Facebook Pays Teens To Install VPN That Spies On Them (techcrunch.com)
A new report from TechCrunch details how "desperate" Facebook is for data on its competitors. The social media company "has been secretly paying people to install a 'Facebook Research' VPN that lets the company suck in all of a user's phone and web activity," a TechCrunch investigation confirms. "Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity." From the report: Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android "Facebook Research" app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook's involvement, and is referred to in some documentation as "Project Atlas," a fitting name for Facebook's effort to map new trends and rivals around the globe.
We asked Guardian Mobile Firewall's security expert Will Strafach to dig into the Facebook Research app, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed." It's unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user's device once they install the app.
Asking minors to do something like this without parental consent is a crime (at least in Canada).
Will $CURRENT_YEAR be the year of the Linux Desktop?
They've deliberately abused the application testing program in order to harvest user data that they couldn't get by getting that application deployed through the App Store. If almost any other company did that I bet Apple would kick them off the App Store and make an announcement about how they are protecting your privacy. But since it's Facebook and they provide so much money to Apple I figure that the project will be closed but Facebook will just start a new one.
By using any VPN aren't you introducing a man in the middle?
Trusted root signing certificates can protect against just that sort of hijacking, even by the operator of a VPN. Of course, that only works when the VPN operator hasn't added itself to the trusted root certificate store on your device, as Facebook has done here. It's the difference between your device trusting the slashdot.org certificate issued by "Let's Encrypt" vs. the one issued on the fly and signed by "Facebook Trusted Root", which is obviously forged but trusted by your device because your device trusts "Facebook Trusted Root". Facebook got around this protection by asking you to give it root access to your device so that it could install its signing certificate in the trusted root certificates on your device, right alongside VeriSign, DigiCert and the other majors. That's like handing over your car keys to a stranger. It doesn't matter how secure your BMW anti-theft system is if you hand the keys over to the thieves. Facebook is taking advantage of the fact that the vast majority of people, and especially non-technical people, have absolutely no idea how security works.