Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Pays Teens To Install VPN That Spies On Them (techcrunch.com)

Posted by BeauHD on from the desperate-for-data dept.

A new report from TechCrunch details how "desperate" Facebook is for data on its competitors. The social media company "has been secretly paying people to install a 'Facebook Research' VPN that lets the company suck in all of a user's phone and web activity," a TechCrunch investigation confirms. "Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity." From the report: Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android "Facebook Research" app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook's involvement, and is referred to in some documentation as "Project Atlas" a fitting name for Facebook's effort to map new trends and rivals around the globe.

We asked Guardian Mobile Firewall's security expert Will Strafach to dig into the Facebook Research app, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed." It's unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user's device once they install the app.

19 of 82 comments (clear)

  1. How is this legal in the first place? by smartr · · Score: 4, Insightful

    If you encourage someone to commit a crime and help them along the way, you are an accessory to that crime. How is paying teenagers to silently send over private communications without broadcasting that fact not a violation of existing privacy laws?

    1. Re:How is this legal in the first place? by smartr · · Score: 2

      Did the third party that's communicating with the idiots agree to have their communication snooped by Facebook?

    2. Re:How is this legal in the first place? by grumpy-cowboy · · Score: 4, Informative

      Asking minors to do something like this without parental consent is a crime (at least in Canada).

      --
      Will $CURRENT_YEAR be the year of the Linux Desktop?
    3. Re:How is this legal in the first place? by smartr · · Score: 2

      Is it legal to record private conversations without telling the party you are communicating with, or to record private conversations without being a party of the conversation?

    4. Re:How is this legal in the first place? by grumpy-cowboy · · Score: 2

      I'm not sure you can SHARE this record with a party not involved in the
      conversion. So in this case, what Facebook is doing is probably illegal here.

      --
      Will $CURRENT_YEAR be the year of the Linux Desktop?
    5. Re:How is this legal in the first place? by smartr · · Score: 2

      There are many two-party consent states. Also, how far does consent of a teenager go, even if a parent signs off on it? Teenagers are generally not of the age of "consent", and the "consenting" adults aren't members of the conversations that are being recorded.

    6. Re:How is this legal in the first place? by Anubis+IV · · Score: 2

      Even in Texas, Facebook isn’t considered a party to the conversation. It’d be illegal wiretapping.

    7. Re:How is this legal in the first place? by umghhh · · Score: 2

      Is the VPN not sold with an argument about protecting privacy? If so then any abuse of it would be invalidating the commercial claim which in some jurisdictions is a crime which is prosecuted if people complain.

  2. Digital prostitution... by Picodon · · Score: 3, Interesting

    ...where the johns are corporations and naïve/desperate teens (and others) are exploited as usual.

    I’m especially astounded at the installation of a root certificate. This allows Facebook “researchers” to mount man-in-the-middle attacks on any of their “secure” transactions. It’s hard to believe that their suppliers/victims truly understood the implications when they signed up for it. I’m also wondering about the legality of such paid surveillance with minors (assuming they can legally consent to that).

  3. Edit: Parental consent was sought by Picodon · · Score: 2

    Ah, I had missed the paragraph that says that Facebook obtained parental consent for minors. (apologies)
    However, I find Facebook’s assertion “There are no known risks associated with the project” rather... interesting.

    1. Re:Edit: Parental consent was sought by JaredOfEuropa · · Score: 2

      Sure. That guy that drove up to my house in a sports car the other day, and offered me prime investment opportunities in luxury homes in the UAE, hardwood plantations in the Amazon, and even a mutual fund with a guaranteed monthly 10% return, also told me “there are no known risks associated with these projects”. My dealer also tells me heroin and krokodil are perfectly safe.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  4. Now it goes without saying by AlanObject · · Score: 2

    I only learned this adage just recently (don't know where it came from) but I haven't ever seen a more clear example:

    If the product is free then you are the product.

    In this case since the cost is negative, so it seems the saying has to be extended somehow.

  5. Yea, self regulation works better than gov't regs by stevez67 · · Score: 3, Insightful

    How's that working for ya?

  6. Captain Obvious Says by nehumanuscrede · · Score: 5, Insightful

    While I'm obviously preaching to the choir here, why do you think everyone and their brother wants you to use their " app " instead of a simple webpage ?
    They like to pretend it's for your " convenience ". Remember this story the next time you decide to download that " free " app.

    For those who have yet to understand this: Nothing is free. Everything comes with a price.

    Sometimes, it just isn't quite so obvious what that price is.

  7. Too bad Apple Won't Do Anything by CanadianMacFan · · Score: 4, Informative

    They've deliberately abused the application testing program in order to harvest user data that they couldn't get by getting that application deployed through the App Store. If almost any other company did that I bet Apple would kick them off the App Store and make an announcement about how they are protecting your privacy. But since it's Facebook and they provide so much money to Apple I figure that the project will be closed but Facebook will just start a new one.

  8. 20$ does sound good by OppMan29 · · Score: 3, Interesting

    install it on a phone I never use and has no other apps,,, Profit from Facebook

  9. As probably do most other VPNs.... by Darkling-MHCN · · Score: 2

    I've always wondered about the wisdom of people paying for access to VPNs to hide their nefarious activities (mostly downloading GOT). Have these people not heard of man in the middle attacks? By using any VPN aren't you introducing a man in the middle? If you were running a VPN would you not be logging all the activity and thinking of ways of monetising it or gaining other insights?

    1. Re:As probably do most other VPNs.... by Anonymous Coward · · Score: 2, Informative

      By using any VPN aren't you introducing a man in the middle?

      Trusted root signing certificates can protect against just that sort of hijacking, even by the operator of a VPN. Of course, that only works when the VPN operator hasn't added itself to the trusted root certificate store on your device, as Facebook has done here. It's the difference between your device trusting the slashdot.org certificate issued by "Let's Encrypt" vs the one issued on the fly and signed by "Facebook Trusted Root", which is obviously forged but trusted by your device because your device trusts "Facebook Trusted Root". Facebook got around this protection by asking you to give it root access to your device so that it could install its signing certificate in the trusted root certificates on your device, right along side VeriSign, DigiCert and the other majors. That's like handing over your car keys to a stranger. It doesn't matter how secure your BMW anti-theft system is if you hand the keys over to the thieves. Facebook is taking advantage of the fact that the vast majority of people, and especially non-technical people, have absolutely no idea how security works.

  10. Skeptical by DarkOx · · Score: 2

    if Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps

    I am not sure this true, but It would not surprise me if some of the changes Google and Apple have made in recent years are a response to stuff like this. You essentially can't modify the Trust store on Android anymore unless you root the device. You can not for example install a private CA certificate on an android phone. Rig up the DNS server on your network with an A rec www.facebook.com 192.168.1.10 and put a server there with a www.facebook.com cert you have issues and go view in in chrome on that android phone without getting a cert warning... (you can do this on a rooted device though)

    Similarly on an Apple device if the apps are using ATS, and certs are already pinned etc you will also have problems even if you install an in house CA.

    Trust me I know this because i have to test a lot of mobile apps and this all makes it excruciatingly painful. Usually requiring either rooted devices or patching the applications just to get a look at the web services conversation they are using.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html