Facebook Paying Teens $20/Month to Install Data Harvesting VPN App on iPhones

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,010
11,280



Apple in August 2018 forced Facebook to remove its Onavo VPN app from the App Store, because Facebook was using it to track user activity and data across multiple apps, something that violates Apple's App Store policies.

As it turns out, Facebook has found an underhanded way to skirt Apple's rules and get people to continue installing its VPN -- paying them.


TechCrunch this afternoon exposed Facebook's "Project Atlas" program, in which Facebook paid people -- adults and teenagers -- to install a "Facebook Research" VPN that is similar to the Onavo VPN app.

As of 2016, Facebook has been secretly offering people aged 13 to 35 up to $20 per month along with referral fees to sideload the Facebook Research app using an enterprise certificate on iPhone. Enterprise certificates like this are designed to allow companies to distribute internal corporate apps and give full root access to a device.

To hide its involvement, Facebook has been using beta testing services like Applause, BetaBound and uTest to recruit participants to install Facebook Research.

By getting people to sideload an app this way through an enterprise certificate, Facebook has access to data that includes private messages in social media apps, chats from instant messaging apps (including photos and videos), emails, web searches, web browsing activity, and ongoing location information. It's not clear if Facebook is accessing this data, but it could, according to security researcher Will Strafach, who TechCrunch consulted for this piece.
"The fairly technical sounding 'install our Root Certificate' step is appalling," Strafach tells us. "This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this."
The terms of service for the Facebook Research app suggest Facebook was collecting information about the smartphone apps on a participant's phone and how and when those apps are used. Facebook also said it would collect data about activities and content within the apps, and information about internet browsing history. There's even a line suggesting Facebook collects data even when an app uses encryption or from within a secure browser session.

Facebook confirmed the program in a statement provided to TechCrunch and reportedly said that the Facebook Research app was "in line with Apple's Enterprise Certificate program," though that does not seem to be the case based on Apple's Enterprise Certificate policy.
"Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we've provided extensive information about the type of data we collect and how they can participate. We don't share this information with others and people can stop participating at any time."
Apple has been made aware of the issue, but declined to provide a comment to TechCrunch. It's not clear how the Cupertino company will handle the situation, but as TechCrunch points out, Apple CEO Tim Cook has been highly critical of Facebook and its privacy violations. Apple could potentially block the Facebook Research app or revoke Facebook's permission to distribute internal apps entirely.

Full details on Facebook's spying app can be found in TechCrunch's exposé.

Article Link: Facebook Paying Teens $20/Month to Install Data Harvesting VPN App on iPhones
 

Zenithal

macrumors G3
Sep 10, 2009
9,669
10,809
What moron sells all their personal data for at most $20/month. Good lord people are dumb.
A moron who's smart enough to reactivate an old iPhone as a "burner" on a cheap prepaid plan and fill it with useless data and pocket $20/month. I think TMO has a very cheap $3-5 prepaid plan. And because iPhones use iMessage, you won't lose out on the limited text amount or minutes. Netting $15 a month may not seem much, but when you're doing it and screwing over Facebook by submitting dud data, then it's somewhat clever. $180/year for doing practically nothing isn't bad.
 

jtara

macrumors 68000
Mar 23, 2009
1,972
523
It doesn't seem in compliance with the Enterprise Agreement. It is pretty specific.

I looked into the Enterprise Program a while back, for applications used to aid in performing a kind of assessment/certification on homes and commercial buildings. Because the persons doing the assessments were not direct employees of the organization doing the assessments, it was determined it was not eligible for the Enterprise Program. They might be employees, for example, of a partner company, a partner public agency, an independent assessor, etc.

So, the apps were published in the App Store, and homeowners and business owners (or just the curious) were able to perform their own assessments if they wished, but would not be able to get certain reports, or an official government-issued or other similar certificate. (A per-assessment fee was paid by assessors for official certificates and advanced reports.)

It is an EXTREME stretch that an app deployed to Facebook users would be considered a legitimate usage of the Enterprise Developer Program. We could not even get clearance to deploy to e.g. subcontractors. It was our understanding that deploying an Enterprise app for use by subcontractors, partners, etc. was verboten.

It is important to note that Apple does not approve or disapprove apps published in Enterprise stores. But there are still rules - one being that it is basically for internal use by your employees - it's just that Apple would have to somehow discover a violation.

Because Apple does not approve/disapprove Enterprise Store apps, they are able to perform functions that would not be approved in the App Store. For example, they can call private frameworks, they do not have to adhere to content policies, etc.

I will add that our reason for wanting to release through the Enterprise Program was that the apps had a very specific use and were meant to be used by professional assessors. And, yes, there was a fee involved, which in most cases only HELPED pay the costs. They decided it wasn't worth the fight, and they could spin the public availability of the app as an opportunity for public enlightenment.

I have also worked on an Enterprise app that has been distributed through an Enterprise store, and is very much in line with the intent of the program. It's used by field service technicians.

----

Purpose

Your company, organization or educational institution would like to use the Apple Software (as defined below) to develop one or more Internal Use Applications (as defined below) for Apple-branded products running iOS, watchOS, tvOS, and/or macOS, and to deploy these Applications only for internal use within Your company, organization or educational institution or for limited use as expressly set forth herein. Apple is willing to grant You a limited license to use the Apple Software to develop and test Your Internal Use Applications, and to deploy such Applications internally and as otherwise permitted herein on the terms and conditions set forth in this Agreement. You may also create Passes (as defined below) for use on Apple-branded products running iOS or watchOS under this Agreement. Internal Use Applications developed for macOS can be distributed under this Agreement using an Apple Certificate or may be separately distributed.

Note: This Program is for internal use, custom applications that are developed by You for Your specific business purposes and only for use by Your employees and, in limited cases, by certain other parties as set forth herein. If You want to distribute applications for iOS, watchOS, or tvOS to third parties or obtain an application from a third party, then You must use the App Store or Custom App Distribution for distribution
 

definitive

macrumors 68000
Aug 4, 2008
1,977
727
Wow, when will people realize how truly evil Facebook really is.
welcome to the world of social media. they all try to harvest data as much as they can without stepping on people's toes, because that's one of the biggest ways they can make money.

Apple should make an example of them and ban their app, at least temporarily.
it's baked into ios. it would take some major backlash and constant mention by the media for them to do something about facebook. same with twitter.
 

brendu

macrumors 68020
Apr 23, 2009
2,444
2,423
USA
A moron who's smart enough to reactivate an old iPhone as a "burner" on a cheap prepaid plan and fill it with useless data and pocket $20/month. I think TMO has a very cheap $3-5 prepaid plan. And because iPhones use iMessage, you won't lose out on the limited text amount or minutes. Netting $15 a month may not seem much, but when you're doing it and screwing over Facebook by submitting dud data, then it's somewhat clever. $180/year for doing practically nothing isn't bad.
You are either giving them your actual data or you’re working too hard to justify $20/month.
 
  • Like
Reactions: heffsf

brofkand

macrumors 6502
Jun 11, 2006
477
921
Wow, when will people realize how truly evil Facebook really is.

Apple should make an example of them and ban their app, at least temporarily.
Their app doesn't violate Apple's TOS. This isn't an app, though I guess Apple could revoke the certificate they are using for this program. If they use the same cert as their main apps, oh well. Should have thought about that first, Zuckerberg.
 
  • Like
Reactions: iModFrenzy

C DM

macrumors Sandy Bridge
Oct 17, 2011
50,449
18,797
So if the information about this is provided about the user and the user knows what he/she is in for by installing and using this, then it seems it's the user that is making a decision to do it knowing what that entails.
 

Zenithal

macrumors G3
Sep 10, 2009
9,669
10,809
You are either giving them your actual data or you’re working too hard to justify $20/month.
You're over-estimating how difficult it is to generate garbage data. For younger people, this is alright pocket change. Should be a case of cheap beer; a boon for college students.
 
  • Like
Reactions: iModFrenzy