UPDATE 6:14 p.m. EST with comments from lawmakers reacting to the latest Facebook controversy.
Another day, another revelation of Facebook's dubious actions: Since 2016, Mark Zuckerberg's company has been paying users ages 13 to 35 up to $20 per month for what amounts to full access to their iOS and Android phones' network activity, giving Facebook valuable data about how people use other companies' apps.
This is the latest in a very long list of questionable tactics by the social network, such as sharing your private data with advertisers and political research organizations. Just four days ago, newly released court documents showed that the company used "freemium games to make large sums of money off young gamers."
Now, a TechCrunch report alleges that Facebook has been "secretly paying people to install a Facebook Research VPN [Virtual Private Network] that lets the company suck in all of a user's phone and web activity."
What Facebook did
The app in question is very similar to Onavo Protect, another Facebook VPN app that was pulled from Apple's App Store after it was found to be spying on users. A VPN routes all of a device's internet traffic, inbound and outbound, through an intermediate server. In both of these cases that server was Facebook's, and it could have saved every single byte of transmitted data.
At TechCrunch's request, Will Strafach of the security company Guardian Mobile Firewall examined the Facebook Research VPN app to see what it could be doing.
Strafach said that because the VPN app asked users to install and trust a root certificate (see image below), which lets Facebook's VPN server decrypt the device's TLS-encrypted connections rather than merely relay them, Facebook could have been saving "private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed."
In response, Facebook gave the following statement to The Verge:
“Key facts about this market research program are being ignored,” the company said. “Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
According to The Verge, Facebook has since shut down the research app for iOS, but it will still be available for installation on Android.
Neither app ever appeared in either platform's official app store. Rather, the app had to be "sideloaded" from one of three beta-testing programs, one of which was still reachable at the time of writing.
Facebook admitted to TechCrunch that it was "running the Research program to gather data on usage habits."
The Facebook Research app is very similar to Onavo Protect, a free VPN app offered by Facebook that security experts warned harvested a lot of user data, such as how people use other companies' apps.
Both Android and iOS "sandbox" apps so that one app cannot normally observe another app's activity on the same device. Onavo Protect and Facebook Research get around this restriction at the network layer: as the device's VPN, the app sees every packet going to and from the phone, and with Facebook's root certificate trusted, the encrypted contents of those packets can be decrypted on Facebook's server as well.
Such information would be very valuable to Facebook, both to capture behavior that Facebook could incorporate into the user profiles it presents to advertisers, and to get a heads-up on any apps that might compete with Facebook products.
In a series of tweets, Strafach said that Facebook Research was "literally all just Onavo code with a different [user interface]," and shared screenshots to prove his point.
The Facebook Research app, however, wasn't a public app but an "employee app." Apple allows companies and other enterprises to distribute their own apps to employees outside the App Store through private links. The apps can be installed on iPhones because they are "provisioned" with enterprise certificates, which Apple issues through its Developer Enterprise Program to companies that apply for them.
Strafach told TechCrunch that the wording Facebook used when asking users to install its root certificate (what TechCrunch described as asking for root access to the phone) sounded innocuous even though it meant users gave Facebook "continuous access to the most sensitive data about you."
"Most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this," Strafach said.
If this all disturbs you, here's how to delete your Facebook account.
How Apple responded
In a statement to Recode, Apple said that Facebook's use of an enterprise certificate to distribute the Facebook Research app was "a clear breach of their agreement with Apple."
"Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked," Apple said, "which is what we did in this case to protect our users and their data."
The implication of Apple's statement is that all of Facebook's enterprise certificates may have been revoked. Because iOS checks the signing certificate when an enterprise app launches, revocation does not just block new installs; apps already on employees' devices stop opening as well. Indeed, various reports suggested that Facebook employees were having trouble using internal apps on iOS devices today, affecting everything from internal communications to accessing company data.
Lawmakers weigh in
By the end of the day, legislators were weighing in on Facebook's latest controversy. Sen. Mark Warner (D-Va.) sent a letter to Facebook's Mark Zuckerberg expressing concern about the social network's conduct. "I have concerns that users were not appropriately informed about the extent of Facebook’s data-gathering and the commercial purposes of this data collection," Warner wrote in his letter. "Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me."
Sen. Josh Hawley (R-Mo.) took to Twitter to express his dismay over the report. "Facebook PAID teenagers to install a surveillance device on their phones without telling them it gave Facebook power to spy on them?" Hawley asked. "Some kids as young as 13. Are you serious?"
Meanwhile, in a statement provided to TechCrunch, Sen. Richard Blumenthal (D-Conn.) seemed to call for a Federal Trade Commission investigation into Facebook's behavior. "Wiretapping teens is not research, and it should never be permissible," Blumenthal said. "This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior."
If these ongoing controversies are hurting Facebook in any way, it's not showing up on the company's bottom line. This afternoon, Facebook announced record profits for the fourth quarter of 2018.