Shocking Report Reveals Facebook Bribed Teens For Unlimited Access To Their Private Data

Since the Cambridge Analytica scandal broke roughly one year ago, Facebook's manipulative, dishonest and sometimes downright predatory abuses of its users' most sensitive data have at times been almost too outrageous too believe. Whether it's sharing private messages with Netflix and Spotify, or its use of "corporate spyware" to press Facebook users into service as unwitting pawns for the company as it sought to spy on competitors, each revelation is seemingly more brazen in its disregard for user privacy than the last.

But the latest revelation reported by TechCrunch shows that the social media giant has crossed a serious ethical line: Bribing children into sharing almost all of the personal data that can be gleaned from their smartphones (for a small fee) to help the company better understand consumption patterns, generating data that can be used for - what else? - more advanced microtargeting of ads.

After Facebook's Onavo Protect app (the above-mentioned "corporate spyware") was banned from the Apple app store last year, Facebook refused to give up on its ambitions to protect its market dominance by hoovering up as much user data as possible. So, the company devised a new plan. It launched what TC described as "Project Atlas", an independent "research app" offered by third-party beta testing services that offered users $20 per month in exchange for untrammeled access to their data - including private messages from all of their social media apps, texts and IMs, photos and videos, emails, web searches, browsing activity and their location information. The app was targeted at people ages 13-35 (though teens, on paper at least, were required to get their guardians' permission to download the app).

FB

Many of the ads, which ran on Snapchat, Instagram and other platforms, were targeted at teens aged 13-17, and masked Facebook's involvement with the product.

Ads (shown below) for the program run by uTest on Instagram and Snapchat sought teens 13-17 years old for a "paid social media research study." The sign-up page for the Facebook Research program administered by Applause doesn’t mention Facebook, but seeks users “Age: 13-35 (parental consent required for ages 13-17).”

If minors try to sign-up, they’re asked to get their parents’ permission with a form that reveal’s Facebook’s involvement and says “There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of apps. You will be compensated by Applause for your child’s participation.” For kids short on cash, the payments could coerce them to sell their privacy to Facebook.

We asked Guardian Mobile Firewall’s security expert Will Strafach to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.

Furthermore, the ads pitched the project as a "paid social media research study".

Ads

In a sign that Facebook intended to deliberately mislead Apple, Facebook apparently avoided offering "Project Atlas" through Flight Test, Apple's beta-testing service.

Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and "Trust" Facebook with root access to the data their phone transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.

An analyst hired by TC to analyze the "Project Atlas" app's data-collection habits painted a worrisome picture. "Project Atlas" was apparently ramped up just days after Facebook's "Onavo" was banned by Apple's app store, showing how far the company was willing to go to risk breaking the rules of Apple's iOS platform, on which Facebook depends for much of its user base.

We asked Guardian Mobile Firewall’s security expert Will Strafach to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.

The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance - even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple may have asked Facebook to discontinue distributing its Research app. A more stringent punishment would be to revoke Facebook’s permission to offer employee-only apps. The situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point. TechCrunch has spoken to Apple and it’s aware of the issue, but the company did not provide a statement before press time.

[...]

TechCrunch commissioned Strafach to analyze the Facebook Research app and find out where it was sending data. He confirmed that data is routed to “vpn-sjc1.v.facebook-program.com” that is associated with Onavo’s IP address, and that the facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store, and is linked to the email address PeopleJourney@fb.com. He also discovered that the Enterprise Certificate first acquired in 2016 indicates Facebook renewed it on June 27th, 2018 — weeks after Apple announced its new rules that prohibited the similar Onavo Protect app.

"It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture," Strafach explains. "They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook’s word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves...which is a startling level of carelessness in itself if that is the case."

Those who downloaded "Project Atlas" (which, for iOS users, was always downloaded outside the Apple app store) were prompted to "trust" the application, install a VPN and grant the app "root access" to their network.

FB

Facebook

After TC published its report, Facebook confirmed that it had deleted the iOS version of the app; though, the Android version may or may not remain functional.

Facebook's efforts to collect as much data on its competitors as possible has given the company a serious market edge in the past. Before the app was shut down, Facebook used Onavo to collect data on Snapchat and Whatsapp usage which it used when calibrating its buyout offers. The discovery, which was fueled by data collected by Onavo, helped Facebook determine that Whatsapp messaging traffic was three times larger than that of the Facebook messenger app, helping Facebook justify its $19 billion offer for the app.

The report also revealed that Facebook has deliberately lied about violating Apple's Enterprise Certificate Policy, which limits apps with this level of access only to distribution among a company's employees: "Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing." Facebook denied that there was anything "secret" about "Project Atlas", pointing out that t was called the "Facebook Research app".

However, Facebook's use of intermediaries to promote the app may have muddied the waters for many users. In the wake of the report, it remains to be seen whether Apple will take action to punish Facebook for this flagrant violation of Apple's trust. But more worrying for Facebook could be the reaction of lawmakers, as the scrutiny of the company's aggressive data collection tactics - something the company has long wished would finally fade from the public's interest - is now back in the spotlight.