Facebook, notorious for being the world’s most pervasive social media corporation, apparently decided even children need spying on. According to a new investigation published by TechCrunch, the company went as far as to pay all of their users for the use of a “Facebook Research” VPN which allowed admins to “suck in all of a user’s phone and web activity,” a clear violation of the developer policies of companies such as Apple. In the wake of this report, Apple blocked the VPN app before the company could voluntarily shut it down.
By their own admission, the world’s richest social media site has been paying users between the ages of 13 and 35 (at least on paper) around $20 per month plus referral fees to “gather data on usage habits” since as early as 2016. Cloaked from the public eye as “Project Atlas,” the spyware app sought to “decrypt and analyze” the phone activity of users across the world through “root network access” that “routes traffic back to Facebook.” By obtaining vague consent in the form of a TOS policy, the site was granted abilities ranging from taking screenshots of Amazon order histories to potentially knowing the porn their users watched.
(“Facebook’s Research program is referred to as Project Atlas on sign-up sites that don’t mention Facebook’s involvement anywhere,” wrote tech journalist Josh Constine.)
Facebook also admitted to using rat-hole beta testing services, such as Applause, BetaBound, and uTest, in order to hide direct involvement with their service. The only visible connection to the site was the app being a “Facebook Study” which, of course, has better framing than something along the lines of a Facebook Espionage Program.
TechCrunch asked Will Strafach, the security expert for the privacy app Guardian Mobile Firewall, to further investigate the website’s boundaries. “If Facebook makes full use of the level of access they are given by asking users to install the Certificate,” he stated, “they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps — including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location-tracking apps you may have installed.” The spying possibilities were virtually limitless.
Once the spyware racket was discovered by journalist Josh Constine and his fellow TechCrunch editors, Facebook provided assurances the app would be shut down on iOS in the near future. It remained up till Tuesday, when the App Store decided to pull the plug. Facebook’s research program continues to run on Android to this day. This isn’t surprising given TechCrunch also discovered that Screenwise Meter, Google’s own surveillance app, breaks the exact same iOS rules. No honor amongst Big Tech companies, I suppose.
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization,” stated an Apple spokesperson in a public statement. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute such apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
Keep in mind, Facebook is by no means a first-time offender. Before we even get into the data scandals of Cambridge Analytica and Russian-bought political memes, The Wall Street Journal reported that the company was forced to remove their eerily similar app called Onavo Protect, another VPN program which was removed from iOS for clearly violating their policies on predatory data collection. Readers should greatly reconsider where exactly their VPNs are coming from and who is pushing them before handing their privacy over to the rapaciously rich.
“Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants,” Constine writes. “Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and ‘Trust’ Facebook with root access to the data their phone transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.”
The company has continually abused ethical and legal policies behind iOS’ Enterprise Certificate program, going as far as to use the same code and references to the removed Onavo Protect, yet Facebook absurdly wants to make the argument their ability to self-regulate will solve the market’s privacy problems — while the only compensation that Big Brother grants users for the millions in profits from this surveillance is a measly $20. It’s naivety bordering on insanity. Facebook pat themselves on the back for hiring privacy experts who focus on free speech and digital rights, though clearly this is more about image than substance.
TechCrunch sources also explained Facebook’s misuse of their Enterprise Certificate violates their own privacy policies on Facebook and Instagram. This means that if we’re enforcing the rules justly, it should result in their termination from iOS entirely — though that is unlikely due to the monopolistic power behind their enterprise. Instead, the tech companies are fighting it out amongst themselves behind closed doors without public transparency. “That’s causing mayhem at Facebook,” Constine wrote, “disrupting their daily workflow and ability to do product development… the disruption will translate into a huge loss of productivity for Facebook’s 33,000 employees.”
“It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture,” Strafach told the publication. “They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook’s word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves . . . which is a startling level of carelessness in itself if that is the case.”