This story has been updated.
Facebook has been paying teens and adults to install a “social media research” app that monitors pretty much everything they do on their phones, an investigation by TechCrunch reported on Tuesday evening.
The privacy-challenged social network has been quietly recruiting users from 13 to 35 and asking them to install a “Facebook Research” app that—albeit with opt-in consent, and a legalistic disclaimer—bypasses typical security features on iOS and Android. The app is then capable of vacuuming up data on everything from their browsing history to their encrypted phone conversations and even their Amazon order history.
On Wednesday morning, Apple said in a statement to Fast Company that it was revoking the developer certificates that Facebook relies upon for its internal apps, which had allowed its research app to gain unusual access to users’ iPhones.
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization,” the company said. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
How “Project Atlas” works
Since 2016, Facebook has been quietly paying users $20 a month to use the app, plus compensation for referrals.
“The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as ‘Project Atlas’ — a fitting name for Facebook’s effort to map new trends and rivals around the globe,” writes TechCrunch’s Josh Constine.
Facebook has essentially done an end-run around Apple’s App Store, which last year banned Onavo Protect, a Facebook VPN app that gathered similar data. Facebook heavily marketed the app after it purchased Onavo in 2013, but it was later revealed that Onavo was also a tool for gathering business intelligence. The app helped Facebook collect crucial data on people’s use of WhatsApp that helped justify its 2014 acquisition of that company for $19 billion.
The company apparently used digital ads offering people cash for participating in a “social media research” study. The sign-up pages for the studies make no mention of Facebook.
Once downloaded through Applause or other beta-testing apps, the Facebook Research app asks the user to download and install a so-called Enterprise Developer Certificate that gives Facebook an unusual level of access to their phone.
The developer certificate is intended, Apple says, only for distributing internal corporate apps; distributing such a certificate to non-Facebook employees violates the spirit of Apple’s developer rules.
According to security researcher Will Strafach, Facebook renewed its developer certificate in July, weeks after Apple announced its more stringent set of App Store rules, which stipulated that apps “should not collect information about which other apps are installed on a user’s device.”
In an emailed statement, a company spokesperson defended the project.
“Key facts about this market research program are being ignored,” the statement said. “Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
The political firm Cambridge Analytica, whose misdeeds helped bring about Facebook’s massive privacy scandal last year, also collected user data through a “research” app on Facebook. That app was distributed to paid survey-takers by Cambridge University researchers through Amazon’s Mechanical Turk service, despite numerous complaints from users that the survey’s request for data violated Amazon’s terms. Facebook has claimed it thought that app was only being used for academic purposes, not to create profiles on millions of Americans for use in political campaigns. In 2015, Facebook Research hired one of the researchers behind the app; it fired him in September and has yet to publicly explain what it knew about his role.
The privacy blunders just keep coming for Facebook, even as it prepares to consolidate its Facebook Messenger, WhatsApp, and Instagram apps to further optimize and coordinate the parts of its vast data collection machine. Meanwhile, lawmakers in states around the country and in Washington, D.C. are growing increasingly eager to pass laws that restrict how big tech companies can harvest and use personal data.
Updated to include Facebook’s comment and Apple’s response.