In a shocking development brought to light by the investigative efforts of tech news site TechCrunch, Facebook is yet again the villain in a data collection scheme that has raised several questions and re-ignited a feud between the social media giant and counterpart tech titan Apple.
Desperately trying to stay ahead of the competition, Facebook has, for years, been paying people aged 13 to 35 to get full access to their phone and web activities. Dubbed the Facebook Research app, the VPN has been used to recruit both teenagers and adults into the “research” program, which requires users to grant full access to the app in exchange for a $20 monthly reward as well as referral fees.
But what has left many reeling is the discovery that the Facebook Research app is a poorly refurbished version of Onavo, a data-collection service that Zuckerberg’s company acquired in 2013 for $120 million, which was banned by Apple last year for violating its developer policies.
Facing mounting pressure following the TechCrunch expose, Facebook conceded to shut down the iOS version of the research app, but their stand was quickly rendered meaningless after an Apple spokesperson revealed that due to the violation of their policies, the Facebook Research app had already been banned.
Four Years Too Late
Facebook began its research program shortly after the acquisition of Onavo in 2013. At the time, the VPN app was merely a tool for users to track data usage, but at the same time, it allowed Facebook to collect highly detailed analytics about the apps used in each device.
It is believed that Onavo’s foresight is what pushed the company to pay $19 billion for instant messaging app WhatsApp, which has since tripled its user base.
In 2018, Facebook launched the Onavo Protect app, which side-stepped the Apple App Store by allowing users to download it straight from within Facebook’s main app. Their second Onavo app, the Onavo Bolt, which allowed users to lock apps with passcodes or fingerprint authorization, did not fair as well and was shortly shut down amid claims of privacy violations.
In March 2018, security expert Will Strafach discovered that Onavo Protect had some worrying discrepancies. The app kept sending data to Facebook even when both the screen and the VPN service were turned off.
In June, after updating its developer policies, Apple informed Facebook that the Onavo Protect app was in violation of its revised policies, which specifically banned the collection of data that was not essential to the app’s functioning.
The consequent elimination of the Onavo Protect app from the Apple App Store should have marked the end of Facebook’s data collection. But it didn’t.
Project Atlas
Facebook continued to collect data from its users through a similar VPN app called the Facebook Research app, which could only be sideloaded from its main app. Following the backlash to the Onavo Protect app, Facebook elected to use three beta testing services to distribute their new research app: uTest, Applause and BetaBound.
According to ads run by uTest on Snapchat and Instagram, the research study was seeking teens aged 13 to 17 to participate. Users who signed up for the research program as administered by Applause did not initially see any mentions of Facebook. The service states that it is seeking eligible users of ages 13 through to 35, and requires parental consent for users aged 13 to 17. Facebook’s involvement is only revealed in a permission form that’s necessary for minors to sign up.
Aside from allowing the app to run in the background, the Applause research program requires users to provide a screenshot of their Amazon order history, information that Facebook could use to categorize spending habits based on a user’s phone and web activity.
The BetaBound sign up page explains that users will get $20 in e-gift cards every month when they install the app and allow it to run in the background. It also promises to pay $20 for every friend that’s referred to the program. Again, Facebook’s involvement only becomes apparent in the download instruction manual for the Facebook Research app.
Though Facebook has been distributing the research app since 2016, the project only became known as Project Atlas since 2018.
Facebook’s Brazen Defiance of Apple’s Policies
So far, the Facebook Research app has been discontinued on the iOS platform, though it still continues to collect information from Android users.
Apple’s Enterprise Certificate policy specifically prohibits the distribution of provisioning profiles to non-employees and for external use, and by distributing internal use applications to customers, Facebook exhibited a clear violation of rules.