So, how is Facebook being terrible today? It is hard to keep up, people. But this one is kind of extraordinary even by Facebook standards.
Several years ago Facebook bought a VPN company called Onavo. VPNs are awesome, although you have to be careful whose VPN service you use, because if they’re shady you’re really just giving them access to all your activity instead of accomplishing what a VPN is supposed to do – keep it private.
Now “a VPN from Facebook” mostly should provoke eye-rolling and laughter, but they do have market reach. So they started pushing Onavo. Except, um, what Onavo was actually doing was sucking up huge amounts of tracking data and giving it Facebook. I guess they were confused about what the “P” in “VPN” stood for.
Once it became clear that Onavo was basically spyware for Facebook, there was an uproar, and Apple booted them out of its app store. The end?
Of course not. Facebook’s brilliant idea for this – hey, let’s sneak it into phones under another name, and pay teenagers to use it so we can watch them! Maybe Sheryl & Zuck came up with this in one of their reflection sessions.
We asked Guardian Mobile Firewall’s security expert Will Strafach to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.
Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and “Trust” Facebook with root access to the data their phone transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.
It’s just a fucking mess. Facebook killed the program, along with some huffing about how unfair it was. And Apple, to its credit, invalidated Facebook’s enterprise developer certificates, causing them a ton of headaches. Good.
Facebook is not the only company whose actions raise privacy concerns… but they are unique in their willingness to be utterly shady, lie to users, and make protecting one’s privacy as difficult as possible. They are just bad news all around.
You don’t need it as much as you think you do, and if you stop using it, you make it marginally less valuable to everyone else. Don’t participate in it.