Facebook pays users to sideload data-gathering VPN in apparent violation of Apple privacy policies [u]
Facebook appears to be once again flouting Apple's developer guidelines regarding user privacy, as a report on Tuesday reveals the social media giant is paying users ages 17 to 35 to install a VPN that aggressively monitors usage habits.
Outlined in an exposé by TechCrunch, Facebook's latest gambit to acquire user data pays participants $20 plus referral fees for nearly unfettered access to iOS usage patterns and activity.
Through the Facebook Research app for iOS, which has been available since 2016, the company collects data by routing the device's network traffic through its own servers; what the report calls "root access" is access to that traffic, not administrative control of iOS itself. Marketed as a "social media research study," the VPN app is distributed through beta testing services Applause, BetaBound and uTest, the report says.
Importantly, Facebook relies on the three software testing platforms to enable sideloading of the Research app, effectively bypassing Apple's App Store and its stringent guidelines. Facebook does not disseminate Research through Apple's TestFlight, presumably because the system involves an app review process and 10,000 user limit.
The entire operation smacks of deception and appears to fly in the face of Apple's good faith developer agreements. In particular, Research asks users to trust an Enterprise Developer Certificate (so the sideloaded app will run) and to install a VPN configuration that sends the bulk of the iPhone's transmitted data through Facebook's servers, the report says. Because ordinary TLS would still hide the contents of that traffic, the app also asks users to trust a Facebook-issued root certificate, which lets the interception point decrypt the encrypted sessions as they pass. As noted by TechCrunch, Apple's developer guidelines place restrictions on the Enterprise Developer Certificate, noting companies are to use the privilege only for internal apps distributed to employees.
Security expert Will Strafach, who was contracted to investigate Research, said the app could make use of the root privilege to collect data pertaining to "private messages in social media apps, chats from instant messaging apps - including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed."
Interestingly, the Research app directs data to an address associated with Onavo Protect, a Facebook VPN app that was found to violate App Store privacy regulations in 2018. At the time, Apple said Onavo Protect ran afoul of data collection restrictions and parts of the iPhone maker's developer agreement covering customer data usage. Facebook pulled Onavo Protect from the App Store shortly after Apple revised its App Store guidelines to reflect stricter policies on data collection.
According to today's report, Facebook claims the Facebook Research and Onavo Protect apps are part of different programs, though they are supported by the same group of engineers. Further, the social media monolith believes the Research project is within the scope of Apple's Enterprise Certificate policy.
"Like many companies, we invite people to participate in research that helps us identify things we can be doing better," Facebook said in a statement to TechCrunch. "Since this research is aimed at helping Facebook understand how people use their mobile devices, we've provided extensive information about the type of data we collect and how they can participate. We don't share this information with others and people can stop participating at any time."
Apple is aware of Facebook Research, but has yet to comment on the matter.
Update: Facebook in a statement to The Verge said it will shut down the Research app on Apple's iOS, but will keep the program live on Android.