Facebook is apparently so desperate for data that it is paying users to get them to hand it over. An investigation by TechCrunch found that the social networking giant is secretly paying users to install an app that delivers their data.
What is the Facebook Research app doing?
According to TechCrunch, the company has been paying teenagers and adults ages 13 to 35 up to $20 per month and a referral fee to install the Facebook Research app on their Android or iOS device. Facebook is not directly managing the app; rather, it is managed via beta testing services like uTest, Applause and BetaBound. The program is internally referred to as “Project Atlas.”
Citing a security expert, the report claims that the secret app allows the social networking giant to access the private messages sent by users, photos and videos in social media apps, emails, web searches and information on their other web activities.
The secret app also reportedly helps track location information using data from other location-tracking apps installed on the user’s smartphone. In some instances, users are even asked to log into their Amazon account, take a screenshot of their order history, and upload it on the Facebook Research website.
Facebook bypasses Apple’s beta testing system TestFlight for the Research app using an enterprise certificate on the iPhone, TechCrunch adds. Participants are asked to visit r.facebook-program.com, where they are asked to download an Enterprise Developer Certificate and VPN. The certificate allows developers to distribute internal corporate apps with full root access to the smartphone.
Is Facebook accessing the data?
As of now, it has not been confirmed that Facebook is accessing such data, but it could. The Facebook Research app’s terms of service suggest it collects information on other apps installed on participants’ phones, like how often and how apps are used. Facebook even reportedly collects data from apps that use encryption and from secure browser sessions.
A Facebook spokesperson admitted that the company runs a program to get data on usage habits.
“Like many companies, we invite people to participate in research that helps us identify things we can be doing better,” a spokesperson told CNBC.
The spokesperson added that such data helps the company understand how smartphones are used. The person also claimed the company is fully transparent about the program and provides users full information about the types of data collected.
“We don’t share this information with others and people can stop participating at any time,” the spokesperson added.
Facebook might be transparent about the workings of the app, but such apps violate Apple’s App Store policy guidelines. Last year, Apple removed a similar Facebook app called the Onavo Security app because it violated the App Store rules, which state that apps must not “collect information about which other apps are installed on a user’s device.”
Violating App Store rules
Even though the social network claims its Facebook Research app and Onavo Security app cater to different programs, both apps are managed by the same group of engineers. Even Guardian Mobile Firewall’s security expert, Will Strafach (consulted by TechCrunch), notes that the two apps are mostly the same.
“They didn’t even bother to change the function names, the selector names, or even the ‘ONV’ class prefix. it’s [sic] literally all just Onavo code with a different UI,” Strafach tweeted.
this is the most defiant behavior I have EVER seen by an App Store developer. it’s mind blowing. this is an amazing scoop by @JoshConstine – I still don’t know how to best articulate how absolutely floored I am by Facebook thinking they can get away with this.
— Will Strafach (@chronic) January 30, 2019
After the Onavo VPN was blocked, the social networking giant apparently renamed it Project Atlas. The company even ran ads on Snapchat and Instagram, but the ads reportedly include no reference to Facebook.
Specifically, Applause’s ads for the Facebook Research app describe it as a “paid social media research study” but don’t mention the social network at all. Facebook’s name only comes up when users younger than 18 try to sign up for the paid study. Such users are required to submit a signed consent form from their parents.
BetaBound also makes a similar pitch, saying that users will receive $20 per month to install the app and keep it running in the background. Users also get an additional $20 for referring another potential participant.
As of now, there has been no comment from Apple on the development, but considering its stance on privacy and previous instances in which CEO Tim Cook criticized Facebook and its privacy violations, there is a good chance the iPhone maker will block the Facebook Research app or restrict the social network from distributing the app internally.
Facebook maintained that such practices don’t violate Apple’s guidelines, although TechCrunch updated its report later to say the company was shutting down the iOS version of the app. However, it seems the Android version of the Facebook Research app will remain in service, at least for the foreseeable future.