Apple Says It's Banning Facebook's Research App That Collects Users' Personal Information (recode.net)
Facebook is at the center of another privacy scandal -- and this time it hasn't just angered users. It has also angered Apple. From a report: The short version: Apple says Facebook broke an agreement it made with Apple by publishing a "research" app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users' app history, their private messages and their location data. Facebook's research effort reportedly targeted users as young as 13 years old.
As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public. Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore. Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.
... the worse Facebook looks.
You make it sound as if Apple arbitrarily reached out and nuked an app. They didn't. They nuked an app that showed a flagrant disregard for the rules that everyone had agreed to.
Facebook broke specific terms in the license that say enterprise apps are expressly disallowed from being used by customers unless they are being supervised physically by an employee or are being operated on the company’s premises. Facebook made no attempt at abiding by the rules and engaged in behavior that many people are suggesting may actually have been criminal in nature.
But hey, if you want to shill for them and blame Apple, go ahead.
You're not using Facebook, you work for Facebook. Spread that message to others, please.
Politics; n. : A religion whereby man is god.
Maybe the powers that be will finally take notice and start regulating privacy and big data. But more than likely, nothing will become of this. At least Apple slapped down Facebook like a mosquito.
I am going to say Bad Apple on this one. As I stated on the other article, I am not sure that this app really could do a lot of the things that are being claimed. Terrible for privacy, sure, but apps implementing ATS and other best practices should still have been secure.
So now we have Apple essentially ban hammering an application outside the app store. Think about that. If you have an enterprise, and you write an application to run on devices you have purchased, Apple might still come along and disable it if they don't like you or it!
This isn't really good for users; this is really an anti-freedom/anti-ownership type action here. Just because it might protect a few dolts from malicious actors like Facebook does not automatically make it good.
Uhhh, do you know how Apple devices work? The people installing this app basically gave Facebook enterprise control of their devices. This means that Facebook had access to EVERYTHING. Installed apps, text messages, call history, location data, etc. are all available to an enterprise owner of a device. This is why you should not use BYOD with your personal phone if the employer requires enterprise provisioning of the device. And most people, including yourself it seems, are unaware that such a capability exists and would not stop to consider the consequences of their actions. Apple ought to revoke all of Facebook's apps and development accounts over this, but we know that won't happen because Facebook will just pay to make this little sin go away.
I expect you just hate Apple because they are Apple.
However, this is a case where this Enterprise Developer Program was given to trusted sources, who I expect were told to play by the rules with their elevated rights and freedom, and which Facebook abused.
It is like you welcomed a friend into your home. They are allowed to get some food out of the fridge if they are hungry or thirsty. They took the dessert you had made for after dinner, and it was rather obvious that was its intent. So this person abused the privilege they were granted, and you have the right to kick them out of your house or not invite them back in again.
From Star Trek VI: Let us redefine progress to mean that just because we can do a thing, it does not necessarily mean we must do that thing.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I think that's exactly what has happened, as evidenced by Apple's statement: "Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."
Note: I have not read Apple's TOS for their enterprise application deployment.
If it is the case that Apple's enterprise application deployment license dictates that it's only to be used by employees or those being directly supervised by an employee, then it's certainly fine for Apple to ban this application for its flagrant disregard for their own terms. They want to control distribution of apps to the public through their app store, but allow for private distribution within enterprises. Facebook agreed to not try to go around this, but did so anyways.
These certificates can give complete access to everything on your phone. They can allow Facebook to read your text messages, view all your photos, see all your phone calls, etc. It all depends on the permissions the certificate requested at install. My company requires such a certificate installed in order to have email within the Mail app (can still access it via webmail instead), which is why I don't bother having it on my personal phone. I'm not giving them that kind of access.
I am going to say Bad Apple on this one.
And you are absolutely completely wrong on this.
Apple has an "Enterprise Developer" program that lets companies joining the program develop applications that they can download, without any review by Apple, to the phones owned by the enterprise. There is absolutely no permission to give these applications to anyone outside the company. The terms and conditions, which are in a contract signed by Facebook, state very, very clearly that Facebook had no permission to do what they did, and that violation of the terms means that Apple will kill any applications using the Enterprise Development Certificate.
Usually this happens when a rogue employee steals the certificate and uses it to distribute malware. That malware gets nuked as soon as Apple finds out. In this case it was the company (Facebook) itself producing malware, so it gets nuked.
Just like the previous version, an official "VPN" app, that secretly tracked everything that users of that VPN app were doing.
So now we have Apple essentially ban hammering an application outside the app store. Think about that. If you have an enterprise, and you write an application to run on devices you have purchased, Apple might still come along and disable it if they don't like you or it!
F***ing nonsense. The whole point is that they _didn't_ run the app on devices that Facebook purchased.
Facebook will have joined two separate programs: The normal "developer" program, where they pay $99 a year just like every other developer, and the "enterprise" program, where they pay $299 a year for a program that plays by different rules: No review by Apple, the apps don't go on the App Store, and the enterprise must make sure that the app _only_ gets installed on devices belonging to the company.
Their enterprise account just got nuked (their Enterprise certificate probably got revoked, which kills all enterprise apps that they legitimately installed on Facebook devices as well), but their normal developer account would be unaffected.
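As an added example (not from the page or any commenter here), this is the kind of check a device or app-vetting team can run on an app's embedded.mobileprovision to tell enterprise (in-house) distribution apart from ad-hoc and App Store provisioning, and to flag expired or debuggable profiles. The profile bytes are constructed for the example; the key names follow the format Apple's provisioning profiles use.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: the XML plist carried inside an embedded.mobileprovision.
# On a real profile this XML sits inside a CMS (PKCS#7) signature blob; the
# key names used here are the ones Apple's provisioning profiles contain.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Corp In-House Distribution</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>EXAMPLE123.com.example.internal</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

def extract_plist(blob: bytes) -> dict:
    """Return the plist dict from a raw profile. The CMS wrapper stores the XML
    bytes verbatim, so slicing from <?xml to </plist> works without touching
    the signature (verifying that signature is a separate step)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> dict:
    """Label the distribution type and flag expired or debuggable profiles."""
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"            # in-house cert: installs on any device
    elif "ProvisionedDevices" in profile:
        kind = "ad-hoc/development"    # bound to the listed device UDIDs
    else:
        kind = "app-store"             # neither key: App Store distribution
    exp = profile["ExpirationDate"]    # plistlib yields a naive UTC datetime
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "expired": exp < datetime.now(timezone.utc),
        # get-task-allow means a debugger may attach; only dev profiles set it
        "debuggable": bool(profile.get("Entitlements", {}).get("get-task-allow")),
    }
```

An "enterprise" result on a device the issuing team does not own is exactly the situation the license terms quoted in this thread forbid, so it is a useful signal for a BYOD or MDM inventory.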
I'm sorry but you are factually wrong on it being an overreach by Apple.
Apple's terms expressly allow certain use of their Enterprise certificates by developers, everything else not stated in the T&Cs is forbidden. Facebook broke the conditions set out in the T&Cs by distributing the app outside of its employees (not covered by any of the exceptions).
Apple have every right to revoke the app and would be within their rights to terminate the developer full stop (but obviously that won't happen in this case). So this is pretty much the least they can do without doing nothing. And given how well Facebook is digging their own hole with the number of privacy violations that are constantly coming to light, Apple definitely don't want to be anywhere near that train wreck.
The problem is that you are using "any reason" when everything about this story says Facebook violated an agreement they made with Apple.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Replying to myself since a lot of people seem to be under the woefully incorrect impression that Apple's license terms are in some way vague about this stuff. They aren't. Not at all. Facebook agreed to the Apple Developer Enterprise License Agreement, which—I can't make this stuff up—is actually subtitled "(for in-house, internal use applications)". I'm not even kidding. And it appears it was last updated in October, well before this scandal made the news.
Emphasis is mine unless otherwise noted.
The Purpose section, right at the top of the document, starts with:
Your company [...] would like to use the Apple Software (as defined below) to develop one or more Internal Use Applications (as defined below) for Apple-branded products[...] and to deploy these Applications only for internal use within Your company [...]
In the very next paragraph is this note:
Note: This Program is for internal use, custom applications that are developed by You for Your specific business purposes and only for use by Your employees and, in limited cases, by certain other parties as set forth herein.
So how do they define "Internal Use Application"? Like this:
“Internal Use Application” means a software program [...] that is developed by You on a custom basis for Your own business purposes (e.g., an inventory app specific to Your business) [...] and solely for internal use by Your Employees or Permitted Users, or as otherwise expressly permitted in Section 2.1(f). Except as otherwise expressly permitted herein, specifically excluded from Internal Use Applications are any programs or applications that may be used, distributed, or otherwise made available to other companies, contractors [...], distributors, vendors, resellers, end-users or members of the general public.
So, basically, you can't distribute your apps outside your company. But just in case someone thinks they're being sly with mention of "Permitted Users" and "Section 2.1(f)":
“Permitted Users” means employees and contractors of Your Permitted Entity who have written and binding agreements with You or Your Permitted Entity to protect Your Internal Use Application from unauthorized use in accordance with the terms of this Agreement.
I.e. Not the sorts of people who were using the app in question. Not at all. And what about Section 2.1(f)? Section 2.1 lists out the comprehensive set of acceptable uses. They basically boil down to these:
- 2.1(a)(b)(c)(d)(g): Developers/testers working on the app are allowed to do typical developer/tester stuff for development/testing purposes
- 2.1(e): Your company's employees can install provisioning profiles to use the app for internal use only
- 2.1(f): Your customers can use the app, but only when they are "on [y]our physical premises" or under "the direct supervision and physical control of [y]our [e]mployees"
And then right after that section, they add:
Except as set forth in Section 2.1, You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers or to any third parties in any way
All of which is to say, Apple really couldn't get more explicit about the fact that this license is for internal use only, which Facebook was grossly and flagrantly violating. The only way they couldn't have known better was if Facebook literally skipped the bolded subtitle of the document, the first paragraph, the second paragraph, all of the definitions of terms, and a section that was pointed to numerous times throughout the document that spells out appropriate uses.
I think you're misunderstanding something about this story, but I'm not sure what. This seems to be what happened:
Apple has privacy protection built into their products to protect their customers. There are limits to the amount of control an App has over a device, and what data can be collected. They do things like, just as an example, prevent Facebook from snooping on every site you visit on your phone's browser just because Facebook's app is installed.
However, Apple doesn't want these rules to hamstring large business customers from having control over their own devices. For example, maybe some company wants to use iPads for industrial purposes in their warehouses to track inventory. For iOS to be a good platform for that, the company wants to be able to develop their own app that can take greater control of the device than Apple normally allows. Ok, fine, Apple has a developer program for large businesses to cater to that kind of thing.
Apple lets big businesses have greater control over their own devices, but as part of the agreement to allow that, Apple specifies that they're only allowed to use this greater level of access on their own devices, and not use it to distribute apps to consumers. Otherwise, developers could just use this access willy-nilly to get past all of Apple's security and privacy protection. Seems reasonable enough, right?
Now along comes Facebook, and they do the exact thing Apple says not to do, and for the exact reason Apple says not to do it. They use their Enterprise program to sidestep Apple's privacy protections so that they can spy on Apple users. In response, Apple revokes their ability to distribute apps that way.
Now if I'm being honest, I'd prefer that Apple allowed us all to use apps from outside of the App store. I don't really like the walled garden, and I'd prefer that Apple not rely on walled gardens for security. However, given that there is a walled garden and Apple does rely on it to secure their devices, it only makes sense that they'd enforce it.
Ultimately, it boils down to this: Facebook entered into an agreement with Apple in order to receive a greater level of access than developers normally have. Facebook then violated both the letter and spirit of the agreement, so Apple responded by revoking that greater level of access. I don't see any valid interpretation for how Apple is in the wrong here.
Apple didn't ban Facebook's app because it was spying on users or because it was offensive. Apple banned Facebook's app because it was being used by end users. Except in some VERY narrow cases that don't apply here, end users are expressly forbidden from using apps licensed under the terms of the Apple Developer Enterprise License Agreement—which is appropriately subtitled "(for in-house, internal use applications)"—that Facebook agreed to.
Companies are welcome to make anything they want for internal purposes, be it an app for inventory management, an app to order food from the in-house cafeteria, or an app to make coordinating human sacrifices to Satan easier, so long as the app remains internal. Facebook broke that cardinal rule.