Facebook is paying teens to install VPN app that collects user data


According to a recent report, Facebook is paying teenagers to install a “Research” app, which secretly tracks user activity and collects data on them.

Companies like Facebook need user data, usage habits, activities and other statistics to target ads, improve and develop services or products, and stay one step ahead of their competition. However, almost all these companies cross the moral and ethical line due to their greed to increase their revenue. And it turns out Facebook is also one of these companies.

Last year, Facebook, in its own twisted greed to collect more user data, launched a pseudo-VPN service called “Onavo VPN” that collects user data under the pretext of protecting users’ privacy. Fortunately, it was found and removed from the App Store.

Now, hungry for more data, the company has reached a new low by paying users $20 per month to use its VPN service. Facebook is targeting teens to install an app via third-party beta testing services, in possible violation of Apple’s rules for enterprise developers.

As per the report by TechCrunch, Facebook asks users to install its “Facebook Research” VPN app on their device. During the installation process, the user ends up giving access to their phone data and browsing history in exchange for $20/month.

Since Onavo was banned on the App Store, Facebook uses an installation process that completely bypasses the App Store by using beta testing services like Applause, BetaBound, and uTest.

The beta programs make a generic claim of collecting data on what apps are installed on the phone and the user’s browsing activity. However, TechCrunch says that further analysis revealed that it was an all-encompassing permission to gather private messages in other apps, videos and pictures shared, emails, and more. In other words, anything and everything that could be submitted to Facebook, the Facebook Research app submitted.

It looks like a simple opt-in where users willingly share their data for money. However, the catch is that the program targets users 13-35 years of age, but really mostly the 13-17 bracket. This makes teenagers its target audience.

To entice users to join the research program, Facebook has been running ads for “Project Atlas” on Instagram and Snapchat. The ad says it is looking for teenagers aged 13-17 for a “paid social media research study”.

Interestingly, the company managed to keep its name hidden throughout the entire beta process. The sign-up page for the Research VPN app does not mention Facebook anywhere either. It is only when someone under 18 tries to join the program that a form seeking the required permissions from their parents reveals Facebook’s involvement.

If minors try to sign up, they’re asked to get their parents’ permission with a form that reveals Facebook’s involvement and says “There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of apps. You will be compensated by Applause for your child’s participation”.

Teenagers usually have tighter budgets and the offer from Facebook looks good to them. However, they may not fully understand what they are handing over and the repercussions of their consent. For them, it is just an easy $20 per month. What makes it even worse is that Facebook is asking some users to go to their Amazon account and upload a screenshot of their order history.

Applause, one of the third-party beta testing services used by Facebook, wrote that once the so-called “research program” is installed, it will collect data “even where the app uses encryption, or from within secure browser sessions”.

This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.

To install the app, Facebook asks users to install an Enterprise Developer Certificate and VPN and then “trust” Facebook with root access to the data their phone transmits.

“If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed,” Guardian Mobile Firewall security researcher Will Strafach told TechCrunch.

As per Apple’s guidelines, developers can only use this certificate for internal testing of corporate apps, so Facebook is clearly not adhering to that rule here.

The app requests permissions that would allow the company to suck up pretty much any data it wants from an iOS or Android device, from private messages and photos to web browsing habits.

Moreover, the app seems to share its code with the now-banned Onavo app. It contains much of the same code as Onavo, sends data to Onavo-associated IP addresses, and contains numerous sections of code that appear to be lifted directly from Onavo. However, from outside the company, it is impossible to tell what Facebook is actually downloading from users.

When TechCrunch contacted Facebook, the company replied that it did not violate Apple policies (without getting into any specifics). It also told the site that the commonalities between Onavo and the newer app are because both were built by the same team, compared the program to a Nielsen-like focus group, and said it had no plans to stop.

If their claim is true, then it raises another question: why did the company not make use of Apple’s official TestFlight beta testing platform?

While it is unethical, we can understand why the company is hell-bent on pushing this Onavo clone. A 2017 Wall Street Journal article detailed that data from Onavo played a critical role in many of Facebook’s business decisions, including the company’s 2014 acquisition of WhatsApp.

The company also wants to monitor teens, because they are easily exploited and many reports have suggested that they are leaving the platform in large numbers and engaging more with its subsidiary Instagram as well as competitors like YouTube and Snapchat.

As usual, Facebook promises it does not misuse data users have entrusted (mostly unknowingly) to it, but Facebook made a lot of promises it failed to keep. Also, it says it is not spying on users as all of the people who signed up to participate went through a clear onboarding process asking for their permission and were paid to participate. I do not know about others, but I feel it is still immoral to collect private data from teens.

Make sure to read the full report from TechCrunch by hitting the source link below as it provides an incredibly detailed picture of Facebook’s shady practices.

While we can keep discussing the ethics and morality of data collection, it always comes down to one question: How much does your privacy cost? For some, it is priceless, while some will happily trade it for free services and others seem happy to trade it for actual money.

What about you? How much is your privacy worth? Please leave your thoughts in the comments.



Edward Ramamoorthy

I work in one of the top 10 tech companies in India. In my spare time I write for PrimeInspiration.com


You are free to copy and redistribute this article in any medium or format, as long as you keep the links in the article or provide a link back to this page.
