Slashdot Mirror


Apple Says It's Banning Facebook's Research App That Collects Users' Personal Information (recode.net)

Facebook is at the center of another privacy scandal -- and this time it hasn't just angered users. It has also angered Apple. From a report: The short version: Apple says Facebook broke an agreement it made with Apple by publishing a "research" app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users' app history, their private messages and their location data. Facebook's research effort reportedly targeted users as young as 13 years old.

As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public.

Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore.

Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.

4 of 109 comments

  1. Re:Bad Apple by Anubis+IV · · Score: 5, Insightful

    You make it sound as if Apple arbitrarily reached out and nuked an app. They didn’t. They nuked an app that showed a flagrant disregard for the rules that everyone had agreed to.

    Facebook broke specific terms in the license that say enterprise apps are expressly disallowed from being used by customers unless they are being supervised physically by an employee or are being operated on the company’s premises. Facebook made no attempt at abiding by the rules and engaged in behavior that many people are suggesting may actually have been criminal in nature.

    But hey, if you want to shill for them and blame Apple, go ahead.

  2. Dear Facebook Users... by BringsApples · · Score: 5, Informative

    You're not using Facebook, you work for Facebook. Spread that message to others, please.

    --
    Politics; n. : A religion whereby man is god.

  3. Re:Bad Apple by Anubis+IV · · Score: 5, Informative

    Replying to myself since a lot of people seem to be under the woefully incorrect impression that Apple's license terms are in some way vague about this stuff. They aren't. Not at all. Facebook agreed to the Apple Developer Enterprise License Agreement, which—I can't make this stuff up—is actually subtitled "(for in-house, internal use applications)". I'm not even kidding. And it appears it was last updated in October, well before this scandal made the news.

    Emphasis is mine unless otherwise noted.

    The Purpose section, right at the top of the document, starts with:

    Your company [...] would like to use the Apple Software (as defined below) to develop one or more Internal Use Applications (as defined below) for Apple-branded products[...] and to deploy these Applications only for internal use within Your company [...]

    In the very next paragraph is this note:

    Note: This Program is for internal use, custom applications that are developed by You for Your specific business purposes and only for use by Your employees and, in limited cases, by certain other parties as set forth herein.

    So how do they define "Internal Use Application"? Like this:

    “Internal Use Application” means a software program [...] that is developed by You on a custom basis for Your own business purposes (e.g., an inventory app specific to Your business) [...] and solely for internal use by Your Employees or Permitted Users, or as otherwise expressly permitted in Section 2.1(f). Except as otherwise expressly permitted herein, specifically excluded from Internal Use Applications are any programs or applications that may be used, distributed, or otherwise made available to other companies, contractors [...], distributors, vendors, resellers, end-users or members of the general public.

    So, basically, you can't distribute your apps outside your company. But just in case someone thinks they're being sly with mention of "Permitted Users" and "Section 2.1(f)":

    “Permitted Users” means employees and contractors of Your Permitted Entity who have written and binding agreements with You or Your Permitted Entity to protect Your Internal Use Application from unauthorized use in accordance with the terms of this Agreement.

    I.e. Not the sorts of people who were using the app in question. Not at all. And what about Section 2.1(f)? Section 2.1 lists out the comprehensive set of acceptable uses. They basically boil down to these:
    - 2.1(a)(b)(c)(d)(g): Developers/testers working on the app are allowed to do typical developer/tester stuff for development/testing purposes
    - 2.1(e): Your company's employees can install provisioning profiles to use the app for internal use only
    - 2.1(f): Your customers can use the app, but only when they are "on [y]our physical premises" or under "the direct supervision and physical control of [y]our [e]mployees"

    And then right after that section, they add:

    Except as set forth in Section 2.1, You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers or to any third parties in any way

    All of which is to say, Apple really couldn't get more explicit about the fact that this license is for internal use only, which Facebook was grossly and flagrantly violating. The only way they couldn't have known better was if Facebook literally skipped the bolded subtitle of the document, the first paragraph, the second paragraph, all of the definitions of terms, and a section that was pointed to numerous times throughout the document that spells out appropriate uses.

  4. Re:No, bad apple by Anubis+IV · · Score: 5, Informative

    Apple didn't ban Facebook's app because it was spying on users or because it was offensive. Apple banned Facebook's app because it was being used by end users. Except in some VERY narrow cases that don't apply here, end users are expressly forbidden from using apps licensed under the terms of the Apple Developer Enterprise License Agreement—which is appropriately subtitled "(for in-house, internal use applications)"—that Facebook agreed to.

    Companies are welcome to make anything they want for internal purposes, be it an app for inventory management, an app to order food from the in-house cafeteria, or an app to make coordinating human sacrifices to Satan easier, so long as the app remains internal. Facebook broke that cardinal rule.