In brief: Facebook has hit the headlines over yet another privacy-related controversy. This time, the social network was discovered to be running a market research program that paid people as young as thirteen $20 per month to harvest data from their phones.
TechCrunch reports that people aged 13 to 35 were offered the money via gift cards if they installed an app called Facebook Research on iOS or Android. It was able to gather swathes of data by asking users to install a custom root certificate. According to Guardian Mobile Firewall security expert Will Strafach, this included private messages and chats from apps, internet searches, emails, web browsing activity, and even location data, all of which was sent back to Facebook.
Facebook had been collecting this data through its Onavo Protect VPN service, which it acquired in 2013 for $100 million to $200 million. The company removed Onavo from the App Store last August following complaints from Apple that it violated recent data security rules, which prohibit apps from collecting data from other apps installed on a device for the purposes of analytics or advertising/marketing. But Facebook reportedly continued to gather the same data using a different method.
"Facebook hid its identity but had intermediaries like uTest advertise to teens on Snapchat & Instagram that they could earn money via "social media research" aka selling their privacy. 3/" pic.twitter.com/9ohODeYXxM - Josh Constine (@JoshConstine), 29 January 2019
The new program has been around since 2016 and has been known as “Project Atlas” since mid-2018. Another part of the research asked users, who were signed up through beta testing services BetaBound, uTest, and Applause, to send in screenshots of their Amazon order histories.
“Ads (shown below) for the program run by uTest on Instagram and Snapchat sought teens 13-17 years old for a ‘paid social media research study.’ The sign-up page for the Facebook Research program administered by Applause doesn’t mention Facebook, but seeks users ‘Age: 13-35 (parental consent required for ages 13-17),’” writes TechCrunch.
"they didn't even bother to change the function names, the selector names, or even the "ONV" class prefix. it's literally all just Onavo code with a different UI." pic.twitter.com/ruqH69pUfq - Will Strafach (@chronic), 29 January 2019
Facebook said Project Atlas doesn’t violate Apple’s Enterprise Certificate policy, but the certificate program is primarily designed to allow employers root access to employees' phones. “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers,” states the policy.
Several hours after the report was published, Facebook shut down the iOS Research app, but it appears to still be available to Android users. The company gave the following statement to TechCrunch:
Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.