Apple bans Facebook’s Research app that paid users for data

Apple bans Facebook’s Research app that paid users for data

  

In the wake of TechCrunch’s investigation yesterday,

Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down. The Research app asked users for root network access to all data passing through their phone in exchange for $20 per month. Apple tells TechCrunch that yesterday evening it revoked the Enterprise Certificate that allows Facebook to distribute the Research app without going through the App Store.

TechCrunch had reported that Facebook was breaking Apple’s policy that the Enterprise system is only for distributing internal corporate apps to employees, not paid external testers. That was actually before Facebook released a statement last night saying that it had shut down the iOS version of the Research program without mentioning that it was forced by Apple to do so.

TechCrunch’s investigation discovered that Facebook has been quietly operated the Research program on iOS and Android since 2016, recently under the name Project Atlas. It recruited 13 to 35 year olds, 5 percent of which were teenagers, with ads on Instagram and Snapchat and paid them a monthly fee plus referral bonuses to install Facebook’s Research app, the included VPN app that routes traffic to Facebook, and to ‘Trust’ the company with root network access to their phone. That lets Facebook pull in a user’s web browsing activity, what apps are on their phone and how they use them, and even decrypt their encrypted traffic. Facebook went so far as to ask users to screenshot and submit their Amazon order history. Facebook uses all this data to track competitors, assess trends, and plan its product roadmap.

Facebook was forced to remove its similar Onavo Protect app in August last year after Apple changed its policies to prohibit the VPN app’s data collection practices. But Facebook never shut down the Research app with the same functionality it was running in parallel. In fact, TechCrunch commissioned security expert Will Strafach to dig into the Facebook Research app, and we found that it featured tons of similar code and references to Onavo Protect. That means Facebook was purposefully disobeying the spirit of Apple’s 2018 privacy policy change while also abusing the Enterprise Certificate program.

Sources tell us that Apple revoking Facebook’s Enterprise Certificate has broken all of the company’s legitimate employee-only apps. Those include pre-launch internal-testing versions of Facebook and Instagram, as well as the employee apps for coordinating office collaboration, commutes, seeing the day’s lunch schedule, and more. That’s causing mayhem at Facebook, disrupting their daily work flow and ability to do product development. We predicted yesterday that Apple could take this drastic step to punish Facebook much harder than just removing its Research app. The disruption will translate into a huge loss of productivity for Facebook’s 33,000 employees.

For reference, Facebook’s main iOS app still functions normally. Also, you can’t get paid for installing Onavo Protect on Android, only for the Facebook Research app. And Facebook isn’t the only one violating Apple’s Enterprise Certificate policy, as TechCrunch discovered Google’s Screenwise Meter surveillance app breaks the rules too. This morning, Apple informed us it had banned Facebook’s Research app yesterday before the social network seemingly pulled it voluntarily. Apple provided us with this strongly worded statement condemning the social network’s behavior:

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

That comes in direct contradiction to Facebook’s initial response to our investigation. Facebook claimed it was in alignment with Apple’s Enterprise Certificate policy and that the program was no different than a focus group. Seven hours later, a Facebook spokesperson said it was pulling its Research program from iOS without mentioning that Apple forced it to do so, and issued this statement disputing the characterization of our story:

“Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”

We refute those accusations by Facebook. As we wrote yesterday night, Facebook did not publicly promote the Research VPN itself and used intermediaries that often didn’t disclose Facebook’s involvement until users had begun the signup process. While users were given clear instructions and warnings, the program never stresses nor mentions the full extent of the data Facebook can collect through the VPN. A small fraction of the users paid may have been teens, but we stand by the newsworthiness of its choice not to exclude minors from this data collection initiative.

Senator Mark Warner has since called on Facebook CEO Mark Zuckerberg to support legislation requiring individual informed consent for market research initiatives like Facebook Research. Meanwhile, Senator Richard Blumenthal issued a fierce statement that “Wiretapping teens is not research, and it should never be permissible.”

The situation will surely worsen the relationship between Facebook and Apple after years of mounting animosity between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices, and Zuckerberg has countered that it offers products for free for everyone rather than making products few can afford like Apple. Flared tensions could see Facebook receive less promotion in the App Store, fewer integrations into iOS, and more jabs from Cook. Meanwhile, the world sees Facebook as having been caught red-handed threatening user privacy and breaking Apple policy.

Article Produced By
Josh Constine

Editor-At-Large

Josh Constine is a technology journalist who specializes in deep analysis of social products. He is currently an Editor-At-Large for TechCrunch and is available for speaking engagements. Previously, Constine was the Lead Writer of Inside Facebook through its acquisition by WebMediaBrands, covering everything about the social network. Constine graduated from Stanford University in 2009 with a Master's degree in Cybersociology, examining the influence of technology on social interaction. He researched the impact of privacy controls on the socialization of children, meme popularity cycles, and what influences the click through rate of links posted to Twitter.

Constine also received a Bachelor of Arts degree with honors from Stanford University in 2007, with a concentration in Social Psychology & Interpersonal Processes. Josh Constine is an experienced public speaker, and has moderated over 120 on-stage interviews in 15 countries with leaders including Facebook CEO Mark Zuckerberg, whistleblower Edward Snowden (via on-stage video conference), and U.S. Senator Cory Booker. He is available to moderate panels and fireside chats, deliver keynotes, and judge hackathon and pitch competitions. Constine has been quoted by The Wall Street Journal, CNN Money, The Atlantic, BBC World Magazine, Slate, and more, plus has been featured on television on Good Morning, America, The Today Show, China Central Television, and Fox News. Constine is ranked as the #1 most cited tech journalist on prestigious news aggregator Techmeme.

[Disclosures: Josh Constine temporarily advised a college friend's social location-sharing startup codenamed 'Signal' that was based in San Francisco before dissolving in 2015. This advising role was cleared with AOL and TechCrunch's editors and has concluded. Constine's fiancée Andee Gardiner co-founded startup accelerator Founders Embassy. Constine's cousin Darren Lachtman is the founder of influencer advertising startup Niche that was acquired by Twitter, and he's since left and founded teen content studio Brat. Constine does not write about Founders Embassy or Brat. Constine has personal acquaintances stemming from college housing circa 2007 with founders at Skybox Imaging (now Terra Bella), Hustle, Snapchat, and Robinhood, but does not maintain close social ties with them nor does that influence his writing. Constine occasionally does paid speaking engagements at conferences, but only those funded by companies he does not cover. Constine owns a small position in Ethereum and Bitcoin cryptocurrencies, does not day-trade, and discloses his positions directly in articles where appropriate. Constine does not do consulting, angel investing, or public stock trading beyond public stock invesments by his parents' estate that he has no role in managing or advising.]

https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/

TP