The social media giant had users install a “Facebook Research” VPN, which gave it root access to usage data across all the apps on their phone.
An expert contacted by TechCrunch claimed that the VPN provided a window into private messages, any photos/videos sent to others, personal emails, web searches, web history, and location information.
Participants were paid up to $20 per month for this information, plus additional referral fees.
Facebook has agreed to shut down the program on iOS in the wake of the investigation, but will reportedly continue to collect data from participants with Android devices.
The VPN was referred to internally as “Project Atlas”, and was distributed via beta-testing services rather than the iOS App Store. This may be a strategy for circumventing App Store policies on data protection: a similar VPN-based Facebook project named Onavo was pulled in 2018 after Apple’s developer terms changed. The new policies require that apps only collect data necessary for their functioning.
The personal data collected by Project Atlas may have been used to identify popular competitor features and interesting startups – Onavo, while active on iOS, was used to research WhatsApp ahead of a $19 billion acquisition in 2014.
Mark Zuckerberg’s company has responded harshly to journalistic criticism of the program. It said: “Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App.
“It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
Read more here.