Updated: Facebook Caught Paying to Spy on Teens
Facebook has been accused of breaching Apple’s privacy protection policies by paying teens to install a VPN that spies on them.
Social media giant Facebook has been paying people, including 14- to 17-year-olds, up to $20 (£15.30), plus referral fees, per month to install a ‘Facebook Research’ VPN on their devices.
The software enables the company to gather highly personal data from the users’ phone and web activity. TechCrunch has reported that Facebook used targeted social media ads to attract teenagers to sign up for the scheme.
According to TechCrunch, the software is similar to Facebook’s Onavo Protect app that Apple banned in June 2018, and was ultimately removed in August of that year.
TechCrunch’s article goes on to accuse Facebook of sidestepping the App Store as it rewards teenagers and adults to download the app that then gives it root access to network traffic in what may be a violation of Apple policy, so the social network can decrypt and analyse their phone activity.
The Facebook Research App has the potential to access
- The contents of private messages in chat apps including photos and videos
- Web browsing activity
- Logs of what apps were installed, and when they were used
- A location history of where the owner had physically been
- Data usage
Facebook has denied this accusation and the suggestion it was engaging in shady activity. A spokeswoman the company said it was unable to say whether it ran the programme in the UK or other countries outside the US but did take ire with TechCrunch’s characterisation of the app.
“Key facts about this market research programme are being ignored,” a spokeswoman said via email. “Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate.
“Finally, less than 5% of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
When questioned by the BBC on how parental consent was obtained, Facebook said that consent was handled by a third party but it did not elaborate further. When tested, it proved easy for individuals posing as under 18s to sign up without parental consent, which was not sought.
Programme participants were also required to agree not to disclose any information about the project to third parties and asked users to screenshot their Amazon order history page.
Since TechCrunch published its article, Facebook has contacted the news outlet to confirm it would end the programme on Apple devices, but not on Android.
Apple has confirmed that it has blocked the controversial app and revoked its Enterprise Certificate that allows Facebook to distribute the app without going through the App Store. Facebook has since released a statement saying it had shut down the iOS version of the Research program without mentioning that it was forced by Apple to do so, making it appear it pulled it willingly.
Apple provided TechCrunch with a statement on the decision: “We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.
“Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
This clearly contradicts Facebook’s initial response, in which it claimed that it was compliant with Apple’s Enterprise Certificate policy and that its program was no different than a focus group.