TechCrunch: Facebook Pays Teenagers to Install VPN That Spies on Them

Josh Constine, reporting for TechCrunch:

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

Unless I’m missing something, running this through their enterprise developer certificate is a flagrant violation of Apple’s policies. Apple shut down Facebook’s Ovano VPN in August for collecting this exact type of data. Doing it outside the App Store doesn’t make it any better. As Constine points out:

However, Facebook’s claim that it doesn’t violate Apple’s Enterprise Certificate policy is directly contradicted by the terms of that policy. Those include that developers “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing”. The policy also states that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers” unless under direct supervision of employees or on company premises.

Security expert Will Strafach, quoted by TechCrunch:

“This hands Facebook continuous access to the most sensitive data about you, and most users are unable to reasonably consent. There is no good way to articulate just how much power is handed to Facebook when you do this.”

What apps you’re using, all of your network data, your location — Facebook takes all of it with this app. (Strafach is tweeting up a storm tonight on this story.)

Genuinely interested to see how Apple responds to this. To my eyes, this action constitutes Facebook declaring war on Apple’s iOS privacy protections. I don’t think it would be out of line for Apple to revoke Facebook’s developer certificate, maybe even pull their apps from the App Store. No regular developer would get away with this. Facebook is betting that their apps are too popular, that they can do what they want and Apple has to sit back and take it. I keep saying Facebook is a criminal enterprise, and I’m not exaggerating. Sometimes a bully needs to be punched in the face, not just told to knock it off.

Tuesday, 29 January 2019