Facebook Pays Teens to Install VPN That Spies on Them
Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.
Previously:
- Facebook’s “Protect” Feature
- How Facebook Squashes Competition From Startups
- Background Data and Battery Usage of Facebook’s iOS App
- Uber Used Private API to Access iPhone Serial Number
- Apple Removed Dash From the Mac App Store
This is blatantly against Apple’s rules for enterprise app distribution. It’s not arguable. It’s not even close.
Facebook is slapping Apple in the face, in broad daylight, for the world to see, because they know they’re invincible.
To my eyes, this action constitutes Facebook declaring war on Apple’s iOS privacy protections. I don’t think it would be out of line for Apple to revoke Facebook’s developer certificate, maybe even pull their apps from the App Store. No regular developer would get away with this. Facebook is betting that their apps are too popular, that they can do what they want and Apple has to sit back and take it.
Apple must revoke Facebook’s enterprise certificate. This is a slap in the face of every honest developer, a blatant corruption of App Store rules, and a disgusting violation of user privacy.
We had an enterprise certificate, and Apple in no uncertain terms explained we could never do anything like this for any purpose, for testing or anything else. Enterprise certs may not be used on devices outside your company, or by users who aren’t your employees.
There is a workaround in the Enterprise signing program where if you legally make the recipient of an app an agent of your company, you’re in compliance.
I don’t know what’s in the agreement Facebook has, but they may be making the volunteers “contractors” as a workaround.
I could imagine Facebook paying these people $20 a month being used as an argument that they are actually contractors for Facebook.
here, Facebook straight up lies to @JoshConstine about this. full stop. everyone with an Enterprise Certificate knows that it is for internal-use apps to be used only by employees. Apple even calls you and confirms that you understand this, plus it is right in the agreement.
Another update relating to consent. FB statement said teens had provided parental consent before using the program. I asked FB what exactly that meant - signed form, scanned? - they said the vendors handled it. For at least one of the vendors, consent was basically a checkbox.
Apple’s response, via a PR rep this morning: “We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
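As an added defensive example, not code from any of the sources quoted here: a small Python audit that reads an app's embedded provisioning profile (`embedded.mobileprovision`, a CMS envelope around an XML plist) and flags enterprise-signed apps whose team is not the organisation's own, which is the consumer-distribution pattern Apple's statement describes. The profile bytes, team names and team identifiers are constructed for the example, and the CMS signature is not verified.

```python
import plistlib
from datetime import datetime, timezone

# Constructed stand-in for an app's embedded.mobileprovision: the real file is
# a CMS SignedData envelope whose payload is this XML plist. The bytes around
# the plist are placeholders, not a real signature.
SAMPLE_PROFILE = (
    b"\x30\x82CMS-ENVELOPE-PLACEHOLDER"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0"><dict>'
    b"<key>AppIDName</key><string>Research Client (constructed)</string>"
    b"<key>TeamName</key><string>Example Vendor Inc (constructed)</string>"
    b"<key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>"
    b"<key>ProvisionsAllDevices</key><true/>"
    b"<key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>"
    b"</dict></plist>"
    b"SIGNATURE-PLACEHOLDER"
)

def extract_plist(blob):
    """Locate the XML plist inside the CMS blob. The signature is NOT checked
    here; on macOS `security cms -D -i embedded.mobileprovision` does both."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(profile, now=None):
    """Report how the profile lets the app be installed, and on whose devices."""
    now = now or datetime.now(timezone.utc)
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise-in-house"    # installs on any device trusting the cert
    elif profile.get("ProvisionedDevices"):
        kind = "ad-hoc-or-development"  # limited to the listed device UDIDs
    else:
        kind = "app-store"
    exp = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    expired = exp is not None and exp.replace(tzinfo=timezone.utc) < now
    return {"kind": kind, "team": profile.get("TeamName"),
            "team_ids": list(profile.get("TeamIdentifier", [])), "expired": expired}

def needs_review(profile, own_team_ids):
    """Enterprise-signed app from a team other than our own: what a fleet
    audit of managed devices should surface for a human to look at."""
    info = classify_profile(profile)
    return info["kind"] == "enterprise-in-house" and not (set(info["team_ids"]) & set(own_team_ids))

if __name__ == "__main__":
    prof = extract_plist(SAMPLE_PROFILE)
    print(classify_profile(prof))
    print("review:", needs_review(prof, {"MYCOMPANY1"}))
```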
There’s nothing “aggressive” about revoking Facebook’s ability to continue to violate Apple’s direct rules. It’s literally the least they could do, and it’s not nearly enough. Facebook is testing Apple’s credibility on privacy here. So far Facebook is winning.
Let’s be clear. If any other developer did this, they wouldn’t just lose enterprise distribution — they’d lose their entire developer account and all of their apps would be removed from the Store.
Facebook gets VERY special treatment because of their size and importance.
Tom Warren and Jacob Kastrenakes:
Apple has shut down Facebook’s ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release “dogfood” (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we’re told, as the affected apps simply don’t launch on employees’ phones anymore.
This doesn’t mean that Facebook is being removed from the App Store. But it does mean that Facebook will no longer be able to widely distribute apps on Apple’s platform without approval.
It also means that, for now, Facebook employees can’t use unreleased apps on Apple devices. Facebook is famous in Silicon Valley for “dog fooding,” a practice in which employees internally test new features before they are released to the public. Employees use internal apps for everything from testing bugs in software to coordinating the use of private shuttle buses that take them to and from work every day.
Because of Apple’s sudden action against Facebook, people familiar with the matter told Cheddar that Facebook employees are unable to use their internal apps on Apple devices. Some Facebook employees privately voiced concern on Wednesday that Facebook is being unfairly targeted by Apple, the people said.
Use of enterprise certificates to distribute apps to the public on iOS is pretty wide. I remember when I was in China, I got handed flyers for apps while walking down the street that explained how to install the cert.
Ironically, to distribute internal builds of apps, my team ended up buying random “shell” developer accounts on Taobao of random companies because getting access to the official enterprise certs was too complicated.
Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple, TechCrunch has learned.
In its app, Google invites users aged 18 and up (or 13 if part of a family group) to download the app by way of a special code and registration process using an Enterprise Certificate.
[…]
After we asked Google whether its app violated Apple policy, Google announced it will remove Screenwise Meter from Apple’s Enterprise Certificate program and disable it on iOS devices.
Guys, 10,000 apps use Enterprise Certs against the rules. Facebook’s problem was the malintent and consumer harm and PR.
Others like Google don’t have that.
Facebook threatened Research app users with legal action for publicly discussing the VPN, I’ve learned, yet it claims there was “nothing secret about it”. 🤨
Apple owns a platform that enables & profits immensely from surveillance, while we let them get away with hawking privacy as a feature as if it’s true.
Apple selling privacy as a feature is akin to vendors like McAfee & Symantec, who are basically selling FUD and making users buy expensive yearly anti-virus subscriptions for their Windows PCs, not knowing that Windows Defender exists or how poorly this software performs.
The privacy fear factor is rampant in the minds of general consumers: Someone just told me he’ll only buy iPhones because he thinks Google’s tracking in Android cannot be disabled.
Profiting from FUD works, whether it is for selling product or in politics.
Apple knows it, and is milking this to the extreme, regardless of how far they need to stretch the truth.
Most tech reporters still haven’t discovered GDPR Article 8 and recitals 38 and 58. There’s no way that teens ‘consented’ to the requirements that Sandberg pledged to honor in Brussels last year.
In Apple’s vision of the future we all work on iPads, not Macs or Windows.
In that vision Apple has the ability to shut down that entire company’s computer infrastructure at will, at any time, on a whim, and we are just supposed to accept that state of affairs.
We laugh at Facebook’s employees not being able to run their lunch booking app, or internal chat room, because Facebook is a horrible company.
But Apple shouldn’t actually have that power.
Apple has now shut down Google’s ability to distribute its internal iOS apps, following a similar shutdown that was issued to Facebook earlier this week.
Oh damn – Apple ain’t playin’.
I wonder if they’ll hunt down other abuses of Enterprise Certificates (of which there are many, I can assure you) – not just the ones of their highest profile enemies.
My point of sale startup had issues because competitors, including Apple’s blessed one, used Enterprise dev certificates for distribution, and Apple didn’t do anything with multiple reports.
On background, the story was that Apple understood it wasn’t plausible to ship mission-critical software on a platform with App Store review rules.
This was also why companies were allowed to circumvent IAP rules; it was silly to take 30% of software that was 4 digits.
If Apple had bothered to evolve past their first draft of App Store monetization and adjusted to reality, all sorts of things would have been better for Apple, consumers, and developers.
In two days, Apple has knocked out some of the business operations of two of its biggest competitors at the flick of a switch.
Also, obviously a coincidence, but nobody is talking much about the FaceTime eavesdropping bug anymore.
Update (2019-02-12): Chance Miller:
In a new statement today, Facebook says that Apple has restored its access to enterprise certificates. This means that Facebook can now use its internal applications again, which were rendered useless earlier this week when Apple barred the company’s access to enterprise certification.
[…]
In a leaked memo obtained by Business Insider, Facebook continues to defend its Research app, as well as its decision to distribute it via enterprise certificates.
Hey @tim_cook and @pschiller Amazon is violating the Enterprise program with their Flex app.
Sonos distributes beta versions of their iOS app via the Enterprise program to consumers.
Also, here’s the link to DoorDash showing how they distribute an app to non-employees via the Enterprise Developer program
There are two things there:
- Could the Flex/DoorDash apps—for contractors—count as “enterprise” usage in a way that FB’s and Google’s “research” apps don’t?
- The impact of killing those apps goes way beyond a bunch of Googlers and FB employees—it affects people delivering food.
Apple revoked Google’s Enterprise Certificate and as a result, none of Google’s internal apps are functional. Pre-release versions of iOS apps like Google Maps, Hangouts, Gmail, and more stopped working today, along with employee transportation and cafe apps.
[…]
Apple has restored Google’s Enterprise Certificate so its internal apps now function again, TechCrunch confirmed with a source after a Bloomberg journalist reported the development.
See also: Hacker News, Accidental Tech Podcast, Exponent, The Talk Show.
Following last month’s revelations that Facebook and Google were using Apple’s enterprise developer program to bypass the App Store and collect analytics from participating users, TechCrunch now reports that dozens of pornography and gambling apps are abusing the program as well.
Wow. TBH, this makes the case for sideloading better than anything else I can think of; despite the seeming proliferation of unapproved apps, we have yet to see them cause a single (public) security breach. People have been sideloading for years and the sky hasn’t fallen down.
Either Apple has been purposefully looking the other way on this, or they’ve been asleep at the switch and a reckoning is coming.
B-b-b-but Facebook outsourced to PAID “contractors”, verification was handled by “outside vendors” and they were using the “enterprise deployment” infrastructure as designed!
Facebook “threatened” them because there was likely a micro-NDA embedded in their EULA, and again they were PAID.
Silly Valley outsources everything, all Facebook did was pay testers as micro-temp contractors. What’s the problem? /sarc
I think Kyle Howells nails it. That is the exact problem. We are focused on outcome-based judgement, having Facebook punished. But step back and think about it: should a single company have the power to determine what people are allowed to run on their own devices?