Facebook Shuts Down iOS Version of Data-Sucking VPN After Damning Report

Social platform is still paying Android users to mine their personal data


Facebook has shut down the iOS version of a Facebook app that had allowed the social media giant to spy on young mobile phone users in exchange for cash—but the company will continue to pay young people who use Android devices in exchange for their detailed mobile phone and web browsing activity.

The decision comes after a damning report from TechCrunch finding that since 2016, the social media company had paid young people to sign away virtually all details of their mobile phone and web activity to Facebook in exchange for up to $20 a month. The app, called “Facebook Research,” gives Facebook the ability to track all of the users’ phone activity, including the contents of private messages, photos and videos on the device and specific location data.

Some of those mobile phone users involved in the project were as young as 13 years old, TechCrunch found.

After the report, Apple issued a statement slamming Facebook for violating its rules and revoked Facebook’s enterprise developer credentials that allowed the app to function, a move that today affected versions of apps used internally by Facebook employees.

Facebook confirmed today that the iOS version of the app would shut down. In a statement to Adweek, the company defended the program and argued that the program didn’t count as spying because users agreed to it.

“Key facts about this market research program are being ignored,” a Facebook spokesperson said in a statement. “Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App.”

The spokesperson also claimed the app wasn’t “spying,” as “all of the people who signed up to participate went through a clear onboarding process asking for their permission and were paid to participate,” adding that “less than 5 percent of people who chose to participate” were teenagers.

The spokesperson did not respond to additional questions about how many people had given Facebook permission to access all of the information on their phones, or how many Android users will continue to give Facebook access to their mobile phone data. A spokesperson for Google declined to offer an on-the-record comment.

According to TechCrunch, Facebook buried its data-sucking app in beta testing programs like Applause, BetaBound and uTest and did not make the app available through Apple’s App Store or through Apple’s official beta testing program. Users who downloaded the testing apps and agreed to participate in a “paid social media research study” in exchange for gift cards were, upon signing up, prompted to allow their phone to trust Facebook’s root certificate system—handing Facebook full access to the users’ device and all of the data that comes with it, including personal messages and emails, location data and internet search history.

Under Apple’s rules, developers are only to use the root certificate system for internal corporate apps. An Apple spokesperson said today that Facebook had violated its policies and that Apple had revoked Facebook’s developer privilege, meaning the company will no longer be able to use the root certificate system. That move effectively rendered Facebook Research nonfunctional.

“Facebook Research” is similar to another app that Facebook built, called “Onavo Protect,” which Apple’s App Store banned in June 2018 after it violated Apple’s policies.

Facebook acquired Onavo, a VPN app that monitors users’ mobile activity, in 2014 and has leveraged it to learn about web habits. According to an analysis from TechCrunch, Onavo and Facebook Research have similar lines of code; Facebook told TechCrunch the apps are separate but maintained by the same team.

Facebook has built a less-than-stellar track record in protecting and respecting user privacy. Last week, the Center for Investigative Reporting’s Reveal News reported that Facebook was knowingly letting children rack up charges on their parents’ credit cards—sometimes when the children didn’t know they were spending money—and then refusing to issue refunds. And just this week, Facebook changed its code to block reporting and transparency tools that were tracking the opaque world of targeted advertising on the social media platform.

The latest revelation did not prompt another round of goodwill from industry watchers.

“Once again, Facebook has been exposed for putting profits before people, and for the second time in a week, it is kids who are being harmed,” said James Steyer, CEO of advocacy group Common Sense Media. “The company’s manipulative tactics and desire to gather every waking thought about its users at any cost is unacceptable.”

Shane Green, the CEO of the data-sharing platform Digi.me and the co-founder of the data monetization program Ubdi, said Apple’s move to revoke Facebook’s enterprise developer license was a big deal.

“This is the official beginning of the data and privacy wars,” Green said. “We’ve had some serious skirmishes already, but the gloves are coming off now—and the stakes couldn’t be bigger.”

Kelsey Sutton is the streaming editor at Adweek, where she covers the business of streaming television.