Furious Apple revokes Facebook's enterprise app cert after Zuck's crew abused it to slurp private data
Internal FB apps in chaos, lawmaker on warpath
Facebook has yet again vowed to "do better" after it was caught secretly bypassing Apple's privacy rules to pay adults and teenagers to install a data-slurping iOS app on their phones.
The increasingly worthless promises of the social media giant have fallen on deaf ears however: on Wednesday, Apple revoked the company's enterprise certificate for its internal non-public apps, and one lawmaker vowed to reintroduce legislation that would make it illegal for Facebook to carry out such "research" in future.
The enterprise cert allows Facebook to sign iOS applications so they can be installed for internal use only, without having to go through the official App Store. It's useful for intranet applications and in-house software development work.
Facebook, though, used the certificate to sign a market research iPhone application that folks could install on their devices. The app was previously kicked out of the official App Store for breaking Apple's rules on privacy: Facebook had to use the cert to skirt Cupertino's ban.
"We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization," said Apple in a statement.
"Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."
With its certificate revoked, Facebook employees are reporting that their legitimate internal apps, also signed by the cert, have stopped working. The consumer iOS Facebook app is unaffected.
Trust us, we're Facebook!
At the heart of the issue is an app for iPhones called "Facebook Research" that the company advertised through third parties. The app is downloaded outside of the normal Apple App Store, and gives Facebook extraordinary access to a user's phone, allowing the company to see pretty much everything that person does on their device. For that trove of personal data, Facebook paid an unknown number of users aged between 13 and 35 up to $20 a month in e-gifts.
The VPN-based app is similar to one Facebook used to offer called Onavo Protect, which also logged and forwarded user activity to Facebook, but that app was specifically banned by Apple last year over privacy concerns.
Facebook wasn't able to get a similar app approved due to changes in Apple's rules, and so it used Apple's aforementioned enterprise certificate program, which is only for internal-use apps, to get around the restrictions, an investigation by TechCrunch this week revealed.
In Facebook's case, it knowingly broke those rules by encouraging third parties – including children – to download the app and use it. And it paid them to do so. And then, as its activity was exposed, embarked – yet again – on a series of half-truths and lies rather than acknowledge what it was really doing.
Here are just a few of them:
- Facebook said it was pulling its app in response to criticism. Whereas in fact Apple revoked its certificate due to breaking the terms of the program, and so Facebook had no choice but to end it.
- Facebook claimed that parental consent was received by every user under the age of 18 that had downloaded and installed the app. Whereas in fact there was no check on whether that parental consent was real: two kids with two phones would be able to confirm an account. It was literally a check-box exercise.
- Facebook claimed that it was open about its app, that it was obviously monitoring the users' online activity from the description of the software, and pointed to the fact it was called "Facebook Research" as evidence. Whereas in fact users were approached through third parties, and Facebook's involvement was hidden until after users started the sign-up process.
Here come the regulators
Meanwhile, the news has caught the attention of a US lawmaker. Senator Ed Markey (D-MA) is furious that Facebook "has been offering teens financial compensation for access to vast amount of those minors’ personal information, including personal messages, web history, and photos."
He vowed on Tuesday to reintroduce legislation – which was termed the Do Not Track Kids Act – in order to update privacy laws and make it illegal for companies to pay children to hand over their private data.
"It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding of how much data they’re handing over and how sensitive it is," he said in a statement.
The news that Facebook knowingly bypassed privacy rules to grab teenagers' personal data follows on the heels of revelations that the company knowingly manipulated children into spending their parents’ money without permission while playing games on Facebook.
And following recent changes in its code that were designed to stop independent reviewers from keeping an eye on the company's controversial political ad service that has been used repeatedly in recent years to spread misinformation during election campaigns.
Facebook has promised in each case to do better. ®
PS: Looks like Google has a similar certificate-signed iOS app, Screenwise Meter, which has now been disabled amid the outcry over Facebook.