Earlier this year, an investigative report revealed that Facebook had been secretly pushing out an invasive “research” app that flagrantly abused Apple’s Enterprise Developer program to gain access to an unprecedented amount of data on users’ iPhones and iPads, and now it turns out that the company was at this for almost three years before it was caught, sucking up extremely personal data on thousands of users, including teens.
The app, dubbed “Project Atlas”, was part of an opt-in study — participants were offered $20/month to install the app and feed all of their smartphone activity to an arm of the social media giant — however very little information was provided on what data was being collected, and due to the way that Facebook misused Apple’s Enterprise program to build the app, it was capable of collecting a lot of personal data. Even worse, many users who were lured into the study were minors.
Following these revelations, a trio of U.S. Senators demanded that Facebook explain exactly what it was thinking in releasing such an app, pillorying the social media giant for specifically targeting teens and its deeply invasive data collection. TechCrunch has now obtained a copy of Facebook responses to the office of Senator Richard Blumenthal (D-CT), where the company admitted that it collected data on 187,000 users in total. 31,000 of those were based in the U.S., and of those, “only” 4,300 were teenagers. The rest of the data reportedly came from users in India.
However, Facebook also denied that it was collecting the kind of invasive data that it was being accused of, emphasizing that it only cared about analytics data, and “did not target any health or financial apps, collect any images or video, or decrypt the vast majority of data being sent by a phone.”
Regardless of whether Facebook was decrypting and using the data or not, however, the very fact that it had this data available to it isn’t particularly reassuring, particularly coming from a company with Facebook’s reputation of a ravenous appetite for data.
The U.S. Senators also asked Apple to comment on its own role in Facebook’s malfeasance, to which the iPhone maker was only able to say that it had no way of knowing how many devices had Facebook’s app installed, but that it took action immediately once the abuse of its enterprise certificates was discovered, revoking the ability for Facebook’s own internal iOS apps to function.
Apple’s director of federal affairs, Timothy Powderly, added that the company could identify that the provisioning profile for the Facebook Research app was created on April 19, 2017, but that “this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users.” However, Facebook itself admitted that the app dated back to 2016.
During last week’s Worldwide Developers Conference, Apple also announced that it now “reserves the right to review and approve or reject any internal use application” — those issued under Apple’s Enterprise Developer Program — although it’s unclear how Apple plans to do this, as these apps are normally side loaded directly onto users’ devices. Most likely this will simply involve routine audits of the apps being issued by those companies participating in program. Apple also told TechCrunch that at this point, both Facebook and Google — which had also been abusing the program in much the same way — “are in compliance” with its rules.
Facebook Remains Unrepentant
Facebook’s abuse of Apple’s Enterprise Developer program was both intentional and flagrant. The Project Atlas app was in fact a repackaged version of its Onavo VPN, which was discovered collecting user data in early 2018, and killed by Apple later that year. Despite this, Facebook knowingly decided to re-release the app using its privileged status as an Apple Enterprise Developer — a program very clearly restricted to building apps for internal use by a company’s own employees — bypassing the App Store Review process that had already rejected the app and gaining access to even more data in the process.
Although Apple allowed Facebook back into its Enterprise Developer Program, Facebook’s response was unrepentant, with Facebook VP Pedro Canahuati insisting that their app was “a valid method of market research” and that it was Apple’s opinion — and by implication, not Facebook’s — that the terms of the agreement were violated.
Facebook continues to deny any wrongdoing on its part, saying it was just doing the same thing everybody else was. Vice-President of Public Policy Kevin Martin defended the company’s use of enterprise certificates, saying it “was a relatively well-known industry practice” — despite extremely clear policies on Apple’s part that its Developer Enterprise Program was not to be used in any way to release apps to external users, regardless of the purpose of those apps. While Facebook didn’t further clarify Martin’s comments, he may have been speaking of the many other apps that were later discovered to also be abusing enterprise certificates, but as most of us learned in grade school, just because everybody else is breaking the rules doesn’t justify breaking them yourself.
In fact, Facebook has relaunched its research app as Study, although naturally it’s only available on Google Play for Android devices, and Facebook is being a bit more circumspect now, requiring that users be approved through its research partner, Applause, and promising to be more transparent about how it collects user data.
However, as Senator Blumenthal points out, the move shows where Facebook’s priorities lie, and despite Mark Zuckerberg’s grandiose promises of a major privacy overhaul, it seems pretty clear that actions speak louder than words.
After its previous app was rightly taken down and blocked from operating, Facebook moved more quickly to reintroduce a market research product than it has to provide any substantial consumer privacy protections or resolve the significant abuse on its platform. At a time when the company is under investigation for its data practices and anticompetitive actions, the Facebook Study app is at best tone-deaf and ill-considered.U.S. Senator Richard Blumenthal (D-CT)
Meanwhile, it’s safe to say that we probably won’t see a reappearance of Facebook’s research app in the Apple world, and in fact it’s quite likely that the social media giant is going to remain under Apple’s microscope for the foreseeable future.