TechCrunch, in their recent report mentioned, Facebook has been spying on user’s data and internet habits by paying $20 a month, plus referral fees for users aged between 13 – 35 to install a ‘Facebook Research’ VPN via beta testing services such as Applause, BetaBound, and uTest. The VPN allows Facebook to have an eye on user’s web as well as phone activity. Such activity was found similar to Facebook’s Onavo Project app, which was banned by Apple in June 2018 and totally discarded in August. Launched in 2016, the Facebook research project was renamed to Project Atlas mid-2018 after the backlash against Onavo.
One of the companies, uTest, was also running ads for a “paid social media research study” on Instagram and Snapchat, tweeted one of contributing TechCrunch editors to the report.
Facebook hid its identity but had intermediaries like uTest advertise to teens on Snapchat & Instagram that they could earn money via "social media research" aka selling their privacy. 3/ pic.twitter.com/9ohODeYXxM
— Josh Constine (@JoshConstine) January 29, 2019
TechCrunch has also updated that “Facebook now tells TechCrunch it will shut down the iOS version of its Research app in the wake of our report.”
According to the Techcrunch report, “Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity.”
Guardian Mobile Firewall’s security expert Will Strafach, told TechCrunch, “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location-tracking apps you may have installed.”
As part of the study, users were even asked to provide screenshots of their Amazon purchases.
For underage users, Applause requires parental permission, and Facebook is mentioned in the consent agreement. The agreement also mentions this line about the company tracking your children, “There are no known risks associated with this project, however, you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of Apps. You will be compensated by Applause for your child’s participation.”
As highlighted by TechCrunch, the Facebook Research app sent data to an address which is affiliated with Onavo.
the "Facebook Research" app can be found here, accessible by anyone + signed with the Enterprise Certificate, an unauthenticated server owned by Facebook: r[.]facebook-program[.]com/ ios/stable/manifest[.]plist (this will likely get yanked by FB very soon)
— Will Strafach (@chronic) January 29, 2019
A Facebook spokesperson wrote that the program is being misrepresented by TechCrunch and that there was never a lack of transparency surrounding it.
As a response to this, Josh Constine, Editor at TechCrunch tweeted, “Here is my rebuttal to Facebook’s statement regarding the characterization of our story. We stand by our report, and have a fully updated version here.” He also provided an updated report link followed by a snippet from the report.
Here is my rebuttal to Facebook's statement regarding the characterization of our story. We stand by our report, and have a fully updated version here https://t.co/W72PKZLPHg pic.twitter.com/wmK3phtNA2
— Josh Constine (@JoshConstine) January 30, 2019
Facebook should be broken up, and its ad business spunoff. Combining an ad business with an essential information carrier is inherently corrupting. https://t.co/r1ABcWQuhj
— Matt Stoller (@matthewstoller) January 30, 2019
According to Will Strafach, who did the actual app research for TechCrunch, “”they didn’t even bother to change the function names, the selector names, or even the “ONV” class prefix. it’s literally all just Onavo code with a different UI. Also, the Root Certificate they have users install so that they can access any TLS-encrypted traffic they’d like.”
According to a user on Hacker News, “By using a VPN they forced all traffic to go through their servers, and with the root certificate, they are able to monitor and gather data from every single app and website users visit/use. Which would include medical apps, chat apps, Maps/gps apps and even core operating system apps. So for users using Facebook’s VPN they are effectively able to mine data which actually belongs to other apps/websites.”
Another user writes, “How is this not in violation of most wiretapping laws? Facebook is not the common carrier in these cases. Both parties of conversations with teens are not consenting to the wiretapping, which is not allowed in many US states. I’m not sure teenage consent is considered “consent” and the parents aren’t a party to the conversations Facebook is wiretapping. Facebook is both paying people and recording the electronic communications.”
To know more about this news, head over to TechCrunch’s complete report.