The battle for privacy and reputation raging between Apple and Facebook has begun to heat up after Apple blocked a Facebook app before the social media company could do so voluntarily. Unfortunately for users, this forceful gesture is more than justified. A recent investigation by TechCrunch found that Facebook had been paying users as young as 13 to install a “Facebook Research” VPN app that allows the company unprecedented access to a user’s phone and web activity.
The History Between the Moguls
This tension has been rising for some time and shows no sign of improving any time soon. Ranging from blatant provocation to secretive manoeuvres, Apple and Facebook have been challenging one another over the privacy of their users and the safety of their data.
The animosity likely began when Apple started positioning itself as a champion of privacy. After the San Bernardino attack in 2015, Apple was ordered by the FBI to break into an iPhone owned by one of the shooters, but refused on the grounds that doing so would make almost every other iPhone vulnerable to hacking. They considered this “something too dangerous to create”, and when the FBI eventually cracked into the iPhone on their own, Apple was quick to fortify its devices and operating systems in response.
Again in 2015 Apple’s CEO, Tim Cook, made an infamously scathing speech which all but named the companies that he believed had built their businesses “by lulling their customers into complacency about their personal information” and monetizing their data. Targeting Facebook, Google, Twitter and more, Cook emphasised that this was “not the kind of company that Apple wants to be”.
After the Cambridge Analytica scandal shook the world, the CEO was asked in an interview what he would have done had he been in Zuckerberg’s shoes. Cook stated that he simply would not be in that situation, and that privacy is a human right that Facebook continues to deprive people of.
In June last year, Apple unveiled Safari’s new anti-tracking features and in no uncertain terms named their target. “We’ve all seen these like buttons and share buttons,” Apple’s VP of software Craig Federighi stated, “Well it turns out, these can be used to track you, whether you click on them or not. So, this year, we’re shutting that down.”
For several years, the company has been developing various methods for forcing other tech companies and app developers to respect user privacy. Apple’s software is designed in a way that restricts access to private user data, and all apps are required to explicitly ask for permission each time they use tools such as GPS. The new Safari software helps to prevent Facebook from using a technique called fingerprinting, which is used to track internet users who are not even logged in and to paint an eerily accurate image of that user. Apple has sworn that its new browser will ensure that the information that allows this is no longer passed on to websites.
The Facebook Research App
This brings us to the latest clash, which saw Apple not only forcefully remove a Facebook app but also suspend Facebook’s ability to use apps through Apple’s enterprise development program.
The app, known as ‘Facebook Research’, is a VPN that allows the company to tap into the user’s phone at all times. Since 2016, Facebook has been paying users aged 13 to 35 years old up to $20 per month, plus referral fees, to essentially sell their privacy. The app gives Facebook almost limitless access to a user’s device once installed, side-stepping the App Store by having it on the enterprise development program instead. Ads were run on Instagram and Snapchat, seeking teenagers for a “paid social media research study”. The app explains that “the inherent nature of the project involves the tracking of personal information via [your] use of apps”.
Facebook began dabbling in data-sniffing when it acquired VPN app Onavo for $120 million in 2013. The app, designed to help users track their mobile data usage, gave Facebook unprecedented access to analytics on the user’s usage of other apps. This is why Facebook bought WhatsApp, having seen that its usage was almost double that of Facebook Messenger. Onavo allowed Facebook to understand what apps to copy, which features to build and what to avoid.
Apple pulled Onavo from the App Store last year due to privacy policy violations. But this was simply a road bump in Facebook’s desperate quest to collect more data. Even now, Apple’s latest move to remove the Research App is more of a slap on the wrist than a severe punishment.
Interestingly, Facebook is pleading not guilty. When initially challenged with the allegations, Facebook claimed the app was in line with Apple’s Enterprise Certificate program, but failed to explain how. In an additional statement, a spokesperson stated that there was nothing ‘secret’ about the app and it was not ‘spying’ as all participants were willing, well-informed and compensated. The spokesperson insisted that “key facts about this market research program are being ignored”.
However, Facebook never publicly promoted the app itself, instead using intermediaries that often failed to disclose Facebook’s involvement until after users had signed up. What is more, the so-called clear instructions and warnings were simply not enough to make users aware of the extent of Facebook’s access. Security expert Will Strafach explains that by using the VPN to its full extent, Facebook could easily have access to:
- private messages in social media apps;
- chats from instant messaging apps, including photos and videos sent;
- emails;
- web searches;
- web browsing activity; and
- ongoing location information.
Apple’s Reaction
Hours after the investigation was made public, Facebook abandoned its plea of innocence, jumping ship and promising to shut down the iOS Research app.
After Facebook failed to do so, Apple blocked the app and revoked the Enterprise Certificate that allowed the company to distribute the app outside of the App Store. Without this certificate, Facebook’s internal iOS apps will no longer work, causing a big headache for the social media giant. Apple has yet to indicate if the ban is temporary and whether any further actions will be taken.
The Self-Proclaimed Hero of Privacy
Interestingly, Apple’s reputation is far more at risk than Facebook’s at this stage. Having put its name on the line and specifically differentiated itself from its competitors through privacy protections, the company is risking its reputation and could face adverse consequences if it does not tread carefully. Apple has claimed to have built its company and reputation on security in a way that no other big company has, and because of this will face a much bigger fallout from any security incidents.
Importantly, Apple has so far successfully demonstrated a keen interest in developing significant privacy-enhancing measures, moving away from the token methods that Facebook, Google and others have offered to web users. The company’s techniques have actual potential to curtail the monetisation of user data, and it has shown a real dedication to the bitter war over privacy that it sparked years ago. Apple would be wise to continue on this path, both for the reputation of the company and for its users, although it is likely to be a very, very long road to success.
Author: Elsa Chapple, Agilient Consultant