After Onavo, Facebook Found Paying Users To Spy On Them Using 'Facebook Research'

On a web full of free services, user data is a commodity. Tech companies that thrive on user data hunger for even more of it, and that includes Facebook.

The social giant was reported to be secretly paying people to install a 'Facebook Research' VPN that allows the company to gather practically anything from users' phone and web activity.

This project is somewhat similar to Facebook Onavo.

According to TechCrunch, Facebook Onavo was banned from Apple's App Store back in June, before being removed in August. Facebook bypassed this ban by rewarding people with up to $20 a month (via e-gift cards), excluding referral fees, to sell their private data by sideloading and installing the Facebook Research app on their iOS and Android phones.

The app in question gives Facebook root access to the network traffic of users' phones, allowing it to gather data on usage habits.

The program is administered through the beta testing services Applause, BetaBound and uTest to mask Facebook’s involvement. It has also been referred to as 'Project Atlas', further disguising its malicious purposes.

Facebook Research app
Facebook’s Research app requires root certificate access, allowing it to gather almost any data transmitted by the user's phone.

As the largest social giant on the web, Facebook thrives on user data.

Having billions of users 'trusting' it with their data doesn't stop Facebook from becoming even hungrier. As competition tightens in the social media industry, the social giant is relentless in finding ways to keep its reign.

Facebook is particularly interested in teen users.

As users in that demographic have increasingly abandoned Facebook in favor of Snapchat, YouTube and Instagram, Facebook wants to know more about users who are beyond its reach. The insights also give Facebook data about usage of the competing Chinese video music app TikTok.

The Facebook Research app, according to security expert Will Strafach from Guardian Mobile Firewall, "makes full use of the level of access they are given by asking users to install the Certificate."

With this access, Facebook has the ability to "continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed."

"The fairly technical sounding ‘install our Root Certificate’ step is appalling," said Strafach.

"This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this."

While it's unclear how much data Facebook can extract from the app, it's certain that the company can get nearly limitless access to a user’s device once they install the app.

"It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture," Strafach explains.

The strategy shows how much Facebook is willing to pay to protect its dominance, even at the risk of breaking the rules of Apple’s iOS platform, on which it depends.

Onavo was the first time the company got involved in the data-sniffing business. Facebook acquired the VPN for around $120 million; the app helped users track and minimize their mobile data plan usage. But since users' connections pass through Onavo's servers, this gave Facebook the necessary information regarding what apps users have installed.

It also gave Facebook deep analytics that uncovered, for example, that WhatsApp was sending more than twice as many messages per day as Facebook Messenger.

And according to internal documents acquired by Charlie Warzel and Ryan Mac from BuzzFeed News, the data Facebook learned from Onavo allowed it to boost WhatsApp's popularity even more.

While Onavo has been banned from Apple's App Store, the app remains on Google Play Store.

In response, a Facebook spokesperson confirmed that the company is running the program to learn how people use their phones and other services.

"Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time," the spokesperson said.

While Facebook claimed that Onavo and Facebook Research are separate programs, the company admitted that the two apps are managed by the same team, which explains why their code was similar.

"It's literally all just Onavo code with a different UI," said Strafach in a tweet.

A day later, Google was also found violating Apple's policy with its Screenwise Meter app.

Published: 30/01/2019