Facebook Paying Teens $20/Month to Install Data Harvesting VPN App on iPhones

Apple in August 2018 forced Facebook to remove its Onavo VPN app from the App Store, because Facebook was using it to track user activity and data across multiple apps, something that violates Apple's App Store policies.

As it turns out, Facebook has found an underhanded way to skirt Apple's rules and get people to continue installing its VPN -- paying them.


TechCrunch this afternoon exposed Facebook's "Project Atlas" program, in which Facebook paid people -- adults and teenagers -- to install a "Facebook Research" VPN that is similar to the Onavo VPN app.

Since 2016, Facebook has been secretly offering people aged 13 to 35 up to $20 per month along with referral fees to sideload the Facebook Research app using an enterprise certificate on iPhone. Enterprise certificates like this are designed to allow companies to distribute internal corporate apps and give full root access to a device.

To hide its involvement, Facebook has been using beta testing services like Applause, BetaBound and uTest to recruit participants to install Facebook Research.

By getting people to sideload an app this way through an enterprise certificate, Facebook has access to data that includes private messages in social media apps, chats from instant messaging apps (including photos and videos), emails, web searches, web browsing activity, and ongoing location information. It's not clear if Facebook is accessing this data, but it could, according to security researcher Will Strafach, whom TechCrunch consulted for this piece.

"The fairly technical sounding 'install our Root Certificate' step is appalling," Strafach tells us. "This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this."

The terms of service for the Facebook Research app suggest Facebook was collecting information about the smartphone apps on a participant's phone and how and when those apps are used. Facebook also said it would collect data about activities and content within the apps, and information about internet browsing history. There's even a line suggesting Facebook collects data when an app uses encryption or from within a secure browser session.

Facebook confirmed the program in a statement provided to TechCrunch and reportedly said that the Facebook Research app was "in line with Apple's Enterprise Certificate program," though that does not seem to be the case based on Apple's Enterprise Certificate policy.

"Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we've provided extensive information about the type of data we collect and how they can participate. We don't share this information with others and people can stop participating at any time."

Apple has been made aware of the issue, but declined to provide a comment to TechCrunch. It's not clear how the Cupertino company will handle the situation, but as TechCrunch points out, Apple CEO Tim Cook has been highly critical of Facebook and its privacy violations. Apple could potentially block the Facebook Research app or revoke Facebook's permission to distribute internal apps entirely.

Full details on Facebook's spying app can be found in TechCrunch's exposé.



Top Rated Comments

8 months ago
Facebook is garbage.
Rating: 42 Votes
8 months ago
What moron sells all their personal data for at most $20/month. Good lord people are dumb.
Rating: 35 Votes
8 months ago
Wow, when will people realize how truly evil Facebook really is.

Apple should make an example of them and ban their app, at least temporarily.
Rating: 34 Votes
8 months ago
Mark, Mark, Mark, Mark, Mark. Do you even know what the "P" in VPN stands for? Private. You've made a data-harvesting virtual private network. That doesn't compute!

Rating: 27 Votes
8 months ago
Facebook should be paying me $20/month to use Facebook at all for the amount of $$$ they made off of my data.
Rating: 24 Votes
8 months ago
I am sick of these companies and all this garbage they are pulling! Especially, Facebook.
Rating: 22 Votes
8 months ago
Woooooow. So glad I stopped using that crap years ago. I recall reading Facebook could get all your browsing history just by having a tab open....insanity.

Rating: 21 Votes
8 months ago
Call me crazy but this sounds like fraud or misrepresentation in the service of user spying or surveillance.
Rating: 17 Votes
8 months ago

What moron sells all their personal data for at most $20/month. Good lord people are dumb.

A moron who's smart enough to reactivate an old iPhone as a "burner" on a cheap prepaid plan and fill it with useless data and pocket $20/month. I think TMO has a very cheap $3-5 prepaid plan. And because iPhones use iMessage, you won't lose out on the limited text amount or minutes. Netting $15 a month may not seem much, but when you're doing it and screwing over Facebook by submitting dud data, then it's somewhat clever. $180/year for doing practically nothing isn't bad.
Rating: 16 Votes
8 months ago

Facebook is garbage.

Zuckerberg is evil.
Rating: 16 Votes