Exposed! Facebook pays teenagers to install app that harvests personal data

Root-certificate app sucked up phones' private data and web browsing activity.

Since 2016, Facebook has been paying users aged 13-35 up to $20 per month to install an app which has almost unlimited access to their smartphones and their most sensitive data.

Reporters at TechCrunch exposed the scheme, which saw users install a “research” app capable of scooping up:

  • private chat messages, including photos and videos
  • emails
  • web-browsing activity
  • a list of which apps were installed on the device, and when they were last used
  • the user’s physical location history
  • data usage

According to the report, the app is similar to the Onavo Protect VPN app that Facebook was forced to withdraw from the iOS App Store after Apple determined that it was breaking its data-collection policies.

From the sound of things, Facebook is installing the offending app using the enterprise provisioning features that Apple provides for companies that wish to roll out their own enterprise certificate-signed versions of apps to employees, rather than distributing them through the official iOS App Store.

They do this by asking users to install a root certificate which has almost unlimited access to the phone. The enterprise provisioning feature is intended for employees of a company, not 13-year-old users of a social media website. In short, Facebook has again breached Apple’s rules.
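The mechanism described above, a configuration profile that asks the user to trust a third-party root certificate and route traffic through the vendor's VPN, is something a defender can check for before a profile is accepted. The script below is an added example and is not code from the article or from Facebook; it parses an Apple `.mobileconfig` profile (an XML property list) and flags payloads that install a trusted root CA (`com.apple.security.root`) or a managed VPN (`com.apple.vpn.managed`), both of which are Apple's documented payload types. The sample profile embedded in it is constructed for illustration, with placeholder certificate data, and the identifier `com.example.research` is an assumption.

```python
"""Flag high-risk payloads in an Apple configuration profile (.mobileconfig).

Added example, not code from the article. The sample profile below is
constructed; the PayloadType strings are Apple's documented payload types.
"""
import plistlib

# Payload types that give a third party broad visibility into device traffic.
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a trusted root CA (enables TLS interception)",
    "com.apple.vpn.managed": "routes all device traffic through a third-party VPN",
}

# Constructed sample profile. Certificate data is a base64 placeholder
# ("PLACEHOLDER"), not a real certificate; identifiers are hypothetical.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Research Profile (constructed)</string>
  <key>PayloadIdentifier</key><string>com.example.research</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.research.rootca</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>UExBQ0VIT0xERVI=</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.research.vpn</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>UserDefinedName</key><string>Research VPN</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.research.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000004</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>example-wifi</string>
    </dict>
  </array>
</dict>
</plist>
"""


def risky_payloads(profile_bytes):
    """Return (payload_type, payload_identifier, reason) for each risky payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOAD_TYPES:
            findings.append(
                (ptype, payload.get("PayloadIdentifier", "<unknown>"), RISKY_PAYLOAD_TYPES[ptype])
            )
    return findings


def profile_verdict(profile_bytes):
    """Summarise the profile: 'reject' if a root CA is installed, 'review' if
    only a VPN is configured, otherwise 'ok'."""
    types = {ptype for ptype, _, _ in risky_payloads(profile_bytes)}
    if "com.apple.security.root" in types:
        return "reject"
    if types:
        return "review"
    return "ok"


if __name__ == "__main__":
    for ptype, ident, reason in risky_payloads(SAMPLE_PROFILE):
        print(f"{ptype} ({ident}): {reason}")
    print("verdict:", profile_verdict(SAMPLE_PROFILE))
```

A profile that carries a root CA payload is treated as an automatic reject here because trusting an additional root lets whoever holds its private key read traffic the device believes is end-to-end encrypted; the Wi-Fi payload in the sample is deliberately left unflagged to show the check is selective.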

Facebook research app

It seems to me that Apple would be well within its rights to revoke the certificates. Whether Apple will be prepared to take that ballsy step remains to be seen, but it would certainly see tensions between the two companies flare up.

Josh Constine at TechCrunch writes:

“The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke its permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point.”

Within hours of TechCrunch’s report being published, Facebook moved from a position of defending its behaviour on the grounds that participants consented (it’s unclear how Facebook confirmed 13-year-olds received their parents’ permission) to announcing that they would be halting the research program on Apple devices.

According to a BBC News report, when it posed as a 14-year-old boy during its own test, it was able to download the app without any request for parental consent.

For now there is no indication that Facebook is planning to stop the “research” on Android phones.

I can’t imagine why anyone would trust Facebook with their personal profile information, let alone install apps which can read their private chats and emails or track their web browsing.

If you feel the same, then why not join me by deleting your account? If you’re finding it hard to quit, why not listen to this “Smashing Security” podcast we put together describing the process:

Smashing Security #75: ‘Quitting Facebook’


2 Responses

  1. Etaoin Shrdlu

    January 30, 2019 at 6:56 pm #

    If only you *could* delete your account.

    • Vog Bedrog in reply to Etaoin Shrdlu.

      January 31, 2019 at 4:09 am #

      And if only they weren’t sucking up all available data on non-users anyway.
