Facebook has sneaked out a service similar to Onavo Protect, its vampiric pseudo-VPN that claims to protect users' privacy but actually collects and analyzes their data. This time, it's worse: Facebook is targeting teens to install a similar application through third-party beta testing services, in possible violation of Apple's rules for corporate developers.
According to a report on Tuesday at TechCrunch, Facebook used at least three companies to target individuals between 13 and 35 years of age for the application, which was originally dubbed "Facebook Search" when it was launched in 2016. Atlas since at least mid-2018, "when reaction against Onavo in the tech community was increasing and Facebook removed Onavo from the App Store after Apple said it violated data collection rules," wrote TechCrunch.
The application asks for permissions that allow the company to absorb virtually all of the data from an iOS or Android device, from private messages and photos to web surfing habits. In return, Facebook has offered small payments to participants ($20 a month in the form of gift cards, and more for referrals) to keep the service running on their devices and occasionally supplement the data by doing things like taking screenshots of their Amazon order history.
TechCrunch has found that Facebook is working with beta testing services Applause, BetaBound and uTest through ads on Instagram, Snapchat and elsewhere to recruit participants. Users under the age of 18 have been asked to submit parental consent forms.
Some of the ads sought individuals aged 13-17 for a "paid social media research study," while others advertised opportunities for users "Age: 13-35 (parental consent for ages 13-17)." steps to obscure that they are behind the program, with TechCrunch reporting that some application methods only mentioned their name during installation instructions.
According to TechCrunch, iOS program participants are asked to sideload the application using an Apple Enterprise Developer Certificate, in violation of Apple's rules:
Facebook appears to have intentionally avoided TestFlight, Apple's official beta testing system, which requires applications to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the application from r.facebook-program.com and are instructed to install a Business Developer Certificate and VPN and "Trust" Facebook with root access to the data the phone transmits. Apple requires developers to agree to use this certificate system only to distribute internal enterprise applications to their own employees. The random recruitment of testers and the payment of a monthly fee appear to violate the spirit of this rule.
"If Facebook makes full use of the level of access it receives when it prompts users to install the Certificate, they can continually collect the following types of data: private messages in social media applications, chats in instant messaging applications – including photos / videos sent to others, emails, web searches, web surfing activity, and even ongoing location information by tapping the feeds of any location tracking application that you may have installed," Will Strafach, a security researcher at Guardian Mobile Firewall, told TechCrunch.
"The step that sounds quite technical 'installing our root certificate' is shocking," added Strafach. "… There is not a good way to articulate how much power Facebook gives you when you do it."
The Applause site contained language indicating that the amount of data that Facebook collects from the program is intense, to say the least, wrote TechCrunch.
Applause wrote that installing the search application gives its "client" permission to "collect information such as what applications are on your phone, how and when to use them, data about your activities and content in those applications and how others interact with you or your content in those applications," as well as "information about your Internet browsing activity." In some cases, Applause added, it will collect data "even when the application uses encryption or in secure browser sessions."
Strafach also told TechCrunch that the Research application appears to be a "scarcely re-edited version of the Onavo banned application," as it contains much of the same Onavo code, sends data to IP addresses associated with Onavo, and contains several sections of code that looked like they came directly from Onavo. However, he admitted that it is impossible to say what Facebook is actually downloading from outside users of the company.
Facebook did not immediately respond to a request for comment from Gizmodo, but told TechCrunch that the search application does not violate Apple's policies (without going into detail). It also told the site that the commonalities between Onavo and the latest application exist because both were built by the same team, compared the program to a Nielsen focus group, and said it had no plans to stop.
It is clear why Facebook is pushing a clone of Onavo. A 2017 Wall Street Journal article detailed that data from Onavo, which Facebook acquired in 2013, proved crucial in making decisions about everything from product design to Facebook's acquisition of WhatsApp in 2014. It is also clear why Facebook wants to monitor teenagers' private lives: reports suggest they are leaving the platform in large numbers and becoming more involved with its subsidiary Instagram as well as with competitors such as YouTube and Snapchat. (As for this being really scary, well, it's Facebook.)
However, if Apple decides that Facebook is violating its rules, Facebook may be required to stop distributing the search application or even have its corporate certificates revoked – and that would start another public relations battle that Facebook will not be able to afford. The reputation of the social media giant has been suffering from scandals involving everything from reckless data exchange with third parties and the spreading of defamation about critics to claims of complicity in literal genocide. Remember, though, if you're starting to distrust them, CEO Mark Zuckerberg will be more than happy to explain that you're just ignorant.