Apple says Facebook can no longer distribute an app that paid users, including teenagers, to extensively track their phone and web use.
In doing so, Apple closed off Facebook’s efforts to sidestep Apple’s app store and its tighter rules on privacy.
The tech blog TechCrunch reported late Tuesday that Facebook paid people about $20 a month to use the Facebook Research app. While Facebook says this was done with permission, the company has a history of defining “permission” loosely and obscuring what data it collects.
READ MORE: Facebook reportedly plans to deepen data sharing between Messenger, Instagram, WhatsApp
“I don’t think they make it very clear to users precisely what level of access they were granting when they gave permission,” mobile app security researcher Will Strafach said Wednesday. “There is simply no way the users understood this.”
He said Facebook’s claim that users understood the scope of data collection was “muddying the waters.”
Facebook says fewer than 5 percent of the app’s users were teens and they had parental permission. Nonetheless, the revelation is yet another blemish on Facebook’s track record on privacy and could invite further regulatory scrutiny.
WATCH: Apple glitch allows users to eavesdrop through ‘FaceTime’
And it comes less than a week after court documents revealed that Facebook allowed children to rack up huge bills on digital games and that it rejected recommendations for addressing it for fear of hurting revenue growth.
For now, the app appears to be available for Android phones, though not through Google’s main app store. Google had no comment Wednesday.
Apple said Facebook was distributing Facebook Research through an internal-distribution mechanism meant for company employees, not outsiders. Apple has revoked that capability.
Facebook is still permitted to distribute apps through Apple’s app store, though such apps are reviewed by Apple ahead of time. And Apple’s move Wednesday restricts Facebook’s ability to test those apps — including core apps such as Facebook and Instagram — before they are released through the app store.
Facebook previously pulled an app called Onavo Protect from Apple’s app store because of its stricter requirements. But Strafach, who dismantled the Facebook Research app on TechCrunch’s behalf, told The Associated Press that it was mostly Onavo repackaged and rebranded, as the two apps shared about 98 percent of their code.
WATCH: Facebook says it had consent to share users’ data, messages with other companies
As of Wednesday, a disclosure form on Betabound, one of the services that distributed Facebook Research, informed prospective users that by installing Facebook Research, they are letting Facebook collect a range of data. This includes information on apps users have installed, when they use them and what they do on them. Information is also collected on how other people interact with users and their content within those apps, according to the disclosure.
Betabound warned that Facebook may collect information even when an app or web browser uses encryption.
Strafach said emails, social media activities, private messages and just about anything else could be intercepted. He said the only data absolutely safe from snooping are from services, such as Signal and Apple’s iMessages, that fully encrypt messages prior to transmission, a method known as end-to-end encryption.
READ MORE: Facebook denies that ’10 year challenge’ is a ploy to collect facial recognition data
Strafach, who is CEO of Guardian Mobile Firewall, said he was aghast to discover Facebook caught red-handed violating Apple’s trust.
He said such traffic-capturing tools are only supposed to be for trusted partners to use internally. Instead, he said Facebook was scooping up all incoming and outgoing data traffic from unwitting members of the public — in an app geared toward teenagers.
“This is very flagrantly not allowed,” Strafach said. “It’s mind-blowing how defiant Facebook was acting.”
Comments