Georgetown Law
Technology Review

Would you let someone pay you $20 per month to look at every picture, message, and email you send? Every website you visit? Watch everything you look at on Twitter, Instagram, Tumblr, and YouTube? Most would not. Yet this is exactly the deal Facebook secretly made with a myriad of users age 13–35. Why would these users agree to this? Most of them did not know what information Facebook was collecting.

In 2013, Facebook acquired Onavo, an app that purported to help users monitor their mobile data use and protect user data by sending all internet traffic through a private encrypted network. The real purpose of this app was to allow Facebook to spy on users—analyzing all of their mobile internet and app usage to predict trends and make product development and purchasing decisions. For example, the data Facebook acquired through the Onavo app was behind the company’s decision to purchase WhatsApp for $19 billion. In March, 2018, security expert Will Strafach detailed Onavo’s incursions into user privacy. Apple then investigated and updated its developer policies to ban such intrusive data collection practices, forcing Facebook to remove the Onavo app from the Apple App Store.

Rather than complying with Apple’s new policy and respecting user data privacy, Facebook decided to go underground and skirt Apple’s rules. They rebranded their Onavo app as “Facebook Research,” using essentially the same code and servers, and utilized various research and testing companies to market the app to unsuspecting users. Users were compensated $20 per month in gift cards to grant Facebook “root access” to the data their phone transmitted. This means that the app could see which websites the users visited, what they did on those websites, messages the users sent, videos they watched, products they purchased, and almost anything else they did on their phone. The app may have been able to see this information even if the user was using encryption or secure/private browsing.

In order to load the “Facebook Research” app onto users’ phones, Facebook had to get creative. They could not use Apple’s App Store, as all apps submitted to the store are inspected by Apple before publication and this app was clearly in violation of Apple’s policies. Their solution was to use an Enterprise Developer Certificate. This certificate is a special file issued by Apple to app developers that allows them to install apps on employee phones without using the App Store and without oversight by Apple, for testing and internal purposes only. The certificate was issued to Facebook under the terms that it would only be used by Facebook employees or by app testers that were physically on Facebook campus premises. Facebook clearly violated the letter and spirit of Apple’s enterprise certificate policy in this covert move to continue to mine customer’s private data.

Once Facebook’s practices came to light, Apple reacted by swiftly disabling their Enterprise Certificate, which disabled all of Facebook’s internal apps and caused havoc for their 33,000 employees that rely on such apps for scheduling, testing, and transportation. The certificate was reinstated two days later after Facebook contacted Apple about the issue and announced it was ending its research app program. Facebook has been largely unapologetic for its actions and a Facebook spokesperson indicated that they still plan to pay for user data in the future.

Perhaps the most troubling aspect of Facebook’s response to this scandal is their assertion that users knew the level of access they were granting to Facebook through this program. As security expert Strafach points out, “The fairly technical sounding ‘install our Root Certificate’ step is appalling . . . because there is no good way to articulate just how much power is handed to Facebook when you do this.” Allowing a company to install a root certificate on your phone grants them virtually unlimited access to monitor you in any way they desire and to control almost every aspect of your phone. It is unlikely that the majority of the users receiving $20 per month from Facebook for installing a “Research App” understood that they were granting Facebook this much control and power to spy on them. Hopefully, moving forward, we will enact stronger privacy laws to curb such abuses.