Google Fined 50 Million Euros For Violations Of New European Privacy Law
Survey: Users Don't Understand Facebook's Advertising System. Some Disagree With Its Classifications

Facebook Paid Teens To Install Unauthorized Spyware On Their Phones. Plenty Of Questions Remain

Facebook logoWhile today is the 15th anniversary of Facebook,  more important news rules. Last week featured plenty of news about Facebook. TechCrunch reported on Tuesday:

"Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe... Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits."

So, teenagers installed surveillance software on their phones and tablets, to spy for Facebook on themselves, Facebook's competitors,, and others. This is huge news for several reasons. First, the "Facebook Research" app is VPN (Virtual Private Network) software which:

"... lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy..."

Reportedly, the Research app collected massive amounts of information: private messages in social media apps, chats from in instant messaging apps, photos/videos sent to others, emails, web searches, web browsing activity, and geo-location data. So, a very intrusive app. And, after being forced to remove oneintrusive app from Apple's store, Facebook continued anyway -- with another app that performed the same function. Not good.

Second, there is the moral issue of using the youngest users as spies... persons who arguably have the lease experience and skills at reading complex documents: corporate terms-of-use and privacy policies. I wonder how many teenagers notified their friends of the spying and data collection. How many teenagers fully understood what they were doing? How many parents were aware of the activity and payments? How many parents notified the parents of their children's friends? How many teens installed the spyware on both their iPhones and iPads? Lots of unanswered questions.

Third, Apple responded quickly. TechCrunch reported Wednesday morning:

"... Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down... Apple tells TechCrunch that yesterday evening it revoked the Enterprise Certificate that allows Facebook to distribute the Research app without going through the App Store."

Facebook's usage of the Enterprise Certificate is significant. TechCrunch also published a statement by Apple:

"We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization... Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked..."

So, the Research app violated Apple's policy. Not good. The app also performs similar functions as the banned Onavo VPN app. Worse. This sounds like an end-run to me. So as punishment for its end-run actions, Apple temporarily disable the certificates for internal corporate apps.

Axios described very well Facebook's behavior:

"Facebook took a program designed to let businesses internally test their own app and used it to monitor most, if not everything, a user did on their phone — a degree of surveillance barred in the official App Store."

And the animated Facebook image in the Axios article sure looks like a liar-liar-logo-on-fire image. LOL! Pure gold! Seriously, Facebook's behavior indicates questionable ethics, and/or an expectation of not getting caught. Reportedly, the internal apps which were shut down included shuttle schedules, campus maps, and company calendars. After that, some Facebook employees discussed quitting.

And, it raises more questions. Which Facebook executives approved Project Atlas? What advice did Facebook's legal staff provide prior to approval? Was that advice followed or ignored?

Google logo Fourth, TechCrunch also reported:

"Facebook’s Research program will continue to run on Android."

What? So, Google devices were involved, too. Is this spy program okay with Google executives? A follow-up report on Wednesday by TechCrunch:

"Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple... Google invites users aged 18 and up (or 13 if part of a family group) to download the app by way of a special code and registration process using an Enterprise Certificate. That’s the same type of policy violation that led Apple to shut down Facebook’s similar Research VPN iOS app..."

Oy! So, Google operates like Facebook. Also reported by TechCrunch:

"The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices..."

So, Google will terminate its spy program on Apple devices, but continue its own program with Facebook. Hmmmmm. Well, that answers some questions. I guess Google executives are okay with this spy program. More questions remain.

Fifth, Facebook tried to defend the Research app and its actions in an internal memo to employees. On Thursday, TechCrunch tore apart the claims in an internal Facebook memo from vice president Pedro Canahuati. Chiefly:

"Facebook claims it didn’t hide the program, but it was never formally announced like every other Facebook product. There were no Facebook Help pages, blog posts, or support info from the company. It used intermediaries Applause and CentreCode to run the program under names like Project Atlas and Project Kodiak. Users only found out Facebook was involved once they started the sign-up process and signed a non-disclosure agreement prohibiting them from discussing it publicly... Facebook claims it wasn’t “spying,” yet it never fully laid out the specific kinds of information it would collect. In some cases, descriptions of the app’s data collection power were included in merely a footnote. The program did not specify data types gathered, only saying it would scoop up “which apps are on your phone, how and when you use them” and “information about your internet browsing activity.” The parental consent form from Facebook and Applause lists none of the specific types of data collected...

So, Research app participants (e.g., teenagers, parents) couldn't discuss nor warn their friends (and their friends' parents) about the data collection. I strongly encourage everyone to read the entire TechCrunch analysis. It is eye-opening.

Sixth, a reader shared concerns about whether Facebook's actions violated federal laws. Did Project Atlas violate the Digital Millennium Copyright Act (DMCA); specifically the "anti-circumvention" provision, which prohibits avoiding the security protections in software? Did it violate the Computer Fraud and Abuse Act? What about breach-of-contract and fraud laws? What about states' laws? So, one could ask similar questions about Google's actions, too.

I am not an attorney. Hopefully, some attorneys will weigh in on these questions. Probably, some skilled attorneys will investigate various legal options.

All of this is very disturbing. Is this what consumers can expect of Silicon Valley firms? Is this the best tech firms can do? Is this the low level the United States has sunk to? Kudos to the TechCrunch staff for some excellent reporting.

What are your opinions of Project Atlas? Of Facebook's behavior? Of Google's?

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Chanson de Roland

While no lawyer could dispositively opine that Facebook has violated the criminal and/or civil provisions of the Digital Millennium Copyright Act; the Computer Fraud and Abuse Act; committed consumer fraud and common law fraud; violated COPA, the Child Online Protection Act; breach of contract with the arising relief in law and in equity; and committed sufficient predicate crimes to have violated federal and/or state RICO, Racketeer Influenced and Corrupt Organizations Act, crimes, TechCrunch and others’ reporting present sufficient facts to raise probable cause, that is, a reasonable basis for believing, that Facebook has violated some or all of the foregoing civil and criminal causes of action.

And the same is true for Google.

George

For those unfamiliar with the Children's Online Privacy Protection Act (COPPA), this blog has covered the Act and related privacy issues/failures. A good place to start:

New Online Privacy Rules For Children Went Into Effect Yesterday, July 1, 2013
https://ivebeenmugged.typepad.com/my_weblog/2013/07/coppa-update.html

Businesses and parents may find this helpful:

COPPA - Frequently Asked Questions
https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions

George
Editor
https://ivebeenmugged.typepad.com

Chanson de Roland

One thing that I left out is that where probable cause of crime, regulatory and/or public policy violations exists, as it does for Facebook and Google in the scandal reported, supra, and elsewhere, prosecutors and law enforcement officials of competent jurisdiction have the duty to investigate to determine whether a case can be made for prosecution, administrative remedies, regulation, and/or legislation.

It will be interesting to see whether the lead agencies, which have jurisdiction in this matter, the U.S. Department of Justice, the U.S. Federal Trade Commission, and the several state Attorneys General, do anything to address this seemingly established misconduct in this matter by Google and the even more egregious misconduct by Facebook.

Chanson de Roland

And I forgot to list two other causes of action, Unfair Competition and possible violations of U.S. antitrust law, in my earlier discussion of the possible laws that Facebook and Google may have violated with their respective Research App/Project Atlas and Screenwise Meter apps. Using those apps, Facebook and Google appear to have been able, and it was reported that Facebook did, collect proprietary competitive information on competitors, potential competitors, and firms that were targeted for acquisition. Without getting too deep in the woods about prima facie elements of those cause of action, suffice it to say that TechCrunch’s reporting raises probable cause of the violation of antitrust and unfair competition claims that would sound in federal and state law.

So many others, e.g., equity owners, state and federal governments, and competitors, all may have claims against Facebook and Google. And some of those claims may invoke the criminal provisions of antitrust law, depending on the facts. If for example, Facebook was found to have stolen proprietary information to effect an anticompetitive acquisition.

But, as I wrote, supra, we shall see whether the authorities will do anything, whether they will even investigate. Senators Blumenthal, Markey, and Hawley should see that they federal authorities, the FTC and/or the DOJ, do investigate, and as leading politicians in their respective states, they should urge their state Attorneys General to investigate.

The comments to this entry are closed.