Three U.S. Senators are seeking answers from Apple, Facebook, and Google regarding Facebook’s invasive research app that paid consumers — including teens — to allow the company to collect staggering amounts of personal data on how they used their mobile phones.
Facebook’s research study app, dubbed Project Atlas, came to light last week when an investigative report by TechCrunch revealed that the company was paying users in the form of gift cards to side-load an app that it had released under Apple’s Developer Enterprise program — a move that was also in clear violation of Facebook’s licensing agreement with Apple, which explicitly states that the Developer Enterprise program is only to be used for its intended purpose of allowing companies to build apps for internal use by their own employees, on their own company premises.
Now, in a series of letters sent out today by Senators Richard Blumenthal (D-CT), Edward Markey (D-MA), and Josh Hawley (R-MO), the trio of U.S. senators is demanding that the companies explain exactly how the whole situation came to be, pressing Facebook for information on the nature and extent of its research study, and asking Apple and Google to explain what they knew about it and about the policies and procedures for handling apps on their respective platforms.
In the letter to Facebook CEO Mark Zuckerberg, the trio of senators expresses concerns that “Facebook is collecting highly-sensitive data on teenagers” and creating a profile of their behaviour “without adequate disclosure, consent, or oversight.” The letter also notes that the reports amplify the longstanding concerns about Facebook’s intrusion into personal privacy, and suggests that the social media giant may have even used this data to “engage in potentially anti-competitive behaviour.”
“We write concerned about reports that Facebook is collecting highly-sensitive data on teenagers, including their web browsing, phone use, communications, and locations — all to profile their behaviour without adequate disclosure, consent, or oversight. These reports fit with longstanding concerns that Facebook has used its products to deeply intrude into personal privacy.” (Letter to Facebook from U.S. Senate)
The letter goes on to pillory Facebook, noting that despite the requirement of parental consent for users younger than 18, “the program appears to have specifically targeted teens” and did not take steps to properly verify parental consent. The letter cites the teen-targeted ads for the program, and a journalist who found that the registration page “failed to impose meaningful checks on parental consent,” as two examples, noting that Facebook has “more rigorous mechanisms” in place, such as those used for Messenger Kids, and questioning by implication why Project Atlas had such “lax oversight of teen privacy” — especially in light of the “deeply invasive” data collection.
The three senators also express grave concerns about the way in which Project Atlas collected data, and outright accuse Facebook of creating Project Atlas to deliberately bypass Apple’s previous ban of the Onavo Protect app last year, “circumventing Apple’s attempts to protect consumers” by distributing the app through the Developer Enterprise program instead. The senators are asking Facebook to explain the timeframe and scope of Project Atlas, particularly in regard to the number of participants under 18 years of age, whether it targeted and specifically recruited teens, and why it used a less strict method for verifying parental consent than that found in its own Messenger Kids app. The letter also seeks to determine what types of data were collected, whether Facebook used the root certificate privileges granted by the Enterprise certificate to inspect encrypted traffic, the purposes for which the collected data was used and for how long it was retained.
In the letter, the senators also pointedly ask Facebook why they chose to deliberately “bypass Apple’s app review” and to provide a list and description of any other apps the company may have created for non-internal purposes under Apple’s Developer Enterprise program. They also want to know whether data from Onavo or Project Atlas was used to monitor non-Facebook products or services for anti-competitive reasons or to “inform Facebook’s acquisition decisions.”
The senators’ letters to Apple CEO Tim Cook and Google SVP Hiroshi Lockheimer focus on how Facebook’s app managed to land on users’ iPhone and Android devices, respectively, requesting information on both companies’ app review processes and Apple’s Developer Enterprise program. Notably, the three senators seem focused on Facebook’s violation, despite the fact that Google has been doing something similar for years, and was also caught blatantly abusing Apple’s Developer Enterprise program to do so. However, since the letter seems primarily concerned with invasive monitoring of teens, Google’s diligence at verifying parental consent may have kept it out of the senators’ crosshairs.
That said, Google’s Screenwise app is mentioned in each of the letters to Apple and Google; however, the senators only seem to be concerned with why Google chose to bypass Apple’s App Store approval process in the same way that Facebook did, and what steps Google took to ensure authentic parental consent for teens. No other information is requested regarding Google’s Screenwise project.
The questions put to Apple also suggest a weaker understanding of how the Developer Enterprise program works, such as asking on how many devices the app was installed, information that would not normally be available to Apple, since enterprise apps are installed directly and not via Apple’s servers. Apple is specifically requested to explain whether the collection of “browsing histories, communications content, or app usage from a user’s device violate[s] the App Store terms of service” as well as why the company considered it necessary to update its terms of service in June 2018 to “ban the collection of data about other apps.” The senators also ask about what steps Apple can take to protect its users and whether it will “pursue such any [sic] remedies with respect to the Project Atlas app” and whether it plans to “allow the Project Atlas app on its devices in the future.” The letter asks similar questions about Google’s Screenwise Monitor app, and whether either Google or Facebook have “bypassed the App Store approval processing using enterprise certificates for any other non-internal apps” — again something that Apple is unlikely to know based on the nature of the Developer Enterprise program.
“In light of recent invasions of children’s and teens’ privacy, including those described above, would Apple support federal legislation to create new privacy safeguards for children and teens online?” (Letter to Apple from U.S. Senate)
All three letters end with the same final question about whether the companies would be in support of federal legislation that would create new privacy safeguards for younger online users, making it fairly clear that the fact-finding mission is part of a larger move toward the ongoing support of new privacy legislation that has long been under discussion in both the Senate and Congress.