It turns out that Facebook is paying teenagers around $20 a month to use its VPN app that aggressively monitors their smartphone and web activity and then sends it back to Facebook.
The social media giant was previously caught collecting some of this data through Onavo Protect, a Virtual Private Network (VPN) service that it acquired in 2013.
However, the company was forced to pull that app from the App Store in August 2018 after Apple found that Facebook was using the VPN service to track its users' activity and data across multiple apps, which violated the App Store guidelines on data collection.
In effect, Onavo Protect had become a data-collection tool that let Facebook track smartphone users' activity across many different apps and learn how Facebook users used third-party apps.
Facebook's Paid Market Research
Now, according to a report published by TechCrunch, Facebook has gone further than collecting some data on its users: since at least 2016 it has run a similar program under an app called "Facebook Research" for iOS and Android.
In some documentation, this program has been referred to as "Project Atlas." Facebook has also confirmed the existence of the app to the publication.
The report said the company has been paying people aged between 13 and 35 as much as $20 per month, plus referral fees, in exchange for installing Facebook Research on their iPhone or Android devices, describing it as a "paid social media research study."
The app is not distributed through any app store. Instead, Facebook has been using third-party beta-testing services (Applause, BetaBound and uTest) that run ads on Instagram and Snapchat recruiting participants to install Facebook Research.
Facebook Research App Collects Troves of User Data
The app is sideloaded under Facebook's enterprise certificate and requires users to install a custom root certificate. Once a device trusts that root certificate, traffic routed through the app's VPN can be decrypted by whoever operates it, so this level of access can expose users' private messages in social media apps, chats in instant-messaging apps that are not end-to-end encrypted, emails, web searches, web browsing activity and continuous location data.
It is not clear whether Facebook actually collects all of this data, but it could if it wanted to, according to security researcher Will Strafach, whom the publication commissioned to examine the app.
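To make the mechanism concrete, here is an added example that is not part of the original report: a small inspector for an iOS configuration profile (the .mobileconfig plist through which root certificates and VPN settings are typically pushed to a device). It flags the combination that makes TLS interception possible, a VPN payload together with a root certificate the device will trust. The two sample profiles are constructed for this example and the vendor name is made up; the PayloadType strings are Apple's documented identifiers.

```python
"""Flag iOS configuration profiles that install both a VPN and a root CA.

Added example, not from the article. A profile carrying both payloads gives
its operator the ability to terminate TLS on the traffic it routes, which is
the capability the article describes. Sample profiles below are constructed.
"""
import plistlib

# Apple PayloadType identifiers (Configuration Profile Reference).
ROOT_CERT_PAYLOADS = {"com.apple.security.root"}
VPN_PAYLOADS = {"com.apple.vpn.managed"}

# Constructed sample: VPN plus a root certificate, from a made-up vendor.
RESEARCH_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadOrganization</key><string>Example Research Vendor</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Research VPN</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadCertificateFileName</key><string>root.cer</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample: a benign profile that only configures Wi-Fi.
WIFI_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadOrganization</key><string>Example Employer</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>corp-wifi</string>
    </dict>
  </array>
</dict>
</plist>
"""


def payload_types(profile: dict) -> list:
    """Return the PayloadType of every payload in the profile, in order.

    A profile with no PayloadContent installs nothing, so the list is empty.
    """
    return [p.get("PayloadType", "") for p in profile.get("PayloadContent", [])]


def assess_profile(profile_bytes: bytes) -> dict:
    """Parse a .mobileconfig and report what it installs and what that enables."""
    profile = plistlib.loads(profile_bytes)
    types = payload_types(profile)
    installs_root_ca = any(t in ROOT_CERT_PAYLOADS for t in types)
    installs_vpn = any(t in VPN_PAYLOADS for t in types)
    return {
        "organization": profile.get("PayloadOrganization", ""),
        "payload_types": types,
        "installs_root_ca": installs_root_ca,
        "installs_vpn": installs_vpn,
        # Only the combination lets the operator both route and decrypt traffic.
        "can_intercept_tls": installs_root_ca and installs_vpn,
    }


if __name__ == "__main__":
    for name, blob in (("research", RESEARCH_PROFILE), ("wifi", WIFI_PROFILE)):
        report = assess_profile(blob)
        print(f"{name}: {report['organization']} -> "
              f"payloads={report['payload_types']} "
              f"can_intercept_tls={report['can_intercept_tls']}")
```

The check reports capability, not confirmed interception: on iOS 10.3 and later a root certificate installed through a profile still has to be switched on manually under Certificate Trust Settings before the system trusts it for TLS, and a root certificate on its own (without a VPN or proxy payload to route traffic) does not give the profile's operator anything to decrypt.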
In some instances, the Facebook Research app also asked users to take screenshots of their Amazon order histories and send them back to Facebook.
According to the Facebook Research's terms of service, installing the app gives the company permission to collect information about other mobile apps on a participant's smartphone as well as how and when those apps are used.
"This means you are letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps," the terms read.
"You're also letting our client collect information about your internet browsing activity (including the websites you visit and data exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions."
Facebook Acknowledges the Existence of the Program
While acknowledging the existence of this program, Facebook said, "like many companies, we invite people to participate in research that helps us identify things we can be doing better."
The company added that, since Facebook Research is aimed at "helping Facebook understand how people use their mobile devices, we have provided extensive information about the type of data we collect and how they can participate. We do not share this information with others, and people can stop participating at any time."
Facebook's spokesperson claimed that the app was in line with Apple's Enterprise Certificate program. But Apple requires developers to use that certificate system only for distributing internal corporate apps to their own employees, so "recruiting testers and paying them a monthly fee appears to violate the spirit of that rule," the report reads.
Apple is "aware" of the issue, but it is unclear whether the iPhone maker will bar Facebook from using its Enterprise Developer Certificates.
In response to the report, Facebook said it plans to shut down the iOS version of its Research app. BetaBound, uTest and Applause have not yet responded to the report.