As it turns out, Facebook has found an underhanded way to skirt Apple’s rules and get people to continue installing its VPN — paying them.
TechCrunch this afternoon exposed Facebook’s “Project Atlas” program, in which Facebook paid people — adults and teenagers — to install a “Facebook Research” VPN that is similar to the Onavo VPN app.
As of 2016, Facebook has been secretly offering people aged 13 to 35 up to $20 per month along with referral fees to sideload the Facebook Research app using an enterprise certificate on iPhone. Enterprise certificates like this are designed to allow companies to distribute internal corporate apps and give full root access to a device.
To hide its involvement, Facebook has been using beta testing services like Applause, BetaBound and uTest to recruit participants to install Facebook Research.
By getting people to sideload an app this way through an enterprise certificate, Facebook has access to data that includes private messages in social media apps, chats from instant messaging apps (including photos and videos), emails, web searches, web browsing activity, and ongoing location information. It’s not clear if Facebook is accessing this data, but it could, according to security researcher Will Strafach, who TechCrunch consulted for this piece.
“The fairly technical sounding ‘install our Root Certificate’ step is appalling,” Strafach tells us. “This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”
The terms of service for the Facebook Research app suggest Facebook was collecting information about the smartphone apps on a participant’s phone and how and when those apps are used. Facebook also said it would collect data about activities and content within the apps, and information about internet browsing history. There’s even a line suggesting Facebook collects data even when an app uses encryption or from within a secure browser session.
Facebook confirmed the program in a statement provided to TechCrunch and reportedly said that the Facebook Research app was “in line with Apple’s Enterprise Certificate program,” though that does not seem to be the case based on Apple’s Enterprise Certificate policy.
“Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.”
Apple has been made aware of the issue, but declined to provide a comment to TechCrunch. It’s not clear how the Cupertino company will handle the situation, but as TechCrunch points out, Apple CEO Tim Cook has been highly critical of Facebook and its privacy violations. Apple could potentially block the Facebook Research app or revoke Facebook’s permission to distribute internal apps entirely.
Full details on Facebook’s spying app can be found in TechCrunch‘s exposé.