Facebook admits 18% of Research spyware users were teens, not
Facebook has changed its story after initially trying to downplay how it targeted teens with its Research program that a TechCrunch investigation revealed was paying them gift cards to monitor all their mobile app usage and browser traffic. “Less than 5 percent of the people who chose to participate in this market research program were teens” a Facebook spokesperson told TechCrunch and many other news outlets in a damage control effort 7 hours after we published our report on January 29th. At the time, Facebook claimed that it had removed its Research app from iOS. The next morning we learned that wasn’t true, as Apple had already forcibly blocked the Facebook Research app for violating its Enterprise Certificate program that supposed to reserved for companies distributing internal apps to employees.
It turns out that wasn’t the only time Facebook deceived the public in its response regarding the Research VPN scandal. TechCrunch has obtained Facebook’s unpublished February 21st response to questions about the Research program in a letter from Senator Mark Warner, who wrote to CEO Mark Zuckerberg that “Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me.”
In the response from Facebook’s VP of US public policy Kevin Martin, the company admits that (emphasis ours) “At the time we ended the Facebook Research App on Apple’s iOS platform, less than 5 percent of the people sharing data with us through this program were teens. Analysis shows that number is about 18 percent when you look at the complete lifetime of the program, and also add people who had become inactive and uninstalled the app.” So 18 percent of research testers were teens. It was only less than 5 percent when Facebook got caught. Given users age 13 to 35 were eligible for Facebook’s Research program, 13 to 18 year olds made of 22 percent of the age range. That means Facebook clearly wasn’t trying to minimize teen involvement, nor were they just a tiny fraction of users.
WASHINGTON, DC – APRIL 10: Facebook co-founder, Chairman and CEO Mark Zuckerberg testifies before a combined Senate Judiciary and Commerce committee hearing in the Hart Senate Office Building on Capitol Hill April 10, 2018 in Washington, DC. (Photo by Chip Somodevilla/Getty Images)
Warner asked Facebook “Do you think any use reasonable understood Facebook was using this data for commercial purposes includingto track competitors?” Facebook response indicates it never told Research users anything about tracking “competitors”, and instead dances around the question. Facebook says the registration process told users the data would help the company “understand how people use mobile apps,” “improve . . . services,” and “introduce new features for millions of people around the world.”
Facebook had also told reporters on January 29th regarding teens’ participation, “All of them with signed parental consent forms.” Yet in its response to Senator Warner, Facebook admitted that “Potential participants were required to confirm that they were over 18 or provide other evidence of parental consent, though the vendors did not require a signed parental consent form for teen users.” In some cases, underage users merely had to check a box to claim they had parental consent, and there was no verification of users’ ages or that their parents actually approved.
Facebook pays teens to install VPN that spies on them
So to quickly recap:
TechCrunch reports on January 29th that Facebook is paying teens and adults up to $20 in gift cards per month to install a Research VPN with Root network access to spy on all their mobile app activity, web browsing, and even encrypted communications.
TechCrunch informs Facebook and Apple that Facebook’s Research app violates Apple’s Enterprise Certificate rules.
That night, Facebook claims it shut down the Research app on iOS but didn’t violate Apple’s policy, and tells reporters only 5 percent of Research users were teens and they all had signed parental consent forms.
The next morning, Apple tells TechCrunch that it forcibly shut down Facebook Research on iOS for violating the Enterprise Certificate rules, and invalidates Facebook’s Certificate thereby breaking its internal iOS apps for 30 hours, including its Workplace chat and task management apps as well as its shuttle schedule and lunch menu
TechCrunch reports Google’s Screenwise Meter market research app was also breaking Apple’s Enterprise Certificate rules, but it quickly apologies and shuts down the app on iOS though it still has its internal iOS apps invalidated for 6 hours.
Senator Warner issues a letter demanding answers about Facebook Research from Mark Zuckerberg, while Senators Blumenthal and Markey also issue sternly worded reprimands of Facebook.
Facebook’s VP of production engineering and security Pedro Canahuati publishes an internal memo disputing our reporting by saying the program was never secret, but its points are swiftly dismantled by TechCrunch after we reveal that legal action was threatened if a Research user spoke publicly about the app.
TechCrunch reports that Apple failed to block dozens of hardcore pornography and real-money gambling apps abusing Enterprise Certificate program to sidestep the App Store’s rules, and Apple shuts them down.
Facebook tells TechCrunch on February 21st that it’s ceased recruiting users for its Research program on Android where it was still running, and that it will shut down its similar Onavo market research spyware VPN on Android after Apple banned it last year.
That same day, Facebook issues this response to Senator Warner that shows its initial response to reporters wasn’t accurate.
Facebook targeted teens with ads on Instagram and Snapchat to join the Research program without revealing its involvement
The contradictions between Facebook’s initial response to reporters and what it told Warner, who has the power to pursue regulation of the the tech giant, shows Facebook willingness to move fast and play loose with the truth when it’s less accountable. It’s no wonder the company never shared the response with TechCrunch or posted a blog post or press release about it.
Facebook’s attempt to minimize the issue in the wake of backlash exemplifies the trend of of the social network’s “reactionary” PR strategy that employees described to BuzzFeed’s Ryan Mac. The company often views its scandals as communications errors rather than actual product screwups or as signals of deep-seeded problems with Facebook’s respect for privacy. Facebook needs to learn to take its lumps, change course, and do better rather than constantly trying to challenge details of negative press about it, especially before it has all the necessary information. Until then, the never-ending news cycle of Facebook’s self-made disasters will continue.
Below is Facebook’s full response to Senator Warner’s inquiry, and following that is Warner’s original letter to Mark Zuckerberg.
View this document on Scribd
Additional reporting by Krystal Hu