Facebook got 187,000 users’ data with snoopy VPN app

In January, Apple’s App Store gave the heave-ho to Facebook’s snoopy Research VPN (virtual private network) app.

Now we know how many users Facebook Research got personal and sensitive device data from: 187,000, according to a letter sent by Facebook to Senator Richard Blumenthal and obtained by TechCrunch. That’s 31,000 US users – 4,300 of whom are teenagers – and with the rest being from India.

The now-defunct Research app used its access to get what security researcher Will Strafach called “nearly limitless access.” That includes web browsing histories, encrypted messages and mobile app activity of not just the volunteer users but also, potentially, data from their friends.

It was kicked from the App Store for violating Apple’s Developer Enterprise Program License Agreement by installing a root certificate. Something that’s supposed to be limited to “for use by your employees”.

Facebook pushed back at the negative coverage it received following the eviction, pointing out that it wasn’t the snoopiness of the app that saw it discarded, and that users were well aware they were being snooped on:

…there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate.

The data was used for competitive analysis. Facebook used an earlier version of VPN app, Onavo, to track its competition and scope out new product categories. Private, internal emails from Facebook staff that were published in December 2018 revealed that Facebook had relied on the Onavo data when it decided to purchase WhatsApp, for example. The company also used the Onavo data to track usage of its rivals and to block some of them – including Vine, Ticketmaster, and Airbiquity – from accessing its friends data firehose API.

Onavo, banned from Apple’s App Store in August 2018 for its privacy-violating ways, has been recycled multiple times.

Following the Onavo backlash, since at least mid-2018, the company started calling Facebook Research “Project Atlas.” It had yet another similar program called “Project Kodiak.”

And as TechCrunch reports, just this week, the research app has resurfaced yet again as “Study”. It’s yet another pay-for-market-research app, but this one’s only available on Google Play – no surprise there, since both Onavo and Research got kicked out of the App Store. It’s available by invitation to approved users who’ve been invited to the Facebook Study program. TechCrunch reports that Facebook is pledging to be more transparent about how it collects user data.

Facebook has also promised to not snoop on user IDs, passwords or any of participants’ content, including photos, videos or messages. It’s not saying how much participants will be paid – they got $20 for going along with the Research app – but Facebook does say that it won’t sell participants’ info to third parties, use it to target ads or add it to their account or the behavior profiles the company keeps on each user.