Facebook Pays Teens To Install VPN That Spies On Them (techcrunch.com) 82
A new report from TechCrunch details how "desperate" Facebook is for data on its competitors. The social media company "has been secretly paying people to install a 'Facebook Research' VPN that lets the company suck in all of a user's phone and web activity," a TechCrunch investigation confirms. "Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity." From the report: Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android "Facebook Research" app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook's involvement, and is referred to in some documentation as "Project Atlas" a fitting name for Facebook's effort to map new trends and rivals around the globe.
We asked Guardian Mobile Firewall's security expert Will Strafach to dig into the Facebook Research app, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed." It's unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user's device once they install the app.
We asked Guardian Mobile Firewall's security expert Will Strafach to dig into the Facebook Research app, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed." It's unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user's device once they install the app.
How is this legal in the first place? (Score:5, Insightful)
Re: (Score:2)
What crime? They are asking users to take money to share that information for money. There is no deception, these idiots are agreeing to it. How is it a breach of privacy laws if these drones have agreed to this data collection, and are taking payment for it?
Re: (Score:3)
Re:How is this legal in the first place? (Score:5, Informative)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
general prohibition on interception (recording) of private communications, but
then provides an exception where one of the parties to the private communication
consents to the interception of that communication. Thus, broadly speaking,
Canadians can legally record their own conversations with other people, but not
other peoples' conversations that they are not involved in.
ref: https://legaltree.ca/node/908
Re: (Score:3)
conversion. So in this case, what Facebook is doing is probably illegal here.
Re: (Score:2)
Is it legal to record private conversations without telling the party you are communicating with, or to record private conversations without being a party of the conversation?
it is in Texas as we are a one-party consent state. as long as one party knows they are recording, its legal, and that one party normally can be/is the person doing the recording.
Texas Wiretapping Law. Texas's wiretapping law is a "one-party consent" law. Texas makes it a crime to intercept or record any "wire, oral, or electronic communication" unless one party to the conversation consents. Texas Penal Code 16.02.
Re: (Score:3)
Re: (Score:3)
Even in Texas, Facebook isn’t considered a party to the conversation. It’d be illegal wiretapping.
Re: (Score:2)
If facebook could monetize an anal probe (Score:2)
they would and people would insert it gladly. Fortunately they haven't... yet.
Google DNS 8.8.8.8 (Score:2)
using google as your DNS also provides all your surfing habits and a lot of other stuff to google. They could if they wanted to reroute all your content through google with the power of DNS they just haven't as far as I know.
Re: (Score:1)
Ayup. Fortunately, Cloudflare's 1.1.1.1 seems to have all the advantages, and none of those privacy implications.
From the site:
"Privacy First: Guaranteed.
We will never sell your data or use it to target ads. Period.
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say."
Re: (Score:1)
Imma gonna make me a whole bunch of sandboxed VM's and install this on each of them. It'll be just like collecting a Universal Basic Income.
Re: (Score:2, Funny)
1k android VMs 'poisoning the well'? Sounds like a 'win/win' to me.
Anybody know how they select accounts? I smell profit.
Digital prostitution... (Score:4, Interesting)
...where the johns are corporations and naïve/desperate teens (and others) are exploited as usual.
I’m especially astounded at the installation of a root certificate. This allows Facebook “researchers” to mount man-in-the-middle attacks on any of their “secure” transactions. It’s hard to believe that their suppliers/victims truly understood the implications when they signed up for it. I’m also wondering about the legality of such paid surveillance with minors (assuming they can legally consent to that).
Edit: Parental consent was sought (Score:3)
Ah, I had missed the paragraph that says that Facebook obtained parental consent for minors. (apologies)
However, I find Facebook’s assertion “There are no known risks associated with the project” rather... interesting.
Re: (Score:3)
Re: (Score:2)
Nothing beats a hit of krokodil directly into the genital region.
Now it goes without saying (Score:3)
I only learned this adage just recently (don't know where it came from) but I haven't ever seen a more clear example:
If the product is free then you are the product.
In this case since the cost is negative, so it seems the saying has to be extended somehow.
Yea, self regulation works better than gov't regs (Score:4, Insightful)
How's that working for ya?
Re: (Score:2)
Re: (Score:1)
It's not a one or the other situation. If anything, Facebook collecting this information makes it easier for the government to have access to this data. Here's the breakdown:
It's illegal for the government to obtain your information directly through surveillance.
It's completely legal for Facebook to obtain your information directly through surveillance.
It's completely legal for the government to purchase your information from Facebook or any of their their affiliates, since they are technically not the on
Captain Obvious Says (Score:5, Insightful)
While I'm obviously preaching to the choir here, why do you think everyone and their brother wants you to use their " app " instead of a simple webpage ?
They like to pretend it's for your " convenience ". Remember this story the next time you decide to download that " free " app.
For those who have yet to understand this: Nothing is free. Everything comes with a price.
Sometimes, it just isn't quite so obvious what that price is.
Re: (Score:2)
Too bad Apple Won't Do Anything (Score:5, Informative)
They've deliberately abused the application testing program in order to harvest user data that they couldn't get by getting that application deployed through the App Store. If almost any other company did that I bet Apple would kick them off the App Store and make an announcement about how they are protecting your privacy. But since it's Facebook and they provide so much money to Apple I figure that the project will be closed but Facebook will just start a new one.
Re: (Score:2)
"They've deliberately abused the application testing program in order to harvest user data that they couldn't get by getting that application deployed through the App Store."
The reason they are distributing that way is because... Apple threw the original app out of the App Store.
20$ does sound good (Score:3, Interesting)
How much more of this shit? (Score:2)
As probably do most other VPNs.... (Score:3)
I've always wondered about the wisdom of people paying for access to VPNs to hide their nefarious activities (mostly downloading GOT). Have these people not heard of man in the middle attacks? By using any VPN aren't you introducing a man in the middle? If you were running a VPN would you not be logging all the activity and thinking of ways of monetising it or gaining other insights?
Re: (Score:2, Informative)
By using any VPN aren't you introducing a man in the middle?
Trusted root signing certificates can protect against just that sort of hijacking, even by the operator of a VPN. Of course, that only works when the VPN operator hasn't added itself to the trusted root certificate store on your device, as Facebook has done here. It's the difference between your device trusting the slashdot.org certificate issued by "Let's Encrypt" vs the one issued on the fly and signed by "Facebook Trusted Root", which is obviously forged but trusted by your device because your device tru
Re: (Score:2)
Facebook got around this protection by asking you to give it root access to your device so that it could install its signing certificate in the trusted root certificates on your device, right along side VeriSign, DigiCert and the other majors.
Note that Facebook can't ask for "root access" on Android or iOS, at least not as "root" is commonly interpreted in Unix-like OSes (which both Android and iOS are). It can ask you to install a new trusted root certificate.
The term "root" is overloaded here, but "root access" sounds like something different from what this is.
Use a burner phone kids (Score:2)
Skeptical (Score:3)
if Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps
I am not sure this true, but It would not surprise me if some of the changes Google and Apple have made in recent years are a response to stuff like this. You essentially can't modify the Trust store on Android anymore unless you root the device. You can not for example install a private CA certificate on an android phone. Rig up the DNS server on your network with an A rec www.facebook.com 192.168.1.10 and put a server there with a www.facebook.com cert you have issues and go view in in chrome on that android phone without getting a cert warning... (you can do this on a rooted device though)
Similarly on an Apple device if the apps are using ATS, and certs are already pinned etc you will also have problems even if you install an in house CA.
Trust me I know this because i have to test a lot of mobile apps and this all makes it excruciatingly painful. Usually requiring either rooted devices or patching the applications just to get a look at the web services conversation they are using.
Where do I sign up? (Score:2)