Slashdot Mirror
Apple Says It's Banning Facebook's Research App That Collects Users' Personal Information (recode.net)
Facebook is at the center of another privacy scandal -- and this time it hasn't just angered users. It has also angered Apple. From a report: The short version: Apple says Facebook broke an agreement it made with Apple by publishing a "research" app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users' app history, their private messages and their location data. Facebook's research effort reportedly targeted users as young as 13 years old.
As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public. Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore. Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.
As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public. Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore. Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.
You're not using Facebook, you work for Facebook. Spread that message to others, please.
Politics; n. : A religion whereby man is god.
Note: I have not read Apple's TOS for their enterprise application deployment.
If it is the case that Apple's enterprise application deployment license dictates that it's only to be used by employees or those being directly supervised by an employee, then, it's certainly fine for apple to ban this application for its flagrant disregard for their own terms. They want to control distribution of apps to the public through their app store, but allow for private distribution within enterprises. Facebook agreed to not try to go around this, but did so anyways.
These certificates can give complete access to everything on your phone. They can allow Facebook to read their text messages, view all their photos, see all their phone calls, etc. All depends on the permissions certificate requested at install. My company requires such a certificate installed in order to have email within the Mail app (can still access it via webmail instead), which is why I don't bother having it on my personal phone. I'm not giving them that kind of access.
I'm sorry but you are factually wrong on it being an overreach by Apple.
Apple's terms expressly allow certain use of their Enterprise certificates by developers, everything else not stated in the T&Cs is forbidden. Facebook broke the conditions set out in the T&Cs by distributing the app outside of its employees (not covered by any of the exceptions).
Apple have every right to revoke the app and would be within their rights to terminate the developer full stop (but obviously that won't happen in this case). So this is pretty much the least they can do without doing nothing. And given how well facebook is digging their own hole with the number of privacy violations that are constantly coming to light, Apple definitely don't want to be anywhere near that train wreck.
Replying to myself since a lot of people seem to be under the woefully incorrect impression that Apple's license terms are in some way vague about this stuff. They aren't. Not at all. Facebook agreed to the Apple Developer Enterprise License Agreement, which—I can't make this stuff up—is actually subtitled "(for in-house, internal use applications)". I'm not even kidding. And it appears it was last updated in October, well before this scandal made the news.
Emphasis is mine unless otherwise noted.
The Purpose section, right at the top of the document, starts with:
Your company [...] would like to use the Apple Software (as defined below) to develop one or more Internal Use Applications (as defined below) for Apple-branded products[...] and to deploy these Applications only for internal use within Your company [...]
In the very next paragraph is this note:
Note: This Program is for internal use, custom applications that are developed by You for Your specific business purposes and only for use by Your employees and, in limited cases, by certain other parties as set forth herein.
So how do they define "Internal Use Application"? Like this:
“Internal Use Application” means a software program [...] that is developed by You on a custom basis for Your own business purposes (e.g., an inventory app specific to Your business) [...] and solely for internal use by Your Employees or Permitted Users, or as otherwise expressly permitted in Section 2.1(f). Except as otherwise expressly permitted herein, specifically excluded from Internal Use Applications are any programs or applications that may be used, distributed, or otherwise made available to other companies, contractors [...], distributors, vendors, resellers, end-users or members of the general public.
So, basically, you can't distribute your apps outside your company. But just in case someone thinks they're being sly with mention of "Permitted Users" and "Section 2.1(f)":
“Permitted Users” means employees and contractors of Your Permitted Entity who have written and binding agreements with You or Your Permitted Entity to protect Your Internal Use Application from unauthorized use in accordance with the terms of this Agreement.
I.e. Not the sorts of people who were using the app in question. Not at all. And what about Section 2.1(f)? Section 2.1 lists out the comprehensive set of acceptable uses. They basically boil down to these:
- 2.1(a)(b)(c)(d)(g): Developers/testers working on the app are allowed to do typical developer/tester stuff for development/testing purposes
- 2.1(e): Your company's employees can install provisioning profiles to use the app for internal use only
- 2.1(f): Your customers can use the app, but only when they are "on [y]our physical premises" or under "the direct supervision and physical control of [y]our [e]mployees"
And then right after that section, they add:
Except as set forth in Section 2.1, You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers or to any third parties in any way
All of which is to say, Apple really couldn't get more explicit about the fact that this license is only for internal use only, which Facebook was grossly and flagrantly violating. The only way they couldn't have known better was if Facebook literally skipped the bolded subtitle of the document, the first paragraph, the second paragraph, all of the definitions of terms, and a section that was pointed to numerous times throughout the document that spells out appropriate uses.
I think you're misunderstanding something about this story, but I'm not sure what. This seems to be what happened:
Apple has privacy protection built into their products to protect their customers. There are limits to the amount of control an App has over a device, and what data can be collected. They do things like, just as an example, prevent Facebook from snooping on every site you visit on your phone's browser just because Facebook's app is installed.
However, Apple doesn't these rules to hamstring large business customers from having control over their own devices. For example, maybe some company wants to use iPads for industrial purposes in their warehouses to track inventory. For iOS to be a good platform for that, the company wants to be able to develop their own app that can take greater control of the device than Apple normally allows. Ok, fine, Apple has a developer program for large businesses to cater to that kind of thing.
Apple lets big businesses have greater control over their own devices, but as part of the agreement to allow that, Apple specifies that they're only allowed to use this greater level of access on their own devices, and not use it to distribute apps to consumers. Otherwise, developers could just use this access willy-nilly to get past all of Apple's security and privacy protection. Seems reasonable enough, right?
Now along comes Facebook, and they do the exact thing Apple says not to do, and for the exact reason Apple says not to do it. They use their Enterprise program to sidestep Apple's privacy protections so that they can spy on Apple users. In response, Apple revokes their ability to distribute apps that way.
Now if I'm being honest, I'd prefer that Apple allowed us all to use apps from outside of the App store. I don't really like the walled garden, and I'd prefer that Apple not rely on walled gardens for security. However, given that there is a walled garden and Apple does rely on it to secure their devices, it only makes sense that they'd enforce it.
Ultimately, it boils down to this: Facebook entered into an agreement with Apple in order to receive a greater level of access than developers normally have. Facebook then violated both the letter and spirit of the agreement, so Apple responded by revoking that greater level of access. I don't see any valid interpretation for how Apple is in the wrong here.
Apple didn't ban Facebook's app because it was spying on users or because it was offensive. Apple banned Facebook's app because it was being used by end users. Except in some VERY narrow cases that don't apply here, end users are expressly forbidden from using apps licensed under the terms of the Apple Developer Enterprise License Agreement—which is appropriately subtitled "(for in-house, internal use applications)"—that Facebook agreed to.
Companies are welcome to make anything they want for internal purposes, be it an app for inventory management, an app to order food from the in-house cafeteria, or an app to make coordinating human sacrifices to Satan easier, so long as the app remains internal. Facebook broke that cardinal rule.