrunch that the Research app appears to be a “poorly re-branded build of the banned Onavo app,” as it contains much of the same code as Onavo, sends data to Onavo-associated IP addresses, and contains numerous sections of code that appeared to be lifted directly from Onavo. However, he conceded that it is impossible to tell what Facebook is actually downloading from users from outside the company.
Facebook did not immediately reply to a request for comment from Gizmodo [see update below], but it told TechCrunch that the Research app did not violate Apple policies (without getting into any specifics). It also told the site that the commonalities between Onavo and the newer app are because both were built by the same team, compared the program to a Nielsen-like focus group, and said it had no plans to stop.
It’s clear why Facebook is pushing an Onavo clone. A 2017 Wall Street Journal article detailed that data from Onavo, which it acquired in 2013, had proved crucial in decisions on everything from product design to Facebook’s 2014 acquisition of WhatsApp. Similarly, it’s clear why Facebook wants to monitor the private lives of teens, as reports have suggested that they are leaving the platform in large numbers and engaging more with its subsidiary Instagram as well as competitors like YouTube and Snapchat. (As for that being really creepy, well, it’s Facebook.)
However, if Apple decides that they’re through with Facebook, it could demand they stop distributing the Research app or even revoke its enterprise certificates—and start another PR battle that Facebook can ill afford. The social media giant’s reputation has been suffering as of late from scandals involving everything from reckless data-sharing with third parties and spreading smears about critics to allegations of complicity in literal genocide. Remember, though, if you’re starting not to trust them, CEO Mark Zuckerberg will be more than happy to explain that you’re just clueless.
Update: 1/30/2019, 2:35 a.m. ET: In a statement to Gizmodo, a Facebook spokesperson wrote that the program is being misrepresented, and that there was never a lack of transparency surrounding it:
Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.
The iOS version of the program is also being discontinued.
The company said the crew was brought on to offer new perspectives and better its approach to privacy.
Dell Cameron contributed reporting.