Facebook pays volunteers to install app that collects private data – report

Kyle Chua
(3rd UPDATE) Apple revokes software certificates letting Facebook take part in its Enterprise Developer Program to work in-house on applications for the Cupertino-based company's devices

MANILA, Philippines (3rd UPDATE) – Facebook secretly paid volunteers as much as $20 a month to install “Facebook Research,” an app that monitors and collects data from its users, according to an investigative report from TechCrunch.

The app requires the user to enable Root Certificate access, which allows it to bypass iOS and Android security features and harvest data. The data includes things like social media private messages, web searches, emails, and even location information.

Facebook even asked users to screenshot and share their Amazon order history.

How it works

In August of last year, Apple asked Facebook to pull its virtual private network app Onavo from the App Store for violation of data collection policies. Onavo reportedly gathered information of how people used their smartphones outside of Facebook’s services, which offered the social network giant insight into their competition.

Facebook this time around, however, has managed to sidestep the App Store and cover up their involvement in their own program.

TechCrunch adds the program referred to as “Project Atlas” was launched in 2016. It managed to recruit volunteers between the age of 13 to 35 through beta testing services Applause, BetaBound and uTest.

uTest, in particular, even ran ads about a paid social media research on Instagram and Snapchat.

The sign-up pages of these services, meanwhile, have no mention of Facebook but disclose all the data that would be collected from participants.

“Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate,” a Facebook spokesperson told TechCrunch. “We don’t share this information with others and people can stop participating at any time.”

The spokesperson also made it clear that the program was not in violation of any of Apple’s App Store policies, though there is evidence pointing to the actions being contradictory to Apple’s Enterprise Certificate Policy.

Speciically, Facebook’s customers – in this case, the app users – should, according to the policy, not have access to the app at all as its use is meant for employees only “and only in conjunction with Your Internal Use Applications for the purpose of developing and testing”.

As app users are using the Enterprise Certificate-powered app unsupervised, Facebook may be violating Apple policy.

Shutting down the iOS app

In a report on The Verge on Wednesday, January 30, Facebook said it would shut down the Facebook Research app on iOS, though the app will remain active on Android devices.

Facebook also released a statement objecting to TechCrunch’s report, saying, “Key facts about this market research program are being ignored.” 

“Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5% of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms,” Facebook added.

Apple fires back

On Wednesday, Apple revoked software certificates letting Facebook take part in its Enterprise Developer Program to work in-house on applications for the Cupertino-based company’s devices.

“Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple,” Apple said.

The news could be a further embarrassment for Facebook, which has been under heightened scrutiny over failing to crack down on manipulation of its platform and for sharing private data with its business partners. – with reports from Agence France-Presse/Rappler.com