Apple and Facebook Clash Over User Data Collection Scandal

Journalists from TechCrunch have published the results of their own investigation, revealing that Facebook created apps to collect user data. According to the report, the social network developed a VPN app called Facebook Research, which monitored all activity on a user’s mobile device and installed its own root certificate. Previously, similar activity was discovered in the VPN app Onavo Protect, which Apple banned in June of the previous year, prompting a review of its policies regarding such apps.

Since 2016, Facebook offered iOS and Android users (ages 13 to 35) up to $20 per month in gift cards, along with various bonuses for referring friends. To receive these rewards, users simply had to install a special app on their device and keep it running in the background. Participants were also asked to take screenshots of their Amazon orders. The app was distributed through beta testing services like Applause, BetaBound, and uTest to conceal Facebook’s involvement, and in some documents, it was referred to as Project Atlas.

Facebook Research was actively promoted on Instagram and Snapchat, mainly targeting users aged 13 to 17 (parental consent was required for minors). Users were invited to participate in a “paid social media research study.” To be fair, while Facebook was not mentioned on the Applause page until the end, users were informed that the app would access a wide range of data.

What Data Did Facebook Collect?

In practice, the app could access almost any information on the device: private messages in messengers and social media (including photos and videos), emails, search history, browsing activity, and location data (if the user interacted with any other location-tracking app). It’s unclear exactly what data Facebook collected (since this can’t be determined without access to the company’s servers), but researchers emphasized that the app had virtually unlimited access and could theoretically do anything. It is known that the collected data was sent to vpn-sjc1.v.facebook-program.com, previously linked to Onavo. Worse, the app could update itself without going through the App Store.

Facebook’s Response

Facebook commented on the investigation as follows:

“Like many other companies, we invite people to participate in research that helps us determine what we can improve. Since this research is aimed at helping Facebook better understand how people use their mobile devices, we provide users with detailed information about what data will be collected and how it will be used. We do not share this data with others, and users can leave the program at any time.”

Conflict with Apple

Interestingly, immediately after the investigation was published, Facebook representatives claimed that Facebook Research did not violate Apple’s enterprise certificate terms, and that there was no connection between Onavo and Facebook Research. However, TechCrunch journalists pointed out that these statements directly contradicted Apple’s rules. Apps signed with enterprise certificates are only allowed for internal company use. Just seven hours after the article was published, Facebook abruptly changed its stance and quickly shut down Facebook Research for iOS (Apple later stated that it had already banned the app before this). The company again emphasized that the app was not “spying” on anyone, that users were fully informed about the data collection, and that all participants knew what they were signing up for.

It’s hardly surprising that Apple representatives were deeply displeased with Facebook’s behavior, especially since Tim Cook has repeatedly criticized the social network for collecting user data. As a result, Apple revoked Facebook’s enterprise certificate entirely. This reportedly “broke” apps used internally by 33,000 Facebook employees, including beta versions of Facebook and Instagram, as well as tools for managing various office tasks.

Apple issued the following statement:

“Our Enterprise Developer Program is designed solely for internal distribution of apps within an organization. Facebook used its membership in the program to distribute apps that collect user information, which is a direct violation of our agreements with Apple. Any developer using enterprise certificates to distribute apps to consumers will have their certificates revoked, as we did in this case to protect our users and their data.”

What About Google?

Google representatives have not yet commented on the situation surrounding Facebook Research. However, it was also revealed that Google has engaged in similar practices with iOS users. Researchers discovered the Screenwise Meter app, which has existed since 2012. It was also used to study user behavior for those aged 13 and older (parental consent was required for those under 18), and participants were rewarded with gift cards. The problem is that Screenwise Meter was also signed with an enterprise certificate.

When TechCrunch journalists contacted Google for comment, the company assured them that it would immediately disable the app on iOS devices and remove it from the Enterprise Developer Program, stating that the use of the enterprise certificate was a mistake.
