It’s the Faustian pact for the 21st century, except this time the devil is Facebook. As unearthed by TechCrunch’s Josh Constine, the world’s biggest social network has been paying people (including 13-year-olds) to install a sketchy mobile VPN that spies on everything they do.
The VPN app, called Facebook Research, but referred to as “Project Atlas” in company documentation, provides absolute access to a device’s network data. Every packet sent is captured for later analysis, allowing Facebook to glean information on user habits, as well as to see how its competitors are faring.
According to Constine, users were also asked to provide screenshots of their Amazon order history page.
Facebook compensated users for signing up. The social network opened the app to people aged between 13 and 35, and paid them $20 per month, plus a referral fee for any new users they recruited.
To get the app in the hands of potential subjects, Facebook advertised heavily on popular teen social networks, like Instagram and Snapchat. It also teamed up with several major beta testing services, including Applause, BetaBound, and uTest. This also had the welcome side effect of obfuscating — at least superficially — Facebook’s involvement in the project.
To circumvent Apple’s App Store review process, Facebook signed its code with its enterprise certificate. This certificate is primarily intended for internal use only: it allows developers to test future releases of software and to distribute employee-only applications. It’s unclear if Apple will revoke this certificate in response to this blatant breach of its terms.
Apple banned Facebook's VPN/surveillance app Onavo last year, but Fb kept paying people to install its similar Research app through Apple's enterprise certificate program meant for employee-only apps 2/ pic.twitter.com/yRdsuI81Lv
— Josh Constine (@JoshConstine) January 29, 2019
Eagle-eyed researchers spotted that the Facebook Research app bore striking similarities to the controversial Onavo Protect app, which Apple banned from the App Store in August last year. Will Strafach, CEO of the Guardian Mobile Firewall app, observed several references to Onavo within the app’s code.
they didn't even bother to change the function names, the selector names, or even the "ONV" class prefix. it's literally all just Onavo code with a different UI. pic.twitter.com/ruqH69pUfq
— Will Strafach (@chronic) January 29, 2019
Facebook acquired Onavo for $120 million in 2014. While the Onavo Protect app promised to help users track and manage their cellular data consumption, it ultimately allowed Facebook to gain valuable insights into its competitors. Documents obtained by BuzzFeed News show it was instrumental in allowing Facebook to spot the tremendous growth of WhatsApp, thereby justifying its $19 billion purchase price.
Since TechCrunch published its investigation, Facebook has discontinued the iOS version of its VPN app. The program will continue to run on Android, arguably because Google’s mobile OS allows users to easily install non-Play Store apps without much extra effort.
Facebook and Teens
This episode illustrates two things. Firstly, it emphasises that Facebook cannot be trusted to look after the best interests of its youngest users.
It’s unlikely that many thirteen-year-olds understand the value of their personal data, and can grasp the potential consequences of providing it wholesale to a large multinational tech company. In my opinion, this absence of informed consent makes the Facebook Research app especially troubling.
And remember, it was only a few days ago that leaked internal documents showed Facebook has an inexcusably lax policy when it comes to children spending huge sums on in-app payments without parental consent.
Our relationship with our phone is perhaps the most intimate one we have, excluding spouses and children. It follows us everywhere we go. It holds all our secrets, and all our ambitions. For most of us, it’s the facilitator of our social lives. And people were willing to hand it over for just $20.
Perhaps that says more about us than Facebook.