Facebook's Research app, which was banned by Apple in January for violating App Store Review Guidelines, managed to collect personal and potentially sensitive information from some 187,000 users since 2016, according to a report on Wednesday.
The number was divulged in a letter addressed to U.S. Sen. Richard Blumenthal and subsequently seen by TechCrunch. Blumenthal has voiced criticism of Facebook's handling of user privacy matters and the lackadaisical pace of a Department of Justice investigation into the social network.
In all, Facebook said its "Project Atlas" initiative, publicly known as the Research app, obtained data from 187,000 users, including 34,000 teenagers. Of the 31,000 users who had their data collected in the U.S., 4,300 were teenagers, the letter said.
Facebook maintains the operation was driven by analytics, but notes the now-defunct app in some cases received "non-target" information.
"We did not review all of the data to determine whether it contained health or financial data," a Facebook spokesperson told the publication. "We have deleted all user-level market insights data that was collected from the Facebook Research app, which would include any health or financial data that may have existed."
Apple commented on the issue in a separate letter sent to lawmakers in March, the report said. The tech giant admitted it did not know how many devices were running the Research app, which was deployed using Enterprise Developer Certificate and VPN technology typically reserved for business applications.
"We know that the provisioning profile for the Facebook Research app was created on April 19, 2017, but this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users," said Apple director of federal affairs Timothy Powderly.
Apple caught wind of Facebook Research when a report in January outlined the data-gathering initiative that flouted the iPhone maker's developer rules. The exposé discovered Facebook paid program participants $20 plus referral fees to sideload a VPN client on their device, granting nearly unfettered access to iOS usage patterns and activity.
A day after the report went to press, Apple pulled Facebook's enterprise certificate, saying the company was in violation of its Enterprise Developer Program agreement. Google, which was running a similar analytics campaign called Screenwise Meter, saw its certificate revoked that same day.
Apple later restored privileges and in a statement to TechCrunch today confirmed both companies are in compliance with developer rules.