Wednesday January 30, 2019

Facebook Paid Teens to Test Even More Invasive Apps

TechCrunch just posted a report claiming that Facebook paid teens to install a "VPN that spies on them" on Android and iOS devices. More specifically, the social media company has allegedly been paying users between the ages of 12 and 35 "up to $20 per month plus referral fees" to download the "Facebook Research" app, which can reportedly monitor almost every part of the phone. Among other things, the app apparently asked users to take screenshots of their Amazon orders page, and a security researcher from TechCrunch said it had the ability to collect "private messages in social media apps, chats from in instant messaging apps - including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed."

Apple banned the Onavo data collection app from the iOS App Store for violating their data collection policies last year, so Facebook allegedly had to sideload "Project Atlas" to circumvent Apple's restrictions. In a statement to TechCrunch, Apple said "Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data," and true to their word, have subsequently yanked Facebook's permission to sideload apps on iOS devices. Experts say this could interfere with Facebook's own internal R&D efforts, though unsurprisingly, "Project Atlas" will continue to run on Android. Additionally, many other publications are following TechCrunch down Facebook's latest rabbit hole today. The BBC, for example, claims it was able to sign up for the service and download the app without any parental consent, even though the BBC identified itself as a 14-year-old boy during its test, while a BuzzFeed reporter managed to get a parental consent email that didn't mention Facebook by name. When asked how parental consent was obtained, Facebook "said it was handled by a third party and did not elaborate."

News Image

"The fairly technical sounding 'install our Root Certificate' step is appalling," Strafach tells us. "This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this... "It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture," Strafach explains. "They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook's word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves . . . which is a startling level of carelessness in itself if that is the case."

Facebook did respond after TechCrunch's article went live, but they didn't outright deny the claims.