Desperate for data on its competitors, Facebook has been secretly paying people to install a "Facebook Research" VPN that lets the company suck up all of a user's phone and web activity, similar to Facebook's Onavo Protect application that Apple banned in June and that was removed in August. Facebook bypasses the App Store and rewards teenagers and adults for downloading the Research app and giving it root access, in what may be a violation of Apple's policy, so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch that it was running the Research program to collect usage data and had no plans to stop.
Facebook pays users aged 13 to 35 up to $20 a month plus referral fees to sell their privacy by installing the Facebook Research application on iOS or Android. Facebook even asked users to take a picture of their Amazon Order History page. The program is administered through the beta-testing services Applause, BetaBound and uTest to conceal Facebook's involvement, and is referred to in some documents as "Project Atlas" – an appropriate name for Facebook's effort to chart new trends and rivals across the globe.
Facebook's Research app asks users to "Trust" it with broad access to their data
We asked Guardian Mobile Firewall security expert Will Strafach to dig into the Facebook Research application, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will be able to continuously collect the following types of data: private messages in social media applications, chats from instant messaging applications – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location-tracking applications you may have installed." It is unclear exactly what data Facebook is interested in, but it gets almost unlimited access to a user's device once they install the app.
The strategy shows how far Facebook is willing to go and how much it is willing to pay to defend its dominance – even at the risk of violating the rules of Apple's iOS platform, on which it depends. Apple may try to block Facebook from continuing to distribute its Research application, or even revoke its permission to offer employee-only apps, and the situation could further strain relations between the technology giants. Apple's Tim Cook has repeatedly criticized Facebook's data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point. TechCrunch has spoken to Apple, and it is aware of the problem, but the company did not provide a statement before press time.
The Facebook Research program is referred to as Project Atlas on sign-up sites that do not mention Facebook's involvement
"The quite technical-sounding 'install our root certificate' step is terrifying," Strafach tells us. "This gives Facebook uninterrupted access to the most sensitive data about you, and most users will not be able to consent to that regardless of any agreement they sign, because there is no good way to express how much power is handed to Facebook."
Facebook's Surveillance App
Facebook first got into the data business when it acquired Onavo for about $120 million in 2014. The VPN application helped users track and minimize their mobile data plan usage, but also gave Facebook deep analytics about what other applications they were using. Internal documents acquired by Charlie Warzel and Ryan Mac of BuzzFeed News reveal that Facebook was able to use Onavo to learn that WhatsApp was sending more than twice as many messages a day as Facebook Messenger. Onavo allowed Facebook to see WhatsApp's meteoric growth and to justify paying $19 billion to buy the chat startup in 2014. WhatsApp has since tripled its user base, demonstrating Onavo's predictive power.
Since then, Onavo has informed Facebook about which apps to copy, which features to build, and which failures to avoid. By 2018, Facebook was promoting the Onavo app as a security app within the main Facebook application, hoping to gain more users to listen in on. Facebook also launched the Onavo Bolt application, which let you lock applications behind a passcode or fingerprint while it watched you, but Facebook shut the app down the day it was discovered, after privacy criticism. Onavo's main application remains available on Google Play and has been installed more than 10 million times.
The backlash intensified after security expert Strafach detailed in March how Onavo Protect was reporting to Facebook when a user's screen was on or off, along with their Wi-Fi and cellular data usage in bytes, even when the VPN was turned off. In June, Apple updated its developer policy to prohibit collecting data about the usage of other applications, or data that is not necessary for an application to function. Apple went on to inform Facebook in August that Onavo Protect violated these data collection policies and that the social network needed to remove it from the App Store, which it did, Deepa Seetharaman of the WSJ reported.
TechCrunch recently received a tip that, although Onavo Protect had been banished from Apple's App Store, Facebook was paying users to install a similar VPN application under the Facebook Research name from outside the App Store. We investigated and learned that Facebook was working with three beta-testing services to distribute Facebook Research: BetaBound, uTest and Applause. Facebook began distributing the Research VPN application in 2016. It has been referred to as Project Atlas since at least the middle of 2018, around when the backlash against Onavo Protect grew and Apple introduced its new rules that prohibited Onavo. Facebook did not want to stop collecting data on people's phone usage, so the Research program continued, in disregard of Apple's ban on Onavo Protect.
The Facebook Research app on iOS
Ads (shown below) for the program, run by uTest on Instagram and Snapchat, sought teens aged 13-17 for "paid social media surveys." The sign-up page for the Facebook Research program administered by Applause does not mention Facebook, but seeks users "Age: 13-35 (parental consent is required for ages 13-17)." If minors attempt to register, they are asked to obtain permission from their parents with a form that discloses Facebook's involvement and says, "There are no known project-related risks; you acknowledge that the inherent nature of the project involves tracking personal information via your child's use of apps. You will be compensated by Applause for your child's participation." For kids short on cash, the payments could coerce them into selling their privacy to Facebook.
The Applause site explains what data could be collected by the app: "By installing the software, you give our client permission to collect data from your phone that will help them understand how you browse the Internet and how you use the features in the applications you have installed. This means that you allow our client to collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, and how other people interact with you or your content within those apps. You also allow our client to collect information about your Internet browsing activity (including the websites you visit and the data that is exchanged between your device and those websites) and your use of other online services. There are some instances where our client will collect this information even when the application uses encryption, or from within secure browser sessions."
Meanwhile, the BetaBound sign-up page, with a URL ending in "Atlas", explains that "For $20 a month (via electronic gift cards) you will install an application on your phone and let it run in the background." Initially, this site does not mention Facebook either, but the Facebook Research installation guide reveals the company's involvement.
Facebook seems to have deliberately avoided TestFlight, Apple's official beta-testing system, which requires applications to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the application from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and to "Trust" Facebook with root access to their phone and much of the data it transmits. Apple requires developers to agree to use this certificate system only for distributing internal corporate applications to their own employees.
Security expert Will Strafach found that the Facebook Research application contains a lot of code from Onavo Protect, the Facebook-owned app that Apple banned last year
Once installed, users just had to keep the VPN running and sending data to Facebook to get paid. The Applause-administered program asked users to take pictures of their Amazon orders. This data could help Facebook tie browsing habits and usage of other applications to purchase preferences and behavior. That information could be used to sharpen ad targeting and to understand which types of users buy what.
TechCrunch commissioned Strafach to analyze the Facebook Research application and find out where it was sending data. He confirmed that data is routed to "vpn-sjc1.v.facebook-program.com", which is associated with Onavo's IP address, and that the facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store and is linked to the email address PeopleJourney@fb.com. He also found that the Enterprise Certificate indicates Facebook renewed it on June 27, 2018 – weeks after Apple announced its new rules banning the similar Onavo Protect application.
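The hostnames named in this analysis are the kind of indicator a defender can search for in DNS resolver logs. The following is an added example, not code from TechCrunch or Strafach: it flags clients that queried hosts under facebook-program.com (named in the article) or onavo.com (assumed relevant because the article mentions graph.onavo.com); the log format, client addresses and timestamps are constructed.

```python
from collections import defaultdict

# facebook-program.com is named in the article; onavo.com is included on the
# assumption that the article's graph.onavo.com reference makes it relevant.
WATCHED_SUFFIXES = ("facebook-program.com", "onavo.com")

# Constructed sample log: "<timestamp> <client-ip> <query-name> <record-type>"
SAMPLE_LOG = """\
2019-01-29T10:00:01Z 10.0.0.15 r.facebook-program.com A
2019-01-29T10:00:02Z 10.0.0.15 VPN-SJC1.v.Facebook-Program.com. A
2019-01-29T10:00:03Z 10.0.0.22 graph.onavo.com AAAA
2019-01-29T10:00:04Z 10.0.0.31 notfacebook-program.com A
2019-01-29T10:00:05Z 10.0.0.31 facebook-program.com.example.net A
2019-01-29T10:00:06Z 10.0.0.40 www.example.org A
malformed line
"""

def normalize(name):
    """Lower-case the name and drop the trailing root dot DNS logs often keep."""
    return name.strip().rstrip(".").lower()

def matches_watched(name, suffixes=WATCHED_SUFFIXES):
    """Match on label boundaries so look-alike domains are not flagged."""
    host = normalize(name)
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_hits(log_text):
    """Return {client_ip: sorted list of watched hostnames it queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the constructed format
        _ts, client, qname, _rtype = parts
        if matches_watched(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in sorted(find_hits(SAMPLE_LOG).items()):
        print(client, ", ".join(names))
```

Matching on whole labels rather than a plain substring keeps `notfacebook-program.com` and `facebook-program.com.example.net` out of the results.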
to their servers). The only information that is knowable here is the access that Facebook is capable of based on the code in the app. And this is very painful," explains Strafach. "They can respond and claim that they actually retain only very specific limited data, and that may be true; it really comes down to how much you believe Facebook's word on it. The most charitable story about this situation would be that Facebook has not thought too much about the level of access they have provided, which is a striking level of inattention by itself, if so."
"Stupid Apple Violation"
In response to TechCrunch's inquiry, a Facebook spokesperson confirmed that the company is running the program to learn how people use their phones and other services. The spokesperson told us: "Like many companies, we invite people to participate in research that helps us identify the things we can do better. Since this research aims to help Facebook understand how people use their mobile devices, we've provided detailed information about what type of data we collect and how they can participate. We do not share this information with other people and people can stop participating at any time."
Facebook's Research app requires Root Certificate access, which lets Facebook collect almost any piece of data transmitted from your phone
The spokesperson claimed that the Facebook Research application is in line with Apple's Enterprise Certificate program, but did not explain how, given the evidence to the contrary. They said Facebook launched its first Research application program in 2016. They tried to liken the program to a focus group and said that Nielsen and comScore run similar programs, but neither of those asks people to install a VPN or provide root access. The spokesperson confirmed that the Facebook Research program does recruit teenagers, but also other age groups from around the world. They said that Onavo and Facebook Research are separate programs, but admitted that the same team supports both, as an explanation for why their code is so similar. However, Facebook's claim that it does not violate Apple's Enterprise Certificate policy is directly contradicted by the terms of that policy. Those include that developers "distribute provisioning profiles only to your employees and only in conjunction with your internal-use applications for the purpose of developing and testing." The policy also states that "You may not use, distribute or otherwise make your internal-use applications available to your customers" unless they are under the direct supervision of employees or on company premises. Given that Facebook's customers are using the Enterprise Certificate-powered app without supervision, Facebook appears to be in violation.
Facebook disobeying Apple so directly could harm their relationship. "The code in this iOS app strongly indicates that this is just a badly re-branded build of the banned Onavo application, now using a Facebook-owned Enterprise Certificate in direct violation of Apple's rules, allowing Facebook to distribute this application without Apple review to as many users as they want," says Strafach. ONV prefixes and references to graph.onavo.com, "onavoApp://" and "onavoProtect://" custom URL schemes are scattered throughout the application. "This is a gross violation on many fronts, and I hope that Apple will act expeditiously in revoking the signing certificate to make the application invalid."
the social network in favor of Snapchat, YouTube, and the acquisition of Facebook from Facebook. Insights into how popular the Chinese video app TikTok and meme sharing are with teenagers led Facebook to launch a clone called Lasso and begin developing a meme-browsing feature called LOL. But Facebook's desire for data on teenagers riles critics at a time when the company has been battered in the press. Analysts on tomorrow's Facebook call should ask what other ways the company has of gathering competitive intelligence.
In the wake of the Cambridge Analytica scandal, Cook said: "I wouldn't be in this situation. The truth is that we could make a lot of money if we monetized our customers, if our customer was our product. We chose not to do that." Zuckerberg told Ezra Klein that he thought Cook's comment was "very clear."
It is now clear that even after Apple's warnings and the removal of Onavo Protect, Facebook is still aggressively collecting data on its competitors through Apple's iOS platform. "I've never seen such an open and apparent violation of Apple's App Store developer rules," Strafach concluded. If Apple shuts down the Research program, Facebook will either need to think of new ways to monitor our behavior in a privacy-conscious climate or be left in the dark.
Additional Reporting by Zack Whittaker