
Facebook pays youngsters to install a VPN that spies on them

Once installed, users just had to keep the VPN running and send data to Facebook to get paid. The Applause-administered program requested that users screenshot their Amazon orders page. This data could potentially help Facebook tie browsing habits and usage of other apps with purchase preferences and behavior. That information could be harnessed to pinpoint ad targeting and understand which types of users buy what.



TechCrunch commissioned Strafach to analyze the Facebook Research app and find out where it was sending data. He confirmed that data is routed to “VPN-sjc1.v.facebook-program.com” which is associated with Onavo’s IP address and that the Facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store and is linked to the email address PeopleJourney@fb.com. He also discovered that the Enterprise Certificate first acquired in 2016 indicates Facebook renewed it on June 27th, 2018 — weeks after Apple announced its new rules that prohibited the similar Onavo Protect app.

“It is tricky to know what data Facebook is saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture,” Strafach explains. “They might respond and claim to only actually retain/save very specific limited data, and that could be true, it boils down to how much you trust Facebook’s word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granted to themselves . . . which is a startling level of carelessness in itself if that is the case.”

“Flagrant defiance of Apple’s rules”

In response to TechCrunch’s inquiry, a Facebook spokesperson confirmed it’s running the program to learn how people use their phones and other services. The spokesperson told us “Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.”

Facebook’s Research app requires Root Certificate access, which lets Facebook gather almost any piece of data transmitted by your phone

Facebook’s spokesperson claimed that the Facebook Research app was in line with Apple’s Enterprise Certificate program, but didn’t explain how in the face of evidence to the contrary. They said Facebook first launched its Research app program in 2016. They tried to liken the program to a focus group and said Nielsen and ComScore run similar programs, yet neither of those asks people to install a VPN or provide root access to the network. The spokesperson confirmed the Facebook Research program does recruit teens but also other age groups from around the world. They claimed that Onavo and Facebook Research are separate programs, but admitted the same team supports both as an explanation for why their code was so similar.

Facebook’s Research program requested users screenshot their Amazon order history to provide it with purchase data

However, Facebook’s claim that it doesn’t violate Apple’s Enterprise Certificate policy is directly contradicted by the terms of that policy. Those include that developers “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications to develop and test”. The policy also states that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers” unless under the direct supervision of employees or on company premises. Given Facebook’s customers are using the Enterprise Certificate-powered app without supervision, it appears Facebook is in violation.

Seven hours after this report was first published, Facebook updated its position and told TechCrunch that it would shut down the iOS Research app. Facebook noted that the Research app was started in 2016 and was therefore not a replacement for Onavo Protect. However, they do share similar code and could be seen as twins running in parallel. A Facebook spokesperson also provided this additional statement:

“Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear onboarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”

Facebook did not publicly promote the Research VPN itself and used intermediaries that often didn’t disclose Facebook’s involvement until users had begun the signup process. While users were given clear instructions and warnings, the program never stresses nor mentions the full extent of the data Facebook can collect through the VPN. A small fraction of the users paid may have been teens, but we stand by the newsworthiness of its choice not to exclude minors from this data collection initiative.

Facebook disobeying Apple so directly and then pulling the app could hurt their relationship. “The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want,” Strafach tells us. ONV prefixes and mentions of graph.onavo.com, “onavoApp://” and “onavoProtect://” custom URL schemes litter the app. “This is an egregious violation on many fronts, and I hope that Apple will act expeditiously in revoking the signing certificate to render the app inoperable.”

Facebook is particularly interested in what teens do on their phones as the demographic has increasingly abandoned the social network in favor of Snapchat, YouTube, and Facebook’s acquisition of Instagram. Insights into how popular Chinese video music app TikTok and meme sharing are with teens led Facebook to launch a clone called Lasso and begin developing a meme-browsing feature called LOL, TechCrunch first reported. But Facebook’s desire for data about teens riles critics at a time when the company has been battered in the press. Analysts on tomorrow’s Facebook earnings call should inquire about what other ways the company has to collect competitive intelligence now that it’s ceased to run the Research program on iOS.

Last year when Tim Cook was asked what he’d do in Mark Zuckerberg’s position in the wake of the Cambridge Analytica scandal, he said “I wouldn’t be in this situation . . . The truth is we could make a ton of money if we monetized our customer, if our customer was our product. We’ve elected not to do that.” Zuckerberg told Ezra Klein that he felt Cook’s comment was “extremely glib.”

Now it’s clear that even after Apple’s warnings and the removal of Onavo Protect, Facebook was still aggressively collecting data on its competitors via Apple’s iOS platform. “I have never seen such open and flagrant defiance of Apple’s rules by an App Store developer,” Strafach concluded. Now that Facebook has ceased the program on iOS and its Android future is uncertain, it may either have to invent new ways to surveil our behavior amidst a climate of privacy scrutiny or be left in the dark.

