Instead of downloading the app through the App Store or via Apple's own TestFlight beta testing program, users were getting it through three different beta testing services: BetaBound, uTest and Applause. Those three services specifically ran ads on Instagram and Snapchat targeting a demographic of those ages 13-35, saying that it was a "paid social media research study." When signing up for the app, minors are prompted to ask parental permission via a form. One of the forms reads: "There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves tracking of personal information via your child's use of apps."
Here's the text from a disclaimer when users download the Facebook Research app from Applause (procured by TechCrunch):
"By installing the software, you're giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you've installed ... This means you're letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions."
According to a Will Strafach, a security expert commissioned by TechCrunch, the level of access that the Facebook Research app provided could lead to the company collecting all manner of data that includes private messages, instant messaging chats that include photos and videos, emails, web activity and even location information.
Rather than downloading the app from Apple, users would download it from a separate Facebook URL, told to install an Enterprise Developer Certificate, and allow the company root access to their phone. One program from Applause even asked users to provide screenshots of their Amazon order history. If users kept the VPN running and sent the data to Facebook, they would get paid via e-gift certificates.
Facebook has acknowledged the existence of this program, providing the following statement to TechCrunch: "Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we've provided extensive information about the type of data we collect and how they can participate. We don't share this information with others and people can stop participating at any time."
According to the Facebook spokesperson, the company is not in violation of Apple's rules, as the app was distributed in line with Apple's Enterprise Certificate program. But as the Certificate program is primarily for internal developer use and not as a public beta where users would get paid, it's not clear if this is true.