
Facebook Pays Teens To Install VPN That Spies On Them (techcrunch.com)

A new report from TechCrunch details how "desperate" Facebook is for data on its competitors. The social media company "has been secretly paying people to install a 'Facebook Research' VPN that lets the company suck in all of a user's phone and web activity," a TechCrunch investigation confirms. "Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity." From the report: Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android "Facebook Research" app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook's involvement, and is referred to in some documentation as "Project Atlas" -- a fitting name for Facebook's effort to map new trends and rivals around the globe.

We asked Guardian Mobile Firewall's security expert Will Strafach to dig into the Facebook Research app, and he told us that "If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps -- including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed." It's unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user's device once they install the app.

  • by smartr ( 1035324 ) on Tuesday January 29, 2019 @08:00PM (#58043058)
    If you encourage someone to commit a crime and help them along the way, you are an accessory to that crime. How is paying teenagers to silently send over private communications without broadcasting that fact not a violation of existing privacy laws?
    • What crime? They are asking users to take money to share that information for money. There is no deception, these idiots are agreeing to it. How is it a breach of privacy laws if these drones have agreed to this data collection, and are taking payment for it?

      • by smartr ( 1035324 )
        Did the third party that's communicating with the idiots agree to have their communication snooped by Facebook?
      • by grumpy-cowboy ( 4342983 ) on Tuesday January 29, 2019 @08:25PM (#58043166)
        Asking minors to do something like this without parental consent is a crime (at least in Canada).
        • by smartr ( 1035324 )
          Is it legal to record private conversations without telling the party you are communicating with, or to record private conversations without being a party of the conversation?
          • In Canada : The Criminal Code, R.S.C. 1985, c. C-46 [Criminal Code] imposes a
            general prohibition on interception (recording) of private communications, but
            then provides an exception where one of the parties to the private communication
            consents to the interception of that communication. Thus, broadly speaking,
            Canadians can legally record their own conversations with other people, but not
            other peoples' conversations that they are not involved in.

            ref: https://legaltree.ca/node/908
            • I'm not sure you can SHARE this record with a party not involved in the
              conversation. So in this case, what Facebook is doing is probably illegal here.
          • Is it legal to record private conversations without telling the party you are communicating with, or to record private conversations without being a party of the conversation?

            It is in Texas, as we are a one-party consent state. As long as one party knows they are recording, it's legal, and that one party normally can be/is the person doing the recording.

            Texas Wiretapping Law. Texas's wiretapping law is a "one-party consent" law. Texas makes it a crime to intercept or record any "wire, oral, or electronic communication" unless one party to the conversation consents. Texas Penal Code 16.02.

            • by smartr ( 1035324 )
              There are many two-party consent states. Also, how far does consent of a teenager go, even if a parent signs off on it? Teenagers are generally not of the age of "consent", and the "consenting" adults aren't members of the conversations that are being recorded.
            • Even in Texas, Facebook isn’t considered a party to the conversation. It’d be illegal wiretapping.

      • by umghhh ( 965931 )
        Is the VPN not sold with an argument about protecting privacy? If so then any abuse of it would be invalidating the commercial claim which in some jurisdictions is a crime which is prosecuted if people complain.
    • they would and people would insert it gladly. Fortunately they haven't... yet.

    • Using Google as your DNS also provides all your surfing habits and a lot of other stuff to Google. They could, if they wanted to, reroute all your content through Google with the power of DNS; they just haven't, as far as I know.

      • by Anonymous Coward

        Ayup. Fortunately, Cloudflare's 1.1.1.1 seems to have all the advantages, and none of those privacy implications.

        From the site:
        "Privacy First: Guaranteed.
        We will never sell your data or use it to target ads. Period.
        We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say."

  • by Picodon ( 4937267 ) on Tuesday January 29, 2019 @08:12PM (#58043106)

    ...where the johns are corporations and naïve/desperate teens (and others) are exploited as usual.

    I’m especially astounded at the installation of a root certificate. This allows Facebook “researchers” to mount man-in-the-middle attacks on any of their “secure” transactions. It’s hard to believe that their suppliers/victims truly understood the implications when they signed up for it. I’m also wondering about the legality of such paid surveillance with minors (assuming they can legally consent to that).

    • Ah, I had missed the paragraph that says that Facebook obtained parental consent for minors. (apologies)
      However, I find Facebook’s assertion “There are no known risks associated with the project” rather... interesting.

      • Sure. That guy that drove up to my house in a sports car the other day, and offered me prime investment opportunities in luxury homes in the UAE, hardwood plantations in the Amazon, and even a mutual fund with a guaranteed monthly 10% return, also told me “there are no known risks associated with these projects”. My dealer also tells me heroin and krokodil are perfectly safe.
  • by AlanObject ( 3603453 ) on Tuesday January 29, 2019 @08:23PM (#58043154)

    I only learned this adage just recently (don't know where it came from) but I haven't ever seen a more clear example:

    If the product is free then you are the product.

    In this case, since the cost is negative, it seems the saying has to be extended somehow.

  • by stevez67 ( 2374822 ) on Tuesday January 29, 2019 @08:27PM (#58043180)

    How's that working for ya?

    • In America, the home of corporatism, where big companies pay for laws to be passed? Did you forget where you live?
  • by nehumanuscrede ( 624750 ) on Tuesday January 29, 2019 @08:37PM (#58043230)

    While I'm obviously preaching to the choir here, why do you think everyone and their brother wants you to use their "app" instead of a simple webpage?
    They like to pretend it's for your "convenience". Remember this story the next time you decide to download that "free" app.

    For those who have yet to understand this: Nothing is free. Everything comes with a price.

    Sometimes, it just isn't quite so obvious what that price is.

  • by CanadianMacFan ( 1900244 ) on Tuesday January 29, 2019 @09:08PM (#58043360)

    They've deliberately abused the application testing program in order to harvest user data that they couldn't get by getting that application deployed through the App Store. If almost any other company did that I bet Apple would kick them off the App Store and make an announcement about how they are protecting your privacy. But since it's Facebook and they provide so much money to Apple I figure that the project will be closed but Facebook will just start a new one.

    • "They've deliberately abused the application testing program in order to harvest user data that they couldn't get by getting that application deployed through the App Store."
      The reason they are distributing that way is because... Apple threw the original app out of the App Store.

  • 20$ does sound good (Score:3, Interesting)

    by OppMan29 ( 1270518 ) on Tuesday January 29, 2019 @10:07PM (#58043600)
    Install it on a phone I never use and has no other apps... Profit from Facebook
  • Seriously, how much more of this shit are people going to put up with before they demand that Facebook be burned to the ground?
  • by Darkling-MHCN ( 222524 ) on Wednesday January 30, 2019 @12:51AM (#58044046)

    I've always wondered about the wisdom of people paying for access to VPNs to hide their nefarious activities (mostly downloading GOT). Have these people not heard of man in the middle attacks? By using any VPN aren't you introducing a man in the middle? If you were running a VPN would you not be logging all the activity and thinking of ways of monetising it or gaining other insights?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      By using any VPN aren't you introducing a man in the middle?

      Trusted root signing certificates can protect against just that sort of hijacking, even by the operator of a VPN. Of course, that only works when the VPN operator hasn't added itself to the trusted root certificate store on your device, as Facebook has done here. It's the difference between your device trusting the slashdot.org certificate issued by "Let's Encrypt" vs the one issued on the fly and signed by "Facebook Trusted Root", which is obviously forged but trusted by your device because your device tru

      • Facebook got around this protection by asking you to give it root access to your device so that it could install its signing certificate in the trusted root certificates on your device, right alongside VeriSign, DigiCert and the other majors.

        Note that Facebook can't ask for "root access" on Android or iOS, at least not as "root" is commonly interpreted in Unix-like OSes (which both Android and iOS are). It can ask you to install a new trusted root certificate.

        The term "root" is overloaded here, but "root access" sounds like something different from what this is.

  • Have one phone with your day to day activity. Another burner with your bullshit facebook spyware. Use the burner to browse a few sites and simulate some activity so you get your $20 but otherwise don't do anything that compromises your privacy.
  • by DarkOx ( 621550 ) on Wednesday January 30, 2019 @08:17AM (#58044968) Journal

    if Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps

    I am not sure this is true, but it would not surprise me if some of the changes Google and Apple have made in recent years are a response to stuff like this. You essentially can't modify the trust store on Android anymore unless you root the device. You can not, for example, install a private CA certificate on an Android phone. Rig up the DNS server on your network with an A rec www.facebook.com 192.168.1.10 and put a server there with a www.facebook.com cert you have issued and go view it in Chrome on that Android phone without getting a cert warning... (you can do this on a rooted device though)

    Similarly on an Apple device if the apps are using ATS, and certs are already pinned etc you will also have problems even if you install an in house CA.

    Trust me, I know this because I have to test a lot of mobile apps and this all makes it excruciatingly painful. Usually requiring either rooted devices or patching the applications just to get a look at the web services conversation they are using.

  • I've got an old phone in a drawer doing nothing, when it could be earning me $20/mo!
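
The comments above on trusted root certificates and on certificate pinning describe two different checks; the following is an added example, not part of any poster's comment, that models both in simplified Python. Signature verification is omitted, and every name, hostname and key in it is a constructed assumption.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:  # simplified model: no signatures, validity dates or extensions
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER-encoded public key

    def fingerprint(self) -> str:
        return hashlib.sha256(repr((self.subject, self.issuer, self.spki)).encode()).hexdigest()

    def spki_pin(self) -> str:
        return hashlib.sha256(self.spki).hexdigest()

def chain_trusted(chain, trust_store):
    # Leaf-first chain: each cert must name the next one as its issuer, and the
    # last must be a self-issued root whose fingerprint is in the trust store.
    if not chain or any(c.issuer != p.subject for c, p in zip(chain, chain[1:])):
        return False
    root = chain[-1]
    return root.issuer == root.subject and root.fingerprint() in trust_store

def connection_ok(chain, hostname, trust_store, pins=None):
    """Trust-store validation, plus an optional pin on the leaf public key."""
    if not chain_trusted(chain, trust_store) or chain[0].subject != hostname:
        return False
    return pins is None or chain[0].spki_pin() in pins

# Constructed sample data: every name, host and key below is made up.
HOST = "chat.example.test"
PUBLIC_ROOT = Cert("Example Public CA", "Example Public CA", b"public-root-key")
GENUINE = [Cert(HOST, "Example Public CA", b"real-server-key"), PUBLIC_ROOT]
ADDED_ROOT = Cert("User-Installed Root", "User-Installed Root", b"added-root-key")
REISSUED = [Cert(HOST, "User-Installed Root", b"proxy-key"), ADDED_ROOT]
FACTORY_STORE = {PUBLIC_ROOT.fingerprint()}
MODIFIED_STORE = FACTORY_STORE | {ADDED_ROOT.fingerprint()}
APP_PINS = {GENUINE[0].spki_pin()}

def outcomes():
    return {
        "genuine/factory": connection_ok(GENUINE, HOST, FACTORY_STORE),
        "reissued/factory": connection_ok(REISSUED, HOST, FACTORY_STORE),
        "reissued/modified": connection_ok(REISSUED, HOST, MODIFIED_STORE),
        "reissued/modified/pinned": connection_ok(REISSUED, HOST, MODIFIED_STORE, APP_PINS),
        "genuine/modified/pinned": connection_ok(GENUINE, HOST, MODIFIED_STORE, APP_PINS),
    }

if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case:26} accepted={accepted}")
```

A chain re-issued under the added root passes plain trust-store validation once that root is in the store, while an app that pins the server's key still rejects it.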
