To Facebook, your privacy is worth a $20 gift card
The company paid users in exchange for complete access to their data.
Another day, another Facebook controversy. The latest backlash follows a TechCrunch report that the company was secretly paying teenagers to access their data and basically monitor their every move on the web. Facebook was asking people to install a VPN app called Facebook Research that gave it full access to a user's phone and internet activity. That, according to security expert Will Strafach (who helped TechCrunch with the investigation), gave the company the ability to continuously collect "private messages in social media apps, chats from in instant messaging apps (including photos/videos sent to others), emails, web searches, web browsing activity and even ongoing location information."
And what did these teens get in exchange for giving up every last illusion of privacy? Twenty dollars in e-gift cards per month. For a company that's been involved in countless data-privacy scandals in recent months, Facebook has a lot of nerve. Rather than changing its approach to collecting people's personal data, especially in the wake of the Cambridge Analytica scandal, Facebook continues to test the limits of what it can get away with.
The Research VPN program seems to be a clone of Onavo Protect, a data-collecting app that was pulled from the iOS App Store last year after Apple said it would violate its privacy policy. According to TechCrunch, Facebook Research was created using the same code as Onavo Protect, but the social network found a way around Apple's restrictions. Through a simple browser link, those who agreed to participate could give Facebook root access to their iPhone, essentially allowing the company to install anything it wanted on their device.
By using its developer credentials to do this, Facebook bypassed Apple's TestFlight beta-testing program and instead let users download it from three other services: BetaBound, uTest and Applause. One of the beta-testing services Facebook used, Applause, went as far as asking users to provide a screenshot of their Amazon purchase history. Which is just shameless.
Given Apple's stance on Onavo Protect, it would appear that asking users for root access to their devices is a clear violation of its privacy policy -- especially since Research was intended for people outside Facebook. As a result of Facebook's actions with Research, Apple has banned the social network from testing iOS apps internally. "We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization," Apple said in a statement on Wednesday. "Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."
Apple's decision to block Facebook from the Enterprise Developer Program is going to make it difficult to beta-test its various apps, including Messenger and Instagram. Beyond that, Apple CEO Tim Cook hasn't shied away from criticizing Facebook's privacy standards, and this is only going to heighten the tension between him and Mark Zuckerberg.
Facebook might argue that the people who signed up for the Research program (which reportedly targeted users between ages 13 and 35) consented to have their data harvested. But it's not as if the company was being explicit about its involvement, since it was essentially hiding behind BetaBound, uTest and Applause as a "social media study." Per TechCrunch, it wasn't until a minor tried to sign up that a parent-consent form revealed that the data being collected would be provided to Facebook.
Here's how that form read: "There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves tracking of personal information via your child's use of apps."
Since TechCrunch's investigation came out on Tuesday night, Facebook has said it is shutting down the program for iOS users, though it will still be available on Android. Google has not replied to our request for comment, but TechCrunch is now reporting that it, too, has a data-collecting application (called Screenwise Meter) that sidesteps Apple's App Store.
Meanwhile, in a statement to Engadget, Facebook disputed the TechCrunch story on its Research program, saying that "key facts" are being ignored. "Despite early reports, there was nothing 'secret' about this; it was literally called the Facebook Research App," Facebook said. "It wasn't 'spying' as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms."
Still, as Facebook is already under heavy scrutiny for mishandling user data, the revelation about the existence of the Research app couldn't come at a worse time. It shows, yet again, Facebook's carelessness and inability to read the room. If lawmakers were concerned before and felt Facebook was in need of tougher regulation, surely this is only going to add more scrutiny.
Yes, users got paid for their data, and they agreed to share it. But that doesn't explain why Facebook went behind Apple's back and found a way to basically recreate Onavo Protect, which it had been warned would violate the iOS App Store's user privacy policy. As if it makes the situation any better, Facebook said that out of the users who installed the Research VPN app, "less than 5 percent" were teenagers.
But even if that small percentage did have permission from their parents to participate in the program, and assuming those parent signatures weren't faked, most companies would draw a line at exploiting children. Facebook's ruthlessness, however, appears to have no boundaries.
