Facebook pays teens to install VPN that spies on them – TechCrunch


Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.

Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop.

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

Facebook’s Research app requires users to ‘Trust’ it with extensive access to their data

We asked Guardian Mobile Firewall’s security expert Will Strafach to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.

The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke its permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point. TechCrunch has spoken to Apple and it’s aware of the issue, but the company did not provide a statement before press time.

Facebook’s Research program is referred to as Project Atlas on sign-up sites that don’t mention Facebook’s involvement

“The fairly technical sounding ‘install our Root Certificate’ step is appalling,” Strafach tells us. “This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”

Facebook’s surveillance app

Facebook first got into the data-sniffing business when it acquired Onavo for around $120 million in 2014. The VPN app helped users track and minimize their mobile data plan usage, but also gave Facebook deep analytics about what other apps they were using. Internal documents acquired by Charlie Warzel and Ryan Mac of BuzzFeed News reveal that Facebook was able to leverage Onavo to learn that WhatsApp was sending more than twice as many messages per day as Facebook Messenger. Onavo allowed Facebook to spot WhatsApp’s meteoric rise and justify paying $19 billion to buy the chat startup in 2014. WhatsApp has since tripled its user base, demonstrating the power of Onavo’s foresight.

Over the years since, Onavo clued Facebook in to what apps to copy, features to build and flops to avoid. By 2018, Facebook was promoting the Onavo app in a Protect bookmark of the main Facebook app in hopes of scoring more users to snoop on. Facebook also launched the Onavo Bolt app that let you lock apps behind a passcode or fingerprint while it surveils you, but Facebook shut down the app the day it was discovered following privacy criticism. Onavo’s main app remains available on Google Play and has been installed more than 10 million times.

The backlash heated up after security expert Strafach detailed in March how Onavo Protect was reporting to Facebook when a user’s screen was on or off, and its Wi-Fi and cellular data usage in bytes even when the VPN was turned off. In June, Apple updated its developer policies to ban collecting data about usage of other apps or data that’s not necessary for an app to function. Apple proceeded to inform Facebook in August that Onavo Protect violated those data collection policies and that the social network needed to remove it from the App Store, which it did, Deepa Seetharaman of the WSJ reported.

But that didn’t stop Facebook’s data collection.

Project Atlas

TechCrunch recently received a tip that despite Onavo Protect being banished by Apple, Facebook was paying users to sideload a similar VPN app under the Facebook Research moniker from outside of the App Store. We investigated, and learned Facebook was working with three app beta testing services to distribute the Facebook Research app: BetaBound, uTest and Applause. Facebook began distributing the Research VPN app in 2016. It has been referred to as Project Atlas since at least mid-2018, around when backlash to Onavo Protect magnified and Apple instituted its new rules that prohibited Onavo. [Update: Previously, a similar program was called Project Kodiak.] Facebook didn’t want to stop collecting data on people’s phone usage and so the Research program continued, in disregard for Apple banning Onavo Protect.

Facebook’s Research App on iOS

Ads (shown below) for the program run by uTest on Instagram and Snapchat sought teens 13-17 years old for a “paid social media research study.” The sign-up page for the Facebook Research program administered by Applause doesn’t mention Facebook, but seeks users “Age: 13-35 (parental consent required for ages 13-17).” If minors try to sign up, they’re asked to get their parents’ permission with a form that reveals Facebook’s involvement and says “There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of apps. You will be compensated by Applause for your child’s participation.” For kids short on cash, the payments could coerce them to sell their privacy to Facebook.

The Applause site explains what data could be collected by the Facebook Research app (emphasis mine):

“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.”

Meanwhile, the BetaBound sign-up page with a URL ending in “Atlas” explains that “For $20 per month (via e-gift cards), you will install an app on your phone and let it run in the background.” It also offers $20 per friend you refer. That site also doesn’t initially mention Facebook, but the instruction manual for installing Facebook Research reveals the company’s involvement.

Facebook’s intermediary uTest ran ads on Snapchat and Instagram, luring teens to the Research program with the promise of money


Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and “Trust” Facebook with root access to the data their phone transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.

Security expert Will Strafach found Facebook’s Research app contains lots of code from Onavo Protect, the Facebook-owned app Apple banned last year

Once installed, users just had to keep the VPN running and sending data to Facebook to get paid. The Applause-administered program requested that users screenshot their Amazon orders page. This data could potentially help Facebook tie browsing habits and usage of other apps with purchase preferences and behavior. That information could be harnessed to pinpoint ad targeting and understand which types of users buy what.

TechCrunch commissioned Strafach to analyze the Facebook Research app and find out where it was sending data. He confirmed that data is routed to “vpn-sjc1.v.facebook-program.com” that is associated with Onavo’s IP address, and that the facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store, and is linked to the email address PeopleJourney@fb.com. He also discovered that the Enterprise Certificate indicates Facebook renewed it on June 27th, 2018 — weeks after Apple announced its new rules that prohibited the similar Onavo Protect app.

“It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture,” Strafach explains. “They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook’s word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves . . . which is a startling level of carelessness in itself if that is the case.”

“Flagrant defiance of Apple’s rules”

In response to TechCrunch’s inquiry, a Facebook spokesperson confirmed it’s running the program to learn how people use their phones and other services. The spokesperson told us “Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.”

Facebook’s Research app requires Root Certificate access, which lets Facebook gather almost any piece of data transmitted by your phone

Facebook’s spokesperson claimed that the Facebook Research app was in line with Apple’s Enterprise Certificate program, but didn’t explain how in the face of evidence to the contrary. They said Facebook first launched its Research app program in 2016. They tried to liken the program to a focus group and said Nielsen and comScore run similar programs, yet neither of those asks people to install a VPN or provide root access to the network. The spokesperson confirmed the Facebook Research program does recruit teens but also other age groups from around the world. They claimed that Onavo and Facebook Research are separate programs, but admitted the same team supports both as an explanation for why their code was so similar.

Facebook’s Research program requested users screenshot their Amazon order history to provide it with purchase data

However, Facebook’s claim that it doesn’t violate Apple’s Enterprise Certificate policy is directly contradicted by the terms of that policy. Those include that developers “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing”. The policy also states that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers” unless under direct supervision of employees or on company premises. Given Facebook’s customers are using the Enterprise Certificate-powered app without supervision, it appears Facebook is in violation.

Facebook disobeying Apple so directly could hurt their relationship. “The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want,” Strafach tells us. ONV prefixes and mentions of graph.onavo.com, “onavoApp://” and “onavoProtect://” custom URL schemes litter the app. “This is an egregious violation on many fronts, and I hope that Apple will act expeditiously in revoking the signing certificate to render the app inoperable.”

Facebook is particularly interested in what teens do on their phones as the demographic has increasingly abandoned the social network in favor of Snapchat, YouTube and Facebook’s acquisition Instagram. Insights into how popular Chinese video music app TikTok and meme sharing are with teens led Facebook to launch a clone called Lasso and begin developing a meme-browsing feature called LOL, TechCrunch first reported. But Facebook’s desire for data about teens riles critics at a time when the company has been battered in the press. Analysts on tomorrow’s Facebook earnings call should inquire about what other ways the company has to collect competitive intelligence.

Last year when Tim Cook was asked what he’d do in Mark Zuckerberg’s position in the wake of the Cambridge Analytica scandal, he said “I wouldn’t be in this situation . . . The truth is we could make a ton of money if we monetized our customer, if our customer was our product. We’ve elected not to do that.” Zuckerberg told Ezra Klein that he felt Cook’s comment was “extremely glib.”

Now it’s clear that even after Apple’s warnings and the removal of Onavo Protect, Facebook is still aggressively collecting data on its competitors via Apple’s iOS platform. “I have never seen such open and flagrant defiance of Apple’s rules by an App Store developer,” Strafach concluded. If Apple shuts the Research program down, Facebook will either have to invent new ways to surveil our behavior amidst a climate of privacy scrutiny, or be left in the dark.

Additional reporting by Zack Whittaker.


Google consolidates its Chrome and Android password managers – TechCrunch


Google today announced an update to its password manager that will finally introduce a consistent look-and-feel across the service’s Chrome and Android implementations. Users will soon see a new unified user experience that will automatically group multiple passwords for the same sites or apps together, as well as a new shortcut on the Android home screen to get access to these passwords.

In addition to this, Google is also now adding a new password-related feature to Chrome on iOS, which can now generate strong passwords for you (once you set Chrome as an autofill provider).


Meanwhile, on Android, Google’s password check can now also flag weak and re-used passwords and help you to automatically change them, while Chrome users across platforms will now see compromised password warnings.

With this release today, Google will now also finally let you manually add passwords to its password manager (“due to popular demand,” Google says) and the company is bringing Touch-to-Login to Chrome on Android to log you in to supported sites with a single tap.


TaskHuman lands $20M to expand its virtual coaching platform – TechCrunch


TaskHuman, a professional development platform focused on coaching, today announced that it raised $20 million in Series B funding led by Madrona with participation from Impact Venture Capital, RingCentral Ventures, Sure Ventures, USVP, Gaingels, PeopleTech Angels, Propel(x) and Zoom Ventures. The latest infusion brings the company’s total raised to $35 million, which CEO Ravi Swaminathan said is being put toward product development, marketing and sales efforts.

Swaminathan and Daniel Mazzella co-founded TaskHuman in 2017, with the goal of connecting users with specialists on topics related to their personal and professional lives. Swaminathan was previously a program and logistics manager at Dell and VP of software solutions at SanDisk, while Mazzella was a system admin at Stamps.com. The two met at Wizr, a startup developing AI systems to analyze security camera footage.

“When it comes to learning and personal development, no amount of generic articles or watching pre-recorded videos [can replace] a real person with experience in a given area. Creating TaskHuman was our response to solve this challenge,” Swaminathan told TechCrunch in an email Q&A. “We started by offering foundational needs, including health and wellness, physical fitness, mental, spiritual, emotional wellbeing, and more. Since then, we’ve continued to expand and support the entire needs of an individual for personal and professional growth, like financial wellbeing, sales and leadership coaching, pet training, travel planning, and more.”

TaskHuman users connect with experts over live video chats. The company claims to have a network of over 1,000 “coaches” across nearly 50 countries, each specializing in distinctive areas. An AI-powered search feature lets users search for topics and coaches in natural language (e.g., “I want to lose weight”), while a recommendation engine attempts to personalize the browsing experience by suggesting, for example, similar coaches based on past sessions.

“TaskHuman has a direct relationship with each coach, and we pay them according to the terms of our relationship for their coaching contributions. They are all contractors globally,” Swaminathan said, when asked about the coaching payment structure.

Users can buy access to the TaskHuman network with “TaskHuman minutes,” which can be applied to a chat session with any specialist or topic, Swaminathan says. Alternatively, companies can subscribe to TaskHuman to offer unlimited access to their employees as well as in-app content and group sessions.


Swaminathan makes the case that the enterprise in particular stands to benefit from TaskHuman’s platform. It’s true that corporate training programs tend to be a mixed bag, with only 25% of respondents to a McKinsey survey saying that their company’s training improved their job performance. According to another survey, 75% of managers were dissatisfied with their company’s learning and development function in 2019.

“At the board and C-suite level, many companies view insufficient attention to employee well-being as a threat to productivity and, conversely, a strong commitment to each worker’s physical, mental, and spiritual prosperity as a competitive advantage for recruiting and retaining talent in a time of labor shortages and the ‘Great Resignation,’” Swaminathan said. “From case studies, we have found return on investment in four main areas: preventing burnout, reducing employee attrition, improving employee engagement and recruitment, and reducing medical cost claims.”

Competition in the crowded e-learning field spans BetterUp, CoachHub and Torch. Swaminathan argues that his company’s offering is broader in scope, however, and offers superior access to specialists because it doesn’t require scheduling sessions in advance.

“We have found that the pandemic really allowed people to go beyond their comfort zones and embrace video technologies like TaskHuman, Zoom, RingCentral, and others,” Swaminathan said. “We feel a need to accelerate our mission during these difficult times to help people in both their personal and professional lives, and we feel an urgency to combat the current mental health crisis and Great Resignation culture by fulfilling the dire craving for 1:1, personalized engagement for personal and professional growth.”

Certainly, TaskHuman has benefited from the pandemic, which spurred coaches of all types to move online. According to a 2021 survey by the International Coaching Federation, 83% of coaches increased their use of audio-video platforms for coaching during the health crisis while 82% saw a decrease for in-person sessions.

TaskHuman says that its customers include Zoom, Dr. Scholl’s, RingCentral and public and government institutions like Purdue University, Oakland Housing Authority and Job Corps centers run by the U.S. Department of Labor. While Swaminathan declined to disclose financials, he said that annual recurring revenue has grown by more than 5 times year over year.

“Our company is laser-focused on global expansion and scaling its network of coaches,” Swaminathan said. “We will be continually adding to the set of human experience and expertise that are available on the platform and expanding support for providers in even more languages and countries around the world.”


European Union keeps mobile roaming fees at bay for another decade – TechCrunch


Five years ago, the European Union passed rules which largely ended mobile roaming fees for citizens traveling with their devices across borders within the bloc. Today lawmakers are reupping the regulation that lets EU citizens “roam like at home” for a full decade, meaning European consumers can keep avoiding most extra fees when travelling within another of the 27 EU Member States (or the EEA) until at least 2032.

The updated regulation also brings some new additions — including a focus on quality of service, with a requirement that consumers have access to the same services abroad in the EU as at home when the same networks and technologies are available on the network in the visited Member State.

This means, for example, that a roaming customer who can use 5G services at home should also have 5G roaming services — where they are available — in the visited Member State.

The quality of service provision does not mean a guarantee of getting the same mobile network speed when roaming, since network speeds can vary, but the Commission says the new rules “aim to ensure that when similar quality or speeds are available in the visited network, the domestic operator should ensure the same quality of the roaming service”.

Operators are also required to inform their customers of the quality of services they can expect while roaming by stating this in the roaming contract and publishing information on their website.

The Commission argues that quality of service will be increasingly important as 5G rollouts expand and mobile network technology continues to evolve (its PR includes the phrase “future 6G” — alongside talk of the EU “investing in developing and using innovative digital solutions”).

“As concerns 5G services, it will become more and more important for consumers travelling abroad to know if they could be affected by limitations in available network quality when using certain applications and services,” it suggests. “The new roaming rules aim to enable innovation and business development, ensuring the widest use of innovative services and minimising the risk that citizens would not be able to use certain applications requiring the latest network technology, such as 5G, when crossing internal EU borders.”

The EU’s executive also frames the updated roaming regulation as a boon to digital innovation by reducing the risk of usage disruption since consumers can continuously use their apps and services as they travel across borders in the EU.

The Commission’s PR makes no mention of contrasting recent developments in the UK — which ceased to be an EU Member on January 31 2020, following the 2016 ‘Brexit’ referendum vote to leave the bloc — and where, since the EU roaming regulation ceased to apply, most of the big carriers have quietly announced they will be reintroducing roaming charges for their UK subscribers travelling in the EU.

But UK mobile users are unlikely to have missed the fact that Brexit has meant a return of roaming fees when they want to travel in Europe.

Some Brits may therefore detect a faint trace of trolling in this statement from Thierry Breton, the EU’s commissioner for the internal market, commenting on the extension of fee-free roaming inside the EU, who said: “Remember when we had to switch off mobile data when travelling in Europe — to avoid ending up with a massive roaming bill? Well this is history. And we intend to keep it this way for at least the next 10 years. Better speed, more transparency: We keep improving EU citizens’ lives.”

Transparency

Another focus for the EU’s updated regulation is around increasing transparency about the types of services that can still bring additional costs when roaming, such as calling customer service numbers, helpdesks or insurance companies — to help travellers in the bloc avoid related ‘bill shocks’.

The Commission says consumers who are roaming should receive an SMS about “potential increased charges” from using such services.

“The SMS should include a link to a dedicated webpage providing additional information on the types of services and, if available, about the relevant phone numbering ranges,” it notes, suggesting operators may also include information about the types of services that may be subject to higher charges in roaming in their contracts with the consumers.

The updated rules are also intended to improve information provision about and access to emergency communications across the EU — such as via the single European emergency number, 112.

“Dialing the emergency numbers and transmitting information on the location of the caller while roaming should be seamless and for free. Likewise, citizens who cannot place a call to 112 should be able to access emergency services free of charge through alternative means when roaming, for example through real time text or a smartphone application,” says the Commission.

“The new roaming rules also reinforce access to emergency services, through calls and alternative means of communications in case of cross border use. It will also ensure that the transmission of caller location will be seamless and free of charge while using roaming services.”

The EU is continuing to regulate wholesale caps — controlling the maximum prices a visited operator may charge for the use of its network by another operator in order to provide roaming services — with the Commission describing this as “an essential element for the sustainability of ‘roam like at home’ for operators”. Its review of the roaming market concluded that wholesale caps should be further reduced.

“The co-legislators agreed on a gradual reduction of the wholesale caps from 2022 onwards,” it notes. “These caps reflect decreasing operators’ wholesale costs of providing roaming services, provide sufficient investment incentives and maximise sustainability for EU operators.”

The Commission expects these wholesale cost reductions to lead to benefits for consumers — such as more generous data allowances while roaming and less likelihood of consumers having to pay surcharges for data usage that exceeds contract allowances.

Operators will still be able to apply a ‘fair use’ policy — meaning that if a person moves to live in another EU country it will be better for them to move to a local contract, as permanent roaming is no longer considered ‘fair use’.
