In a stunning revelation, Facebook has admitted to secretly paying people to install a Facebook Research VPN app which allows the company to monitor all online activity and smartphone data. The core problem with the VPN app is that it requires the user to install a root certificate; once the device trusts that certificate, traffic routed through the VPN can be inspected even when it is encrypted. Like with other free VPNs, this allows Facebook to collect sensitive personal information, including encrypted data from multiple sources.

In 2018, Facebook was running the Onavo Protect app which behaved in a similar fashion. Apple was vehemently opposed to it and promptly banned the Onavo Protect app from the App Store, citing privacy concerns. The Onavo VPN app remained on the Google Play store until February 2019.

A security consultant with TechCrunch stated that very little separated the Onavo Protect app from the Facebook Research VPN app. Most features of the apps are similar, with the only difference being the user interface. After the Onavo debacle, Facebook switched gears and ran the new Facebook Research VPN app. Facebook was paying teens and adults (13 – 35 years old) up to $20 monthly in addition to referral fees to download and install the Android or iOS Research app for data gathering purposes.

In addition, Facebook requested screenshots of users’ purchasing activity on Amazon. Facebook has been running the Research app since 2016, and since mid-2018 it has been referred to as Project Atlas. Various testing services were used to promote the app, including uTest, BetaBound, and Applause. Facebook’s involvement was largely shielded from users; it wasn’t until people actually downloaded and installed the app that Facebook’s name appeared.

$20 Gift Cards for Users 13 – 35 for Installing the Facebook Research App

Users of Facebook’s Research app were paid $20 per month in the form of gift cards for virtually unlimited access to iPhone data. It remains unclear precisely what data is used by Facebook. What is known is that Facebook uses the data for market research.

Previously, Facebook used the Onavo Protect VPN service to identify competing apps and then clone them. With the Facebook Research App, things are a little different. For starters, users must install the root certificate first. This gives Facebook unimpeded access to personal communications, browsing activity, and email content.

Facebook has shied away from many hard questions in this regard. For example, why is it that the Onavo Protect VPN service which was pulled is almost identical to the Facebook Research App? The only notable difference is the UI.

The Onavo Protect VPN Service

In 2018, Facebook promoted the Onavo app in a ‘Protect Bookmark’ of the primary Facebook app. It also released the Onavo Bolt app.

To date, the Onavo app has been installed over 10 million times at the Google Play Store. Stunning revelations about the extent of the Onavo Protect VPN service surfaced in March 2018. Apparently, the Onavo Protect VPN Service fed data to Facebook whenever the user’s screen was turned on/off. The app also reported cellular data usage and Wi-Fi usage after the app was turned off.

Driven by an insatiable appetite for data, Facebook continued its hidden data collection practices. It was later learned that Facebook had sidestepped the app stores and was paying users to download a VPN app under the guise of Facebook Research. TechCrunch investigators learned that Facebook was using three beta testing services to distribute the app in 2016.

These include Applause, uTest, and BetaBound. Otherwise known as Project Atlas, this clandestine activity was in response to the backlash against the Onavo Protect fiasco. Facebook ran a similar project known as Project Kodiak, so these practices are nothing new for the social media giant.

Facebook Uses Third Party Services to Run Research

The Facebook Research App requires parental consent when minors are involved. While there are no risks, users must agree to have all of their online data, communications, location history, and messaging apps tracked by Facebook. The company – Facebook Inc – agreed to compensate users for their participation with $20 gift cards.

The site administering the social media research study – Applause – explained what type of data the Facebook Research App was gathering and what users must agree to:

  • Agreeing to allow the app to collect important smartphone data.
  • Agreeing to allow the app to track all apps and activities on your phone.
  • Agreeing to allow the app to collect information about your internet browsing.

The app instruction manual indicates that users can download the Facebook Research App from r.facebook-program.com. An enterprise developer certificate and a VPN must be installed. Users are required to trust Facebook’s certificate, which in effect grants the company access to all smartphone data.
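To make concrete why the root certificate requirement described above matters, here is an added shell example (not Facebook’s or Apple’s code) that uses the openssl command-line tool to create a hypothetical “research” root CA, sign a certificate for a hostname that CA operator does not own, and show that the certificate verifies only once that root is trusted. It assumes openssl is installed; every name in it is constructed for illustration.

```shell
#!/bin/sh
# Constructed demonstration: a device that trusts an extra root certificate will
# accept certificates for any hostname that the root's owner chooses to sign.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The hypothetical root CA a user would be asked to install and trust.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Research Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# 2. A leaf certificate for a site the CA owner does not control, signed by that root.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=mail.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# Returns 0 when the leaf chains to the added root: a device trusting that root
# would accept this certificate for mail.example.com, so TLS can be intercepted.
verify_with_extra_root() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Returns non-zero with the normal trust store: no public CA issued this chain,
# so a device without the extra root rejects the same certificate.
verify_with_system_store() {
  openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

if verify_with_extra_root; then
  echo "with extra root trusted: certificate for mail.example.com ACCEPTED"
fi
if ! verify_with_system_store; then
  echo "with system trust store only: certificate for mail.example.com REJECTED"
fi
```

The same check, run against a device’s trust store, is how a defender confirms whether a non-public root has been added.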

Apple’s position is that developers may only use the enterprise certificate system to distribute internal corporate apps to employees. Randomly recruiting testers and paying them a monthly fee is deemed a violation of that rule.

Facebook’s Fingerprint is All Over This One

Facebook used the Applause-administered program to determine buying behavior on Amazon and other e-commerce sites. Facebook tied browsing behavior to purchase preferences in order to develop effective ads based on user preferences.

Research expert Strafach stated that the data collected by the Facebook Research App was being sent to vpn-sjc1.v.facebook-program.com. MarkMonitor confirms that the IP address is registered to Facebook. The self-updating app is tied to this email address: [email protected].

It is concerning that nobody – besides Facebook – is fully aware of what information is being saved through the app. It is also clear that Facebook can access a wealth of data and analytics via the Facebook Research App. That Facebook unilaterally decided to grant itself access to personal information is troubling to many privacy advocates.

Facebook Snooping Stopped by Apple

The TechCrunch report which broke the story was met with resistance by the social media juggernaut. Facebook denied violating Apple’s T&C. Soon after, though, Facebook pulled the plug and agreed to shutter the iOS Research app. In its defense, Facebook argued that user agreements confirm that users agreed to be tracked for a fee of $20 per month. The counter-argument is that many people simply had no clue what they were agreeing to by allowing Facebook to collect all of that data.

An Apple spokesperson commented on Facebook’s Research app:

‘We designed our enterprise developer program solely for the internal distribution of apps within an organization… Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificate to distribute apps to consumers will have their certificate revoked, which is what we did in this case to protect our users and their data.’

Facebook CEO Mark Zuckerberg tried to assuage users. He stated that Facebook is not in the business of selling people’s personal information. Zuckerberg claims that Facebook uses the data to provide relevant ads, which in turn keep Facebook free of subscription fees.

The intrusive nature of the Facebook Research App grants the company access to extremely sensitive personal information. For example, the Facebook Research App can collect data from instant messaging applications, private messaging in social media, internet searches, online browsing activity, location monitoring, and more.

Unfortunately for users who downloaded the app, the reality is that they were likely subject to unlimited tracking.

Will Facebook Stop at Nothing to Remain a Market Leader?

Apple CEO Tim Cook has chastised Facebook for its data collection activities in the past, and the latest snafu is sure to inflame tensions between the two tech giants. Meanwhile, Facebook is moving full steam ahead to unify its three messaging apps – WhatsApp, Instagram and Messenger – with a total user base of 2.6 billion.

Any thoughts of these messaging services functioning independently have gone up in smoke.

As for the Facebook Research App, the company bypassed the App Store and crafted a way for users to sideload the app. That Facebook is apparently dismissive of Apple’s privacy protections is a concern. Many tech aficionados believe that Facebook thinks it’s too big to fail. If this is the case only statutory actions will be able to force a change in the company’s behavior.

Is the Facebook Research App Compliant with the App Store Rules?

Apple maintains that the Research App is in violation of Apple’s code of conduct. Facebook believes that it is operating above board. Both factions are digging in their heels. Facebook lists the type of data they are collecting, albeit buried within the terms and conditions of use.

According to Facebook, the information it gleans is securely stored and not shared with anyone. Facebook reiterated that it believes the app is compliant with Apple’s Enterprise Certificate Program and likened it to programs run by market research firms like ComScore and Nielsen.

The evidence suggests that Facebook is in violation of Apple’s Enterprise Certificate Policy. For example, the employee-only distribution clause is not being adhered to. Apple’s code of conduct states that Internal Use Applications may only be used with customers when they are administered on company premises. Since the paid participants are not under any such company oversight or supervision, Apple’s Enterprise Certificate terms are likely being violated.

In Facebook’s defense, the name of the app – Facebook Research App – is self-explanatory.

While few people understand what Facebook is collecting for the research, many people simply believe that Facebook switched from Onavo to the current app. Facebook wants to gather data to understand digital culture, like why Snapchat is so popular among millennials, or why Instagram and YouTube are preferred to Facebook.

The Bottom Line

Facebook finds itself juggling many priorities at this point. The company should be focused on rebuilding its battered image, not being ensnared in another legal wrangle. Facebook finds itself on a slippery slope with privacy concerns mounting.

In the online arena, data is like pure gold; people are willing to lie, cheat and steal to get it. The tech titans are continually combing the internet in search of analytics to improve their online offerings, dig deeper and spread their influence further. It’s a veritable customer mining operation that seems unlikely to stop anytime soon.