The "Facebook Research" VPN is an app that circumvents Apple's ban on certain kinds of surveillance by cloaking itself as a beta app and distributing through the Applause, Betabound and Utest services, rather than Apple's App Store: users get up to $20/month, plus referral fees, to run the app, which comes with a man-in-the-middle certificate that lets Facebook intercept "private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed."
It's not clear which of these data-types Facebook is harvesting from users of the app, which is codenamed "Project Atlas."
The program recruits users aged 13 to 35, and has been running since 2016. Facebook confirmed that it uses the app to "gather data on usage habits."
Facebook previously faced disgrace and crisis when it was revealed that Onavo, a so-called VPN app that was actually grabbing a huge tranche of data from users; Apple subsequently removed Onavo from its app store. Facebook does not distribute the "Research" app through Apple's own beta-test program, choosing instead to launder it through third parties. Facebook is pretty clearly violating Apple's policies in doing this.
Once installed, users just had to keep the VPN running and sending data to Facebook to get paid. The Applause-administered program requested that users screenshot their Amazon orders page. This data could potentially help Facebook tie browsing habits and usage of other apps with purchase preferences and behavior. That information could be harnessed to pinpoint ad targeting and understand which types of users buy what.
TechCrunch commissioned Strafach to analyze the Facebook Research app and find out where it was sending data. He confirmed that data is routed to "vpn-sjc1.v.facebook-program.com" that is associated with Onavo's IP address, and that the facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store, and is linked to the email address PeopleJourney@fb.com. He also discovered that the Enterprise Certificate indicates Facebook renewed it on June 27th, 2018 — weeks after Apple announced its new rules that prohibited the similar Onavo Protect app.
"It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture," Strafach explains. "They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook's word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves . . . which is a startling level of carelessness in itself if that is the case."
Facebook pays teens to install VPN that spies on them [Josh Constine/Techcrunch]