As you’ve probably heard by now, Facebook — in its infinite wisdom — has been running a program that pays your kid (aged 13 to 35) a whopping $20 worth of gift cards each month in exchange for near-unlimited access to the data on their Apple or Android devices. By installing a custom root certificate, Facebook can see what websites they browse, what they say to their friends, and what they write in their emails, to name a few privacy-shattering examples.
I’m describing this in present tense, because this (seemingly) invite-only program still exists on Android. Apple, not so much, especially since Facebook’s new data-mining deal is basically just a rebranded version of its former Onavo VPN-turned-spyware app, which Apple asked Facebook to remove from the App Store last year.
Confused? I don’t blame you. Here’s the short version: Facebook wants to know the personal details of what you do on your device, and it has no problem doing whatever it takes to get that. If you’re concerned that a younger family member is paying for their monthly Fortnite DLC purchases by giving up their secrets to Facebook, let’s go over the basics of Facebook’s Research program:
If Facebook got “caught,” did the company apologise?
Ahahahahahaha no. Why would Facebook apologise if it feels it did nothing wrong? Here’s the statement media outlets received from a Facebook spokesperson:
“Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 per cent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
As you’ll see, the phrases “we’re sorry,” “we apologise,” “removing the app,” and “never again” do not appear in this statement. Facebook plans to continue the “Facebook Research” program on Android, and it would probably do so on iOS were there any other conceivable workaround it could use.
How long has this been going on?
Since 2016, says the original TechCrunch report.
Can I sign up now?
Really? If you’re even remotely thinking about this, your personal data is worth a lot more than $20 a month. And if you’re fine with turning over nearly everything you do to Facebook, you might as well give your friends your passwords to your accounts and let them go to town, since you don’t seem to care about your privacy that much.
Anyway, it appears the Betabound sign-up link for the program is no longer active, so it’s unclear whether you can still sign up to participate. I suspect Facebook is going to rejigger how program invitations work, given the outcry, but I wouldn’t expect them to stop. You can still download the Apple-banished Onavo app from Google Play, after all.
There’s no word on whether those previously enrolled in the program will still be able to continue, but I don’t see why not. Get some of that sweet referral cash, right?
Why does Apple care so much about this and not Google?
Different platforms; different rules. Apple tends to have stricter privacy policies in place for apps than Google. When Apple told Facebook that it should voluntarily remove Onavo from the App Store last year, Apple also released this statement:
“With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing and must make it clear what user data will be collected and how it will be used.”
At that time, Google had nothing to say about the Onavo app, nor does the app appear to have triggered any kind of response from Google in the time since. As I mentioned, you can download it right now if you want. (You shouldn’t.)
As for Facebook Research, you won’t find an app with that name on the Google Play Store. I’m not in the program, but I presume participants receive a link to sideload an app onto their devices when they sign up to participate. And when you do, the app slaps a new certificate and VPN onto your device, which is how Facebook can get a glimpse into pretty much everything you do.
But Apple is mad, right?
I’d say so. Since Facebook knows that a scammy VPN app would probably be open season for Apple’s App Review team, it instead took advantage of Apple’s Enterprise Developer Program to get this app on participants’ iOS devices.
The program is supposed to allow companies to install customised or proprietary apps on employees’ devices. Since it’s all done in-house, these apps wouldn’t go through the App Store, nor would they trigger any kind of review from Apple.
Putting the pieces together? Facebook asked participants in its program to install an Enterprise Developer Certificate and a VPN. According to the now-defunct sign-up page for the research program, this would give Facebook the ability to collect:
information such as which apps are on your phone
information about how and when you use them
data about your activities and content within those apps, as well as how other people interact with you or your content within those apps.
information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services.
Apple has since realised what Facebook has been doing behind-the-scenes, and a spokesperson’s statement in response to Facebook’s sneaky tactics is pretty damning:
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organisation. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
Oh, and by revoking this certificate, Apple has also wrecked Facebook’s ability to distribute its own internal apps. Reap what you sow, Facebook.
How do I know if I am (or my kid is) giving Facebook all this data?
If you’re on iOS, go to Settings > General > Profiles. Most people shouldn’t have anything here unless their jobs require them to install a profile in order to access various work-related apps and services. If you see a “Facebook Research” profile, delete it. You can also check the VPN section of your General screen to see if anything Facebook-related is installed (or active).
On Android, you should just be able to look for the Facebook Research app. If it exists, delete it. You can also check to see if a device has any weird VPNs installed via Settings > Network & Internet > Advanced > VPN, as well as any unwanted certificates via Settings > Security & location > Advanced > Encryption & credentials > Trusted credentials > “User” tab.
Can I still use the Facebook app?
Is anyone else about to get smacked by Apple for running a similar program?
The eye of Cook turns to the lands of Mountain View. Google has a similar program, “Screenwise Meter,” that takes advantage of the same Enterprise Developer Certificate loopholes as Facebook’s app. Get your popcorn.