‘Appalling’: Facebook paying teens to spy on their phones
Project Atlas is an apparent effort to gather information about the social media giant's competitors
Facebook has been paying teenagers £15 (R267) per month to give it complete access to their smartphones, including their e-mails, their browsing habits and their private messages in other apps.
An investigation by TechCrunch found that the social media giant enlisted users between 13 and 35 to install an app that continuously snooped on their behaviour in an apparent effort to gather information about its competitors.
The scheme, reportedly known as Project Atlas, appears to have been deliberately crafted to downplay Facebook’s involvement and to circumvent Apple’s app store, which banned a similar Facebook app last year for being too invasive.
A security expert who aided the investigation described the level of access granted by the app as “appalling”, saying it was so extensive as to render getting the informed consent of underaged users almost impossible.
What Facebook knows about you
After the programme’s existence became public, Facebook tried to defend it but said it had been stopped on all Apple devices, without saying why.
When this publication tried to sign up on Wednesday morning, it was met with the message: “We are currently not accepting any new participants in our research programme.”
The project indicates just how far Facebook is willing to go to collect data on its rivals, threatening to reignite controversy over its privacy practices as well as further damage its testy relations with Apple. The age range of the participants also suggests that Facebook is deeply concerned about monitoring the online behaviour of teenagers and young people, whom some research shows are deserting its main app.
According to TechCrunch, users were recruited through three third-party beta testing services which offer rewards for testing new products and whose sign-up pages made only limited mention of Facebook’s involvement. They were then asked to download and an app named Facebook Research and to give it sweeping permission to snoop on their activity.
Will Strafach, a security researcher who investigated the app for Techcrunch, said: “The fairly technical-sounding ‘install our Root Certificate’ step is appalling. This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”
He said it was difficult to know how much of this data Facebook was actually gathering, but that the “most charitable” interpretation of its actions was that it had displayed “a startling level of carelessness”.
In addition to monitoring activity, the app asked users to take screenshots of their Amazon orders page, effectively enlisting minors as secret shoppers to gather information normally accessible only to Amazon.
The beta testing services offered extra money to users willing to recruit their friends. Facebook Research, Strafach claimed, appears to be a renewed version of Onavo, another Facebook-owned app which promises to “keep you and your data safe” but sends information back to Facebook about what apps people are using and how much time they are spending on each one.
He said both apps contained some of the same code. Leaked documents show that data from Onavo allowed Facebook to see how the encrypted chat app WhatsApp was beating its own apps in many respects, mere months before Facebook bought WhatsApp for almost £15bn.
Onavo was banned from the iPhone app store in 2018, but Facebook Research was able to bypass the store by asking users to download it through Apple’s enterprise software programme, which is only supposed to be used by businesses to distribute special apps to their employees. Apple’s terms of service for that programme stipulate that such apps be distributed only to a company’s employees, and should only be used by customers under employees’ supervision and on company premises.
“This is the most defiant behaviour I have ever seen by an app store developer,” Strafach said. “I still don’t know how to best articulate how absolutely floored I am by Facebook thinking they can get away with this.”
Apple did not respond to a request to comment on whether it would take action against Facebook Research.
A Facebook spokesperson pushed back against some aspects of TechCrunch’s investigation but did not dispute its main findings. “Key facts about this market research programme are being ignored,” she said. “Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App.
“It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission, and were paid to participate.
“Finally, less than 5% of the people who chose to participate in this market research programme were teens – all of them with signed parental consent forms.”
The spokesperson said Facebook Research was not a replacement for Onavo because the new programme began in 2016, two years before Onavo was removed from Apple’s app store.
It is unclear whether Facebook actually obtained the signatures of teenagers’ parents. When this publication tried to sign up as an underage user via a beta-testing service called Applause, it was only asked to tick a box and enter an e-mail address.
In earlier statements the company sought to emphasise that the data gathered by Facebook Research was not shared with other companies, and sought to liken it to other market research programmes which do not ask the same kind of access to users’ phones.
The revelation came after Facebook hired three well-known pro-privacy activists to advocate for change within the company, part of a broader hiring spree of lobbyists and policy experts under its new head of global affairs, Sir Nick Clegg.
– © The Daily Telegraph