A damning report from TechCrunch has revealed that Facebook has been paying users as young as 13 years old to install a research app that gives them root access to the network traffic on participants’ phones.
The tech giant paid teenagers $20 a month, plus referral bonuses, to download an app that allowed Facebook unprecedented access to users’ phone activity. Through the app, they could monitor and analyze everything from their private messages to their web browsing habits and real-time location data.
Facebook acknowledged to TechCrunch that the app was designed to allow the company to collect data on the participants’ usage habits. In one version of the scheme, participants were even asked for screenshots of their Amazon order history page.
The app appears to be in direct violation of the terms of Apple’s Enterprise Developer Program. Facebook used third-party beta testing services such as Applause, BetaBound, and uTest to distribute the software to users, avoiding Apple’s official beta testing tool TestFlight. An apparent effort to sidestep any potential action from Apple or limits on how many users the company could distribute the application to.
A spokesperson from Apple explained to TechCrunch that: “we designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
Facebook agreed to shut down the operation for Apple users in response to the TechCrunch report
Originally Facebook advertised the opportunity as a paid social media research study, code-named Project Atlas, in 2016 on Snapchat and Instagram via uTest, targeting 13 to 17-year-old social media users. Sign up for the program via Applause and BetaBound failed to clearly mention Facebook as instigating the project, suggesting that the company wanted to run it as covertly as possible. Once users signed up and began the download process, they were prompted to install the Root Certificate, which gave Facebook full access to their digital lives.
Will Strafach, Guardian Mobile Firewall’s security expert explained to TechCrunch that: “the fairly technical sounding ‘install our Root Certificate’ step is appalling.
A Facebook spokesperson has firmly denied that the company misled participants or that the program violated Apple’s terms: “there was nothing ‘secret’ about this...it wasn’t ‘spying’ as all of the people who signed up to participate went through a clear
Apple’s policies aside, it is also a gross violation of personal privacy, regardless of the fact that the participants were paid or that the minors participating in the market research project allegedly provided parental consent. This incident shows just how out of touch Facebook has become with protecting the privacy of its users. The fact that the company would exploit young people for their valuable personal data for a mere 20 bucks is alarming and inexcusable