
Facebook has been paying people to install a “Research” VPN - randomacct3847
https://techcrunch.com/2019/01/29/facebook-project-atlas/
======
aresant
Some of the highlights from Will Strafach, who did the actual app research for
TechCrunch:

#1 "they didn't even bother to change the function names, the selector names,
or even the "ONV" class prefix. it's literally all just Onavo code with a
different UI."

#2 "the Root Certificate they have users install so that they can access any
TLS-encrypted traffic they'd like."

My editorializing - I have been suspicious of Facebook getting the "submarine"
treatment (1) but the insane scumminess of #1 above, which essentially is a big
fuck you to Apple, pretty well supports the recent view that FB will
essentially break any rule that serves to further their own ends.

via
[https://twitter.com/chronic/status/1090394419902197761](https://twitter.com/chronic/status/1090394419902197761)

(1)
[http://www.paulgraham.com/submarine.html](http://www.paulgraham.com/submarine.html)

~~~
varenc
Side note: This wouldn't get around cert-pinning? Even if a new trusted CA is
installed on the system, an app implementing cert pinning still wouldn't trust
this new CA. Seems that could be a wise move for Facebook's rivals that want
to limit snooping.

Edit: on 2nd thought even if Facebook can't decrypt a particular app's
traffic, just knowing how many requests it makes, how large they are, and how
often, could still provide some useful insights into an app's usage.

~~~
Gregordinary
If the app is hard coded it shouldn't trust another cert. Note though that
browsers, like Chrome, ignore cert pinning if the cert chains up to a locally
trusted CA. So the answer is more "It Depends".

> Chrome does not perform pin validation when the certificate chain chains up
> to a private trust anchor. A key result of this policy is that private trust
> anchors can be used to proxy (or MITM) connections, even to pinned sites.
> “Data loss prevention” appliances, firewalls, content filters, and malware
> can use this feature to defeat the protections of key pinning.

[http://www.chromium.org/Home/chromium-security/security-faq#...](http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-)

EDIT: Spaced on the fact this is a phone app. While Chrome on Windows ignores
certificate pins, I'm unsure if this also applies to Android / iOS root stores
as well.

~~~
dzhiurgis
So what DOES pinning protect against? Certs generated by state actors with
access to CA’s?

~~~
frankchn
That, and (more commonly) CAs mis-issuing certificates to malicious actors due
to bugs or weak internal controls.

------
iGoog
How is this not in violation of most wiretapping laws? Facebook is not the
common carrier in these cases. Both parties of conversations with teens are
not consenting to the wiretapping, which is not allowed in many US states. I’m
not sure teenage consent is considered “consent” and the parents aren’t a
party to the conversations Facebook is wiretapping. Facebook is both paying
people and recording the electronic communications... So how the hell is this
legal under current laws?

~~~
modzu
I'm sure a disclaimer is in the EULA (boo).. but if it were deemed illegal, I
suspect FB would just pay the fines, or more likely, be given time to come
into compliance with the law..

~~~
bencollier49
A 13-year-old can't make a contract in law, certainly not in the UK. Was the
app installed outside the US?

~~~
Twisell
A 19 year old can. If he accesses private discussion with his 13 year old
brother, indirectly the study will gather data of the kid. RGPD doesn't care if
you gathered data directly or indirectly, you are liable.

------
Wowfunhappy
The fact that this exists makes me uncomfortable, but I'm having trouble
pinpointing a reason why it's bad. People are opting into the data collection.
Perhaps they don't know the full extent of what Facebook is tracking, but
sideloading apps on iOS is not a one-tap process—anyone who used this had a
sense of what they were doing.

And, $20 per month is pretty substantial compensation.

The way that Facebook is bypassing Apple's rules feels shady, but I've always
felt those rules were user-hostile to begin with. I firmly believe that users
should have control over their own devices, and that means letting users give
information to companies if they so choose—especially if they're being
financially compensated.

~~~
jolmg
Recently, there was an HN thread of a Chinese man who sold his kidney for an
iPhone at 17 years of age and 8 years later was bedridden for life because his
remaining kidney failed.[1]

You could say the people who bought his kidney for an iPhone did nothing
wrong. The kid had control over his own body and they made a deal the kid
thought was good.

I think, though, that he wasn't properly educated about the risks that doing such
a trade would leave him with, and that the people who offered him the deal
very well knew them, but targeted him for being a naive child who wouldn't
take them seriously.

I think this is the same case. People just don't understand or don't take the
risks of this seriously enough, and companies like Facebook take advantage of
that.

[1]
[https://news.ycombinator.com/item?id=18925780](https://news.ycombinator.com/item?id=18925780)

~~~
Wowfunhappy
You're implying (perhaps unintentionally) that selling an organ is equivalent
to selling information on what websites you visit. There's a reason selling
organs is illegal, at least in the US.

I don't think personal information is so valuable that we need to outlaw its
sale.

~~~
barrkel
Organ selling isn't illegal because organs are valuable.

~~~
grp000
Impingement on quality of life by the seller of an organ can be, and is
translated to a value statement. However, the paradoxical nature of human
beings which relies largely on emotional responses dictates that while we can
have people starving in the streets, because it would make society squeamish,
they can't be allowed to sell their organs, for the sake of their own human
dignity and quality of life, never mind that society stripped them of both
anyway.

~~~
Normal_gaussian
This isn't paradoxical at all, when both options are horrific there is little
benefit to cover up one with the other and claim a solution.

Furthermore a short term windfall from selling organs will not provide the
skills or assets required to prevent long term starvation and homelessness; so
now the horror has been compounded: homeless, starving, and prone to
debilitating illness.

~~~
grp000
The paradoxical nature is that being homeless and starving is horrifying but
something humans have become accustomed to, and yet the idea of selling organs
is embedded culturally as being shocking, even if the end result of being
starving and homeless is relatively equivalent to being desperate enough to
sell organs, so it's not allowed.

Also, how you mention as fact that money from selling organs won't prevent
long term starvation and homelessness is surprising; you don't know that's the
case one way or another but you're trying to pass off an opinion as fact. I
can't argue either that it would help with a clear and definite metric, but
the correlation of living conditions and money is clear. How real-life
application of such legalization of organ selling, with quality of surgery and
post-surgery care, legal predatory practices, and other factors are dealt with
are potential problems, but those are issues that exist in all commercial
domains.

I also never argued organ selling as a solution to a problem; as others
mentioned, it is a potential band-aid to a problem that lies in wealth
inequalities, but which I find interesting as a societal flashpoint that shows
how knee-jerk emotional responses can cause logical paradoxes.

------
bschne
I recently came across a similar market research effort in Switzerland [1]
after I noticed the VPN symbol in the status bar on a relative's iPhone when
showing them something. I asked about why they (not very tech-savvy otherwise)
were using a VPN and was told they were participating in a market research
project in exchange for some shopping gift cards. As is the case with FB, the
research company installs a VPN and their own root certificate.

Of course the implications are outlined in the fine print / data protection
agreement when signing up, but I doubt most of the participants are aware of
just how far the data collection they enable with this goes...

[1] [https://swissmediapanel.ch/](https://swissmediapanel.ch/) (Link in
German)

~~~
runeks
Seems to me like the law needs to be clearer about how to inform users in
cases like these. Surely, it's deceptive to tell someone they're getting paid
for installing a "market research" app which actually records all online
activity. Charging companies, who knowingly deceive users like this, with
fraud sounds reasonable to me.

~~~
bschne
I agree that the law should probably be changed, but for slightly different
reasons.

They are clearly informed that the app will track information regarding their
online activities, device usage behavior and applications they use.

I think the main issue is that users without a tech background are just not
aware of the full implications of allowing a third party to collect this kind
of data, even decrypting their HTTPS traffic and tracking everything they do
online.

The statement by Strafach in the original article sums it up quite nicely:

“The fairly technical sounding ‘install our Root Certificate’ step is
appalling,” Strafach tells us. “This hands Facebook continuous access to the
most sensitive data about you, and most users are going to be unable to
reasonably consent to this regardless of any agreement they sign, because
there is no good way to articulate just how much power is handed to Facebook
when you do this.”

~~~
TheSpiceIsLife
You can’t be _clearly informed_ and _not aware_ at the same time.

Which makes this _fraud_ , right?

In the same way automotive manufacturers are held accountable even if there
was no intention to cause harm, the software industry needs to be held
accountable.

We need to have professional organisations, and government regulators, working
to ensure some kind of general industry best practice, where software
developers can initially start getting tapped on the shoulder, then given a
series of rapidly increasing penalties until the industry gets the point that
it can’t keep making out it’s the wild wild west.

And this is why I don’t believe software development is a proper serious
profession. The proper professions, here in Australia at least, are granted
the authority to witness statutory declarations. I can go to a qualified vet,
doctor, engineer, chiropractor(!), police officer, school teacher, postal
worker, the list goes on[1], because these _professions_ have a _chain of
trust_.

And yet we trust(?) software developers and their employees with our most
sensitive data!

1. [https://www.ag.gov.au/Publications/Statutory-declarations/Pa...](https://www.ag.gov.au/Publications/Statutory-declarations/Pages/List-of-authorised-witnesses.aspx)

------
rlue
In an odd twist, this is precisely what some tech critics have been pushing
for—for consumers to be monetarily compensated for the data they're giving up
to tech giants:

[https://news.ycombinator.com/item?id=17595564](https://news.ycombinator.com/item?id=17595564)

~~~
larkeith
One issue with this is brought up in the article:

> “The fairly technical sounding ‘install our Root Certificate’ step is
> appalling,” Strafach tells us. “This hands Facebook continuous access to the
> most sensitive data about you, and most users are going to be unable to
> reasonably consent to this regardless of any agreement they sign, because
> there is no good way to articulate just how much power is handed to Facebook
> when you do this.”

~~~
gruez
Right, but considering most web traffic is encrypted nowadays, it's pretty
much mandatory to do MITM to analyze traffic.

~~~
_jal
Perhaps that should be taken as a hint rather than a challenge.

------
734786710934
Being opt-in and getting compensated are the two things I've seen people want
from usage of their data. No one should have an issue with this since it does
both.

~~~
zecken
I harbor serious doubts that most of the 'volunteers' here know exactly what
it is they're providing -- the sign-up sheet probably didn't say "we will know
very specifically your porn-watching habits" e.g.

~~~
saagarjha
13 to 17 year olds aren't supposed to be able to access porn legally, so can
Facebook plausibly deny that this is something they are monitoring?

~~~
eipipuz
FB is not supposed to make deals with minors without adult supervision…

------
joshstrange
The group of people using this "App" can be broken up into 2 main
groups:

1. Those who understand what they are signing away and need $20/mo more than
they need privacy

2. Those who don't understand or don't understand fully what they are signing
away and see it as free money

Preying on either group is disgusting and wrong. I'm really interested to see
what Apple does here, they have taken a hard line on privacy and I don't doubt
they will kill this app but if FB wants to play whack-a-mole they WILL win (see
iOS sideloading scene), for me the big question is will Apple take down the FB
apps?

We've seen Netflix, Uber, FB, Amazon, and more skirt the rules of the App
Store in the past, they've barely gotten a slap on the wrist (in public at
least). At what point does Apple take a real stand and say no? Cause so far
$$$$$ has ALWAYS stopped them, I really do believe they care about privacy, I
don't know if the shareholders do.

Edit: Typo

~~~
KaoruAoiShiho
Wait a sec, 2 is wrong but 1 sounds positive to me. For some people this money
could be incredibly important.

~~~
joshstrange
Are we, as a society, ok with people being desperate enough to need $20 more
than privacy?

Or maybe privacy isn't something we should care about or at least value as
much as we do as a society. Maybe I'm wrong. I _think_ I see the dangers down
the road but maybe it's just a mirage and privacy will die and it won't be
used against us by people in power or with money.

~~~
chrischen
This is probably something you should ask the person who's desperate enough to
need that $20, rather than to decide for them from your point of reference.

~~~
joshstrange
I'm not attacking them for taking it, I harbor no ill will toward either group
#1 or #2 of my original comment. I'm asking if we are ok with this being
necessary in the first place. I'm not ok with it.

~~~
anonymous5133
I have the app installed on my phone. I have it installed because I want the
$20 amazon. I don't know if I really "need" the $20 amazon but it is 100%
passive once it is installed. You literally need to do nothing. Every month
they send you $20. I would not uninstall it even given the privacy concerns.

If you guys are so concerned about it then create something that puts cash in
my pocket. I'll gladly run whatever app you want on my phone if you pay me.

~~~
matt4077
Now you actually do make me have ill will toward #2. Enjoy your $20. A free
lunch/month, right?

Edit: and now they shut it down. You can thank us privacy advocates later.

------
myth_buster
> Facebook first got into the data-sniffing business when it acquired Onavo
> [..] to learn that WhatsApp was sending more than twice as many messages per
> day as Facebook Messenger [...] and to spot WhatsApp’s meteoric rise and
> justify paying $19 billion to buy the chat startup

This makes a lot more sense now. At that time the tech sphere was surprised at
the price tag which is expected as people outside Fb perhaps didn't have these
metrics.

~~~
beezischillin
I know that it's not really insider trading, but the concept really does sound
similar..

~~~
bob_theslob646
It is actually crazy that this is not discussed more often.

How the heck is this fair?

~~~
beezischillin
I know, right? Spy on your competition without anyone's consent and then
simply make them an offer they can't refuse...

------
nxc18
I don't see why Apple couldn't take down _all_ Facebook apps until they
comply. It seems like Apple has the real power here.

~~~
joshstrange
Oh they could, I mean Apple could just keep killing their accounts they create
but is FB ballsy enough to keep opening them? It would be FB calling Apple's
bluff. Users would riot though. Apple has to decide between supporting privacy
or supporting their users' choice. Apple has made the decision to take away
users' choice in the past in the name of safety/protection, I could see them
doing it again.

I can bet this is the LAST thing they want to see in the headlines. It forces
them to address it, maybe they have a plan ready to go for this eventuality, a
whole PR push and I kind of hope they do. If they don't they either look weak
on privacy or have to roll out some half-baked plan/proposal/nebulous idea on
how to protect users privacy better in iOS 13 or something like that.

Right now Apple is doing a whole hell of a lot of talking out of both sides of
its mouth and I understand it's a hard line to walk, I'm not saying I could
do it better. FB's practices in general are probably an affront to Apple in
general but skirting Apple's limitations to piss all over privacy and
essentially turn an iPhone into an Android-level of data collection, I can
imagine Apple is PISSED. I just really hope they had something planned for
this day.

~~~
JonathonW
> Oh they could, I mean Apple could just keep killing their accounts they
> create but is FB ballsy enough to keep opening them?

Enterprise developer accounts (the ones that can issue apps signed such that
they can be sideloaded on any device) aren't something just anyone can go
online and sign up for-- they require manual approval with proof of a
business's identity before they're created.

So, unless Facebook starts opening well-disguised shell companies or something
along those lines to circumvent any restrictions Apple might put on them, this
will be over as soon as Apple revokes Facebook's enterprise distribution
account. (Or, more likely, threatens Facebook into dropping the VPN app,
because FB probably doesn't want to lose the ability to distribute legitimate
internal-use apps to their employees.)

~~~
joshstrange
> Enterprise developer accounts (the ones that can issue apps signed such that
> they can be sideloaded on any device) aren't something just anyone can go
> online and sign up for-- they require manual approval with proof of a
> business's identity before they're created.

It's my understanding that faking these business identities is the entire
business model of iOS sideloaded services (see the subreddit for examples [0])
so I don't think it's that difficult to do. That said, I'd be shocked if Apple
let them go that far as to keep spinning out fake businesses but then again if
FB thinks it can get away with it what's stopping them?

[0]
[https://www.reddit.com/r/sideloaded/](https://www.reddit.com/r/sideloaded/)

~~~
morpheuskafka
That would be getting into serious fraud, arguably criminal under CFAA.
Normally Apple isn't interested in prosecuting these people as it's just
sideloading, which is some minor copyright violations and a security risk in
their view, but if Facebook did it after having been banned themselves, having
a written statement from Apple that these apps were violating, and then they
go and pay a third party or deliberately make a shell company to defraud
Apple? That could provoke a total business embargo between the companies which
would suffocate FB.

------
mychael
What I want to know is:

Why is Josh Constine still covering Facebook at TechCrunch? Is there no
accountability for journalists who totally failed us?

For context, he's the guy who was supposed to be covering Facebook over the
last 10 years, but instead of hard hitting journalism, we got nothing more
than press releases and pro-FB articles.

See for yourself:

[https://www.google.com/search?q=Josh+constine+facebook+site:...](https://www.google.com/search?q=Josh+constine+facebook+site:techcrunch.com)

~~~
dkrich
I think a lot has to do with media outlets like TechCrunch having an “oh shit”
moment wherein they realize Facebook is taking their profit machine from them
(advertising). He even admits as much in the Twitter comments where he posted
this.

If people at this point doubt that traditional media is waging war against
Facebook as a means of survival and masquerading as a bastion of privacy as a
means to an end they are willfully delusional. These organizations show much
more intrusive ads to me than Facebook. Also they treat Twitter with kid
gloves because Twitter is useful for them to gain a following and disseminate
their posts. Twitter has also shown me much more politically motivated ads
recently than Facebook has.

~~~
roguecoder
Why aren't you using an ad blocker?

~~~
artificial
What are your suggestions for blocking ads inside of the Twitter app?

~~~
giornogiovanna
There are browsers for Android that have ad-blockers (e.g. Firefox for
Android). You can use Twitter's mobile website in one of these browsers.

------
anonymous5133
I have this app installed on my phone and I have chosen to have it installed
by choice. I am getting paid $20 amazon per month to have it installed.

Why do I do this? Because I enjoy making side hustle money with my phones.
This research app in particular is very useful to me because it is 100%
passive. If you are concerned with privacy you can always just use a crap side
phone to run the app.

~~~
lostlogin
> 100% passive.

Can you explain what you mean by this? I wouldn’t like it because I would
consider it to be watching me, and I don’t think that’s passive.

~~~
nebulous1
I'm pretty sure he just means he doesn't have to set aside any time to
directly interact with the app himself

------
Gioni06
I'm not a law expert, but IMO FB should seriously lawyer up. I can say that
this kind of misconduct would almost certainly end up in court in Germany. A
13-year-old's consent with a cryptic data protection policy is not legally
binding and luring kids in need of protection with money to give up
fundamental rights can be viewed as an act of non-physical abuse.

~~~
anonymous5133
I have this app installed on my phone. When you sign up you purposefully have
to get consent from an adult to sign up as a minor.

~~~
bencollier49
I'm not sure that works in law. A 13-year-old could click "consent" and not
make a contract with FB.

~~~
Gioni06
I agree. That can also be called "common law" in Germany. Contracts with
people who are not entitled to sign contracts on their behalf are not
considered legally binding.

In that sense, it shall be treated as if there hasn't been a contract at all.
The process is purposefully designed to get a signed contract as fast as
possible. The technology to make proper ID (Age) verification is available,
but my understanding is, that it is not used by facebook and its partners.

~~~
morpheuskafka
COPPA doesn't require foolproof age verification IIRC, otherwise the regular
Facebook app and nearly every app on the planet that just asks for a birth
date with no verification would be illegal.

~~~
Gioni06
That is 100% true. It's a regulatory issue that politics could address. Having
no proper age verification is not illegal.

I mixed two points here. Contracts that contradict the law and my wish for
better regulations.

------
saagarjha
Apple should just pull their Enterprise certificate so the app stops working.

~~~
Benjamin_Dobell
Apple should pull their entire developer program account! This is insane abuse
of either Enterprise signing or developer signing - it could be either
depending on the setup process.

------
pinewurst
The actual article title is "Facebook pays teens to install VPN that spies on
them".

~~~
lupire
And that's a sensationalist title, since it's not spying, it's consensual
informed monitoring.

~~~
supergauntlet
"it's not an explosion, it's a rapid oxidation event"

~~~
bobsil1
Rapid unscheduled disassembly

------
schappim
Whilst not technically correct (Facebook is not getting "root access" to the
device), paying teens to install a VPN that spies on them is just gross!

------
seem_2211
This all seems like a rerun of Uber - bad news on bad news compounding on bad
news. Something is very rotten at Facebook and has been for a long time now.

~~~
misiti3780
Ya, and Uber had a change of leadership, let's hope something like that happens
at facebook too.

~~~
wmf
I guess the difference is that Zuck has over 60% voting control of Facebook so
he can't be forced out.

~~~
roguecoder
Facebook's record is the best argument for banning dual share classes: if you
want to keep control of your company, you shouldn't be able to do that at the
same time as selling most of it off. If you are running a public company, you
should be accountable to your shareholders.

~~~
swift532
I disagree, those shareholders know what they're getting into when they buy
the stock. I do agree with just about 95% of criticism directed at Facebook,
so this isn't me defending them specifically. I just don't see why dual share
classes should be forbidden as long as people are properly informed when
purchasing non voting ones.

If I offered you 10% of my bakery's profits but told you explicitly that you'd
have no voice in how I run it, it could be a good deal for both of us and we'd
both know what we're getting into.

~~~
roguecoder
It's not about whether it's a "good deal" for the investors: it is that as a
society allowing unaccountable business dudes to run roughshod over society
isn't working out so well.

~~~
wmf
If you eliminate dual share classes then those dudes will remain unaccountable
by never going public.

------
0x0
Those enterprise code signing certificates and provisioning profiles probably
won't have much life left if Apple is awake at the wheel.

Seems like a risky game to play, likely staking their appstore developer
account at the same time. High stakes.

~~~
eunoia
I really hope not. Enterprise distribution has been hugely useful as an
internal tool at just about every company I have worked for.

They seem to have broken the cardinal rule though. Namely the somewhat
ambiguous "Don't use your Enterprise account to bypass the App Store."

~~~
roguecoder
If they ruin this for the rest of us, I will never forgive Facebook. I hope
Apple comes down on them like a bag of bricks instead of f'king up my beta
testing.

~~~
randomsearch
Hard to forgive Facebook for undermining democracy, mass behavioural
manipulation, privacy violation, monopolistic practices, and a gazillion other
things.

But I agree, add this to the "unforgivable" pile.

------
maxxxxx
Maybe I am getting old but I am really becoming more and more skeptical of
anything that's coming out of Silicon Valley. Everything Google, Facebook and
other ad-supported companies produce seems to be designed to do something
behind the backs of users. If the trends continue these companies will soon
have world-wide full surveillance of almost everything which then will be
perfect infrastructure for dictatorships. And with the growth expectations
these companies will have to do more and more sleazy stuff to keep growing.

~~~
jsemrau
You are not getting old. In the past SV solved the "hard" problems for the
military. Now it's solving perceived first world problems

~~~
randomsearch
The problem is simple and relatively recent: advertising business models lead
to unethical behaviour. That’s all. The worst companies are those most
dependent on advertising.

------
lucb1e
This is hardly different from all those ad supported platforms we use every
day. For privacy invasion, you get compensation. Usually you get to use a
service free of charge, in this case (because the invasion is worse) you get
financial compensation.

If you mind this, you should be honest with yourself and compare it to all the
other deals you're striking with many services.

~~~
cheschire
Let's put it this way, imagine if everything that you ever said in various
businesses was recorded and publicly available. That's analogous to the "many
services" you're referring to.

Now imagine if people were being offered the chance to get some gift cards in
exchange for strapping a microphone to their face 24/7, regardless of
location. That's analogous to what's happening here.

Anything you do, visit, etc, can be collected. Your bank app traffic, your
location data that any app requests, the contents of your data voice calls
over non-FB apps, etc.

~~~
lucb1e
I understand the implications.

But I don't see a fundamental difference between strapping a microphone over
someone's mouth 24/7, and only strapping the mic on (or, more practically,
turning it on) when the user uses certain applications. In both cases you're
compensated and in the former we feel violated, and in the latter it's all
fair game and business.

------
josefresco
Reminds me of those old "dial up" Internet access offers that offered to pay
you to surf the web. Being a broke college kid, my friends and I quickly
learned we could game the system by installing software that moved our mouse
and clicked randomly. Made for a pleasant and sometimes shocking surprise when
waking up in the morning and checking to see where your PC navigated to the
previous night.

~~~
degenerate
Yes, AllAdvantage was the biggest:
[https://en.wikipedia.org/wiki/AllAdvantage](https://en.wikipedia.org/wiki/AllAdvantage)

I only got paid $31 for a month. Even as a kid, it wasn't worth the effort
required due to their constant updates.

The real hidden gems were NetZero and K-Mart's BlueLight. Both were completely
free dial-up internet providers, paid for by a banner ad program that was easy
to hide with window killers.

Netzero went on to acquire BlueLight and many other free internet providers,
and eventually turned into a paid internet service:
[https://www.mybluelight.com/](https://www.mybluelight.com/)

~~~
josefresco
>I only got paid $31 for a month. Even as a kid, it wasn't worth the effort

My exp exactly.

>The real hidden gems were NetZero and K-Mart's BlueLight.

Yes and Yes! Used both, both were a giant pain but fun to mess around with.
Now that I'm thinking about it, I'm not sure why I bothered as our family had
dialup (I was probably just bored)

------
buildbot
At what point does Apple pull Facebook's developer licenses? As people have
mentioned, this appears to be a violation of the enterprise account program.

~~~
saagarjha
It's important to note that Facebook has at least two "licenses" here: one is
used to push their apps to the App Store, and another to sign enterprise apps
(like this one). Pulling one should not affect the other.

~~~
kerbs
But to the point - this should at least result in a revocation of the
Enterprise account.

------
warent
Well, this is the final straw for me. Facebook has been so repugnant lately
that it's time to delete my account. Does anyone here recommend an
alternative? Right now I'm considering Mastodon and MeWe.

EDIT: I ultimately went with MeWe because it's more user-friendly to non-tech
people i.e. most of my relatives.

~~~
ardy42
> Well, this is the final straw for me. Facebook has been so repugnant lately
> that it's time to delete my account.

Don't delete your account. Just delete all your posts and change your profile
pic to something that tells everyone you've ditched Facebook. It'll
continually remind everyone you've left and make Facebook seem more like a
dying community to those who are still on it.

Then finally delete your account once it's as dead as MySpace.

------
rdl
Would joining FB as a Privacy Czar or whatever be a job one should rightly
wish on a highly competent privacy person, or is it a new form of torture in
Hades alongside Sisyphus and others?

~~~
abraae
Perhaps a bit like Baghdad Bob's job as Saddam Hussein's Information Minister:
[https://en.wikipedia.org/wiki/Muhammad_Saeed_al-Sahhaf](https://en.wikipedia.org/wiki/Muhammad_Saeed_al-Sahhaf)

------
product50
What is the problem here? They are literally paying users to get their data.
Seems like a fair tradeoff right?

~~~
blub
The problem is some things should not be for sale at all, otherwise we end up
in some kind of undignified nightmare of a society.

Human beings, body parts, privacy, those kind of things.

~~~
the_reformation
And who will make this decision for me? You?

~~~
jasonlfunk
You, of course. No one is arguing that you should be forced to sell your
privacy.

~~~
berti
Except it’s a very one-sided deal when “you” doesn’t fully understand (or even
begin to understand) what’s being given up.

Find me five people off the street who can explain the implications of tapping
yes to install that root cert.

------
sbr464
How are they able to pay or contract with users under the age of 18? Or do
they get parental consent. Not sure how that works. Referring to the $20/month,
I assume under 18.

~~~
judge2020
The article goes into that, they compensate the parent with the $20/month.

------
sftwds
I... I... I just can’t even...

What is Facebook thinking?? Shouldn’t a company which is already getting bad
PR for its handling of private data be extra careful about how much personal
data it gathers and what it does with it?

~~~
jeromegv
The funny part is you always have those people that show up and say that we
are "too hard" on Facebook, and that the NYTimes is just pushing too much and
that it's just bad PR, not really bad actions. And yet, after all this bad PR,
Facebook keeps being a shitty company.

~~~
beezischillin
Sort-of.

I mean Facebook does deserve the negative PR it's receiving, don't get me
wrong. I finally deleted my account, too, since it's become too much. It does
seem to me like it's very much in the interest of the media to keep
attacking Facebook now that it's socially acceptable (Cambridge Analytica
stuff and all), since Facebook's one of the companies that greatly influenced
and interfered with their possibility to generate an income.

------
gerbilly
Why are there always so many people willing to defend the oppressor?

This story is full of people making apologias for facebook's shady behaviour.

I just don't get the urge in some people to defend the rich and powerful.

They don't need you to defend them, they are probably 100000x richer than all
of us discussing this here put together.

This is an honest question because I can't understand the motivation behind
it. If you are one of those people defending facebook, why are you doing it?

~~~
bob_theslob646
>This is an honest question because I can't understand the motivation behind
it.

How informed should the user be? What qualifies as an informed user?

This is getting into some dangerous territory because it implies some sort of
contract literacy.

~~~
gerbilly
> This is getting into some dangerous territory because it implies some sort
> of contract literacy.

We already have laws forbidding certain types of deceptive contracts.

The average user can't be expected to understand the consequences of
installing Facebook's 'trusted' root certificate.

------
kstenerud
I recently had something similar on Google Fi. One day my phone had a pop-up
offering to connect me to their beta VPN automatically for security.

Of course, while connected to the VPN you can't connect to anything on the
LAN, and I'm not sure how regular users would be able to disable the thing.

And, of course, the problem of Google sniffing everything you do.

~~~
Corrado
I have Google Fi and I'm not sure this is the same thing. The Google VPN
doesn't install a root CA (AFAIK) and merely acts like a normal VPN. It _does_
terminate at Google's servers so they can peek at your traffic, but not any
more so than a traditional ISP.

The "secure" VPN dialog only comes up for certain WiFi connections that Google
has some knowledge about. For example, when I'm in Chick-fil-A I get the
"Secure this connection?" dialog, but I never get it at home or work. I've
never had a need to disable it to reach local resources, but I'm guessing you
could turn off WiFi and turn it back on to rejoin the network and not accept
the VPN connection. I've never had the need to do that so I don't know if it
would work or not. :/

~~~
kstenerud
No, this was different from the automatic per-known-wifi connection securing
that it normally does. It was an actual VPN, that I had to manually remove
because I could no longer access anything on my LAN.

------
burlesona
Who is surprised? This is Facebook’s DNA.

------
newscracker
It's no surprise that over and over again, Facebook has shown us that it will
stop doing some of the bad things it does only when it's caught red handed.
Until then, the employees who work there won't have any ethical qualms and the
company won't care much about the impact either. Every time some news like
this comes out, the PR department probably shrugs its shoulders and says "What
are the users gonna do now? Quit our platform? Where will they even go to?"
and just laughs out loud.

If a person were to adopt this behavior, we would call them a criminal.
Facebook, on similar lines, is a criminal enterprise that hasn't been punished
appropriately so far!

------
qwerty456127
> Facebook sidesteps the App Store and rewards teenagers and adults to
> download the Research app and give it root access

But how? I didn't know this was possible to do on iPhones except really old
models. If it is I'd love to know how.

~~~
saagarjha
The article is misleading; the app does not have root access, it has access to
web traffic via a trusted root certificate. The app is distributed outside the
App Store through the enterprise developer program.

~~~
eunoia
It's worth noting that one of the main rules of these Enterprise accounts is
that they are not to be used to bypass the App Store.

For example, we use them to distribute frictionless test builds internally.

~~~
saagarjha
Yes, I know what the enterprise program is for; this is a clear violation of
those rules. But Facebook is not getting root access to your device, as the
title of this post and the article claims.

~~~
eunoia
Yeah I can tell you have experience with iOS code signing.

I just wanted it to be clear to others that this is NOT the intended purpose
of the Enterprise program.

~~~
blattimwind
I'm looking forward to Apple revoking Facebook's access to it.

~~~
morpheuskafka
It appears to be their main In-House Enterprise cert, so it may well cause
some major chaos as all internal apps go dead.

------
malloreon
Apple should remove all facebook apps from the app store till facebook
employees decide evil isn't worth it.

------
nullandvoid
For anyone reading this now good news -
[https://news.ycombinator.com/item?id=19033451](https://news.ycombinator.com/item?id=19033451)

------
zenexer
“Root access” and “root certificate” are entirely unrelated, but this article
seems to conflate the two terms.

~~~
snazz
“Root access” isn’t in the original article title.

Edit: HN title has changed to remove this part completely.

~~~
zenexer
It was in the original article title when I posted this; I believe they edited
it.

------
dorchadas
Tangentially related, but this leads to an issue I try to stress to my
students all the damn time, but they just don't care. Like, they all try to
download any free VPN that'll connect so they can play Fortnite during school,
without ever looking to see what they give away. Hell, I'm not convinced they
wouldn't _consent_ even if it was told, as long as they get their fix while at
school. There's a huge problem nobody wants to try to fix.

~~~
roguecoder
The arms race between school administrators and people who wanted to connect
to things they shouldn't has been going on for decades and is one of the major
sources of sys admins. The problem here is that installing a VPN is far too
easy and doesn't teach children where /etc/host is located.

~~~
morpheuskafka
At my school, they have default "teacher" for external events that use school
facilities, usernames and passwords based on each school code that bypass all
filters, but somehow no one has found it leading to insane workarounds. Sadly,
people used to use web.archive.org as a workaround (like dude, just go home
and look stuff up?) so they blocked it, which breaks a lot of research and
sources on Wikipedia.

------
amluto
I wonder if a party at the _remote_ end of the traffic that Facebook is
monitoring could have valid grounds for damages against Facebook.

------
bsbechtel
As an app developer, is there anything that can be done to prevent Facebook
from spying on your traffic?

~~~
spricket
Certificate pinning. And perhaps warning your users about potential baddies if
someone tries to change it.

Elsewhere in the article it mentions people were paid to screenshot their
Amazon order history. Why would they do that if they could read all app
traffic? My guess, Amazon is smart enough to use certificate pinning and/or
not trust root certs
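A worked illustration of the pinning spricket describes, added here as an example; it is not code from the thread or from any of the apps discussed. It is self-contained Go using only the standard library: it generates a legitimate CA and a second, locally installed root (both names are assumptions), issues a certificate for the same hostname from each, and shows that plain chain validation accepts both once both roots are trusted, while an SPKI pin on the real server key rejects the look-alike. The hostname `api.example.com` and the `sha256/` pin format are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only: key/cert generation failures are fatal
	if err != nil {
		panic(err)
	}
	return v
}

// newTemplate builds a CA or server certificate template for cn (names are illustrative).
func newTemplate(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key and has parent sign tmpl for it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// spkiPin is the usual pin format: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyChainOnly is what an unpinned app does: any root in the device trust store will do.
func verifyChainOnly(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyPinned is what a pinning app does: the chain must validate AND the key must match a pin.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	if err := verifyChainOnly(leaf, roots, host); err != nil {
		return err
	}
	if !pins[spkiPin(leaf)] {
		return errors.New("chain is trusted but the server key matches no pin")
	}
	return nil
}

type outcome struct{ RealChainOK, RealPinOK, FakeChainOK, FakePinOK bool }

// runScenario: the real CA issued the server's certificate; later a second root was added to
// the trust store (what the installed profile does) and used to mint a look-alike for the same host.
func runScenario(host string) outcome {
	realCA, realKey := issue(newTemplate("Real Public CA", true), nil, nil)
	mitmCA, mitmKey := issue(newTemplate("Locally Installed Interception Root", true), nil, nil)
	realLeaf, _ := issue(newTemplate(host, false), realCA, realKey)
	fakeLeaf, _ := issue(newTemplate(host, false), mitmCA, mitmKey)
	roots := x509.NewCertPool() // device trust store after the user tapped "Install"
	roots.AddCert(realCA)
	roots.AddCert(mitmCA)
	pins := map[string]bool{spkiPin(realLeaf): true} // baked into the app at build time
	return outcome{
		RealChainOK: verifyChainOnly(realLeaf, roots, host) == nil,
		RealPinOK:   verifyPinned(realLeaf, roots, host, pins) == nil,
		FakeChainOK: verifyChainOnly(fakeLeaf, roots, host) == nil,
		FakePinOK:   verifyPinned(fakeLeaf, roots, host, pins) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario("api.example.com")) // {... FakeChainOK:true FakePinOK:false}
}
```

Two practical caveats: pin the SPKI of a key you control and ship a backup pin for rotation, otherwise a routine certificate renewal locks users out of the app; and pinning only covers connections your own networking code makes, so anything the app hands to a system browser or web view is governed by the platform's trust store, not your pins.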

------
mklarmann
I wonder if Apple considers options to take the Facebook Apps out of the App
Store.

------
glitchc
I don’t know how I feel about this. On the one hand Facebook is working around
Apple’s terms and conditions, and enticing underage kids to compromise their
phones. On the other hand, there’s no law broken here, Apple’s terms and
conditions are not generally fair to users, and the kids know all of their
data is being tracked for money ( and presumably are happy with it). Plus,
freedom to use the personal device you bought as you see fit is preferred to
Apple deciding what you can and cannot have on your phone. So, how should I
feel about this?

~~~
dannyr
> Slavery in 1800s

> glitchc: there’s no law broken here. So, how should I feel about this?

~~~
forgotmyhnacc
You're comparing owning a person to people voluntarily downloading apps?

~~~
dannyr
What I'm implying is the original commenter's reasoning is faulty.

But you can interpret it whatever you wish.

~~~
glitchc
Actually it's your reasoning that's faulty. All crimes are not equal. That's
why society deems it appropriate to outfit different crimes with different
punishments.

Let's not forget that until mid-20th century, adultery was illegal in most
states...

------
quickthrower2
Facebook. Preying on kids again.

------
morpheuskafka
Damn, I tried DM'ing some security researchers about this a week ago, looks
like I should have just sent it here. I've got some added details from my
research into it.

1) Regarding distribution channels, I have only once had the program
advertised, via an Instagram ad. I have my real age on Insta (I know, I
know...) so targeting younger users may have played a role. I first saw the ad
in June 2018, and decided to click through to see how bad it was from a
security standpoint. IIRC I never installed it, but I got an email to my
throwaway account a few weeks ago asking to reinstall, so I decided to give it
a run-through for research. They refer to it as "Research Application," and
avoid mentioning FB, their email the first time was
facebookresearch@applause.com and it is now sent through a mailer with no
mention of FB in email address. The contractor was Applause/uTest, they
offered $10/month via PayPal (which <18 technically aren't allowed to have).
Since uninstalling, they sent an email saying it hadn't heard from the app in
24 hours and you must participate 23 days/month to be paid.

2) The install link is at [https://m.facebook.com/facebook-study/f8854f1fb9f4f57bf0d861...](https://m.facebook.com/facebook-study/f8854f1fb9f4f57bf0d861c03528ce4c/<unique_code>), and the IP used by the
VPN is vpn-sjc1.v.facebook-program.com / 185.89.216.194. On iOS, the "Connect
on Demand" feature is used to render the normal VPN off switch useless, one
must uninstall the app or turn off COD on the VPN info page. Outgoing traffic
goes through a regular FB IP (I wonder if any IP-based authentication on their
systems might be weakened by doing this?).

3) I definitely agree with TechCrunch that this is an Apple ToS issue,
however, they are wrong to say that FB "avoided TestFlight." TestFlight is for
closed _betas_ only, and this app is not a beta of anything, so it is patently
ineligible. Interestingly, if Apple revokes their cert in response (as they
do to shell company certs used for sideloading marketplaces), it would result
in an immediate shutdown of all Facebook's legit internal apps, because Apple
only (afaik) issues one cert to each DUNS number. Notably, the cert says
"Facebook, Inc. (In-House)" not just "Facebook Research, Inc." so it looks
like the main cert. I've sent a complaint to Apple Privacy about this, will
report back if they reply.

3b) Apple's Enterprise Dev Program ToS[1] excludes from allowed internal apps
those that are, "used, distributed, or otherwise made available to other
companies, contractors (except for contractors who are developing the Internal
Use Application for You on a custom basis and therefore need to use or have
access to such Application), distributors, vendors, resellers, end-users or
members of the general public." It does allow the use of written, binding
agreements to enable contractors to use the app, but it seems doubtful that
this would extend to those ostensibly participating in social research for a
nominal compensation.

4) Most users need to be clearly told that installing a "trusted root" cert is
the keys to the kingdom. Providing a normal VPN honestly wouldn't be that bad,
as TLS protects everything but the domain name. So they could see
"morpheuskafka made 200 requests to reddit.com in an hour," but not the
content, much less my login and password. Most people who know what a VPN is
are familiar with the idea of their network traffic being rerouted and
monitored at the ISP level, but they could easily think they were installing
the VPNs server certificate or a client certificate to access it. It's
staggering to think that . Also remember that Facebook owns the certs for its
own platforms, so they could (ethically) monitor your use of their own
services w/out this. Remember "don't even give the IT people your password?"
Fill out any login in form and FB has your password (and can use the same IP
to sign in without raising suspicion). Job or college app? SSN, tax info, etc.
Only e2e is safe. Notably, Caddy's MITM detector cannot detect this "research
app."

I hope they do revoke the signing cert, and will enjoy seeing all their
internal apps stop working in the chaos. And I hope that Google and other
large companies send password change warning to anyone who has logged in from
these IPs.

[1]
[https://download.developer.apple.com/Documentation/License_A...](https://download.developer.apple.com/Documentation/License_Agreements__Apple_Developer_Enterprise_Program/Apple_Developer_Enterprise_Program_License_Agreement_20181019.pdf)
[can sign in with any Apple ID to view]

Sorry for the long post, but this is truly outrageous.
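Point 4 above contrasts a plain VPN, which sees only the destination name, with one that also installs a trusted root. The Go program below is added here as an example (not code from the thread or from the app discussed) and shows exactly what the plain-VPN operator gets: a genuine `crypto/tls` client starts a handshake to an assumed host over an in-memory pipe, the "operator" reads the ClientHello off the wire and parses the server_name extension out of it, and nothing else in the session is recoverable without a trusted root. The host name `reddit.com` is a constructed input; the parser follows the record and message layouts in RFC 8446 and RFC 6066.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
)

type cursor struct{ b []byte } // bounds-checked reader over TLS length-prefixed data

func (c *cursor) take(n int) ([]byte, bool) {
	if n < 0 || len(c.b) < n {
		return nil, false
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v, true
}

func (c *cursor) num(n int) (int, bool) { // n-byte big-endian unsigned integer
	b, ok := c.take(n)
	v := 0
	for _, x := range b {
		v = v<<8 | int(x)
	}
	return v, ok
}

func (c *cursor) vec(lenBytes int) ([]byte, bool) { // vector with a lenBytes-wide length prefix
	n, ok := c.num(lenBytes)
	if !ok {
		return nil, false
	}
	return c.take(n)
}

var errMalformed = errors.New("malformed ClientHello")

// sniFromClientHello walks a ClientHello handshake message (RFC 8446 s4.1.2) and returns
// the host_name from its server_name extension (RFC 6066 s3), or "" when there is none.
func sniFromClientHello(msg []byte) (string, error) {
	c := &cursor{msg}
	typ, ok1 := c.num(1)         // HandshakeType: client_hello = 1
	_, ok2 := c.take(3 + 2 + 32) // 24-bit length, legacy_version, random
	if !ok1 || !ok2 || typ != 1 {
		return "", errMalformed
	}
	for _, n := range []int{1, 2, 1} { // session_id<1>, cipher_suites<2>, compression_methods<1>
		if _, ok := c.vec(n); !ok {
			return "", errMalformed
		}
	}
	exts, _ := c.vec(2) // absent on legacy clients, in which case there is simply no SNI
	for e := (&cursor{exts}); len(e.b) > 0; {
		typ, ok1 := e.num(2)
		body, ok2 := e.vec(2)
		if !ok1 || !ok2 {
			return "", errMalformed
		}
		if typ == 0 { // ExtensionType server_name = 0
			n := &cursor{body}
			_, ok1 := n.num(2)        // ServerNameList length
			nameType, ok2 := n.num(1) // NameType host_name = 0 (the only type defined)
			name, ok3 := n.vec(2)
			if !ok1 || !ok2 || !ok3 || nameType != 0 {
				return "", errMalformed
			}
			return string(name), nil
		}
	}
	return "", nil
}

// observeClientHello plays the VPN operator: a real crypto/tls client starts a handshake to host
// over an in-memory pipe and we read its first record off the wire. SNI is the only plaintext name.
func observeClientHello(host string) (string, error) {
	clientSide, wire := net.Pipe()
	defer wire.Close() // unblocks the client once we have what we need
	go func() { // its handshake fails when the wire closes; only the ClientHello matters here
		_ = tls.Client(clientSide, &tls.Config{ServerName: host}).Handshake()
		clientSide.Close()
	}()
	hdr := make([]byte, 5) // TLS record header: ContentType(1) version(2) length(2)
	if _, err := io.ReadFull(wire, hdr); err != nil || hdr[0] != 22 { // 22 = handshake
		return "", fmt.Errorf("no handshake record on the wire: %v", err)
	}
	body := make([]byte, int(hdr[3])<<8|int(hdr[4]))
	if _, err := io.ReadFull(wire, body); err != nil {
		return "", err
	}
	return sniFromClientHello(body)
}

func main() {
	fmt.Println(observeClientHello("reddit.com")) // reddit.com <nil>
}
```

This is also why a plain VPN resembles an ISP in what it can see: with TLS 1.3 the server certificate is encrypted as well, leaving the SNI (and DNS, if it is not tunnelled too) as the identifier, and Encrypted Client Hello, where deployed, hides even that. With a trusted root installed the VPN terminates TLS itself, and the whole request, credentials included, is in the clear on its box.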

------
radicaldreamer
I’m sure this was approved by product counsel (most features go through legal
reviews at large companies like Facebook) and was justified (even using the
Enterprise certificate) by arguing that the teens are actually contractors
working for Facebook who're being paid and have consented (along with
their parents, if necessary).

------
pavelludiq
Your phone doesn't just contain private data about you, it contains private
data about people you know. Selling them out like this is a scumbag thing to
do, not to mention it's probably a TOS violation of every service you interact
with. FB basically solicited people to unwittingly commit crimes on their behalf.

------
S_A_P
when is “too far”? I’m certainly thinking that we are there, but when does
most of the world get to that point?

------
bashwizard
I'm curious what devs working at Facebook feel about the shitstorm surrounding
Facebook the last couple of years. Do you still work there and is the money
the only incentive for doing so? Would you jump the ship if you got the
chance? Or are you ok with everything that Facebook does?

------
jorblumesea
I don't get it, does FB need more negative press? Regardless of the true
intentions, this looks bad.

------
shrimpx
A simple UI change like making the root certificate trusting UI look like
you're about to do something extremely dangerous would likely stop a lot more
users from giving their data away like this. But instead, Apple shows you a
benign-looking "warning."

------
aboutruby
Any other company would have all their certificates revoked.

------
loriverkutya
I'm really curious, how the average Facebook engineer feels about this data
mining and when is the point when they think they should stop building tools
to allow Facebook to do this.

------
ledriveby
It sounds like an Internet equivalent of a Nielsen box?

------
justfor1comment
What could be more ironic than your VPN spying on you? The very thing you use
to avoid the watchful eye of elder siblings.

~~~
Skunkleton
I think it is safe to assume that any free VPN is spying on you.

~~~
userbinator
Except the one you set up yourself... or rather, you can spy on yourself with
that one, so your point still stands. ;-)

~~~
Skunkleton
The one you set up yourself isn't free...right? But yeah, I tamper with DNS
requests on my home network, so fair point lol.

------
kevintb
Holy shit. This is beyond the pale.

------
z3t4
The most scary thing is that someone is willing to pay $20 /month for this
data.

------
nightsd01
Isn’t this....kind of what the entire tech community has been PUSHING Facebook
to do? Paying you for your data instead of acquiring it through shady
means...?

I’m sorry but...it’s not as if they’re using this data to do evil things.
They’re trying to target advertisements. Whooptie doo. So evil.

------
morpheuskafka
Didn't want to edit my already too long comment, but it's worth noting that on
a closer read of the Apple Enterprise Terms, they state that they have the
ability to notify users at 5.3: "[Facebook] understand and agree that Apple
may notify end-users of Covered Products that are signed with Apple
Certificates when Apple believes such action is necessary to protect the
privacy, safety or security of end-users, or is otherwise prudent or necessary
as determined in Apple’s reasonable judgment." __We need to call on them to do
so immediately and fully remove the profile, apps, and certs issued by this
and any other programs of FB. __

I don't recall the app having any mechanism to filter EU/EEA nationals, so
the GDPR shitshow is about to explode in Facebook's face as well.

------
Negitivefrags
How is this any different than how TV ratings are gathered?

~~~
wklauss
There's only one activity you do when watching TV and that is... watch TV.
Even on SmartTV sets, the amount of data the screens can gather is limited in
scope and quantity.

There are all sorts of things you do with your smartphone and this VPN tracks
all of them.

~~~
Negitivefrags
People also agree to lower insurance premiums in exchange for having a GPS
tracker installed on their car.

I guess my point is that the concept of being directly paid to give up
elements of privacy is a well established concept.

I also think it's extremely patronising to the poor to assume that they don't
understand what trade off they are making.

~~~
supergauntlet
>People also agree to lower insurance premiums in exchange for having a GPS
tracker installed on their car.

and that should make you uncomfortable too! how on earth can you justify this
with an equally insane analogue?

~~~
fromMars
Just because it makes you uncomfortable doesn't mean it makes everyone
uncomfortable.

I agree with the previous user that it isn't that different than what Nielsen
does to collect TV ratings.

Maybe Facebook's execution here wasn't the best, i.e., I agree that a better
device would have some limitations as to what kind of data it could access.

------
dschuetz
Facebook certainly has established itself as a rogue data mining company.

------
hoppelhase
Any European people affected? How does this play with the GDPR? Are the users
over 16? Anyone tried to file a GDPR data request?

------
minimaxir
The HN title/article is slightly misleading with its use of "root access"; the
iOS Enterprise Root certs give increased data access outside of an app (e.g.
decrypted SSL traffic, like what this app was doing), but not "root access" in
the Unix sense.

You can play with them using mitmproxy to generate a Cert and intercept SSL
traffic.

~~~
merlincorey
It is "root" in the sense of "root certificate"[0] which allows, potentially,
the ability to MITM essentially any TLS connection transparently to the user.

[0]
[https://en.wikipedia.org/wiki/Root_certificate](https://en.wikipedia.org/wiki/Root_certificate)

~~~
threeseed
"root access" has a different meaning than "root certificate"

~~~
merlincorey
Yes, I'm aware of that, which is why I "translated" for the article.

------
scottmcdot
Why has this been hidden from the front page?

------
adamnemecek
Are we out of the Facebook crisis yet? Do they not realize this is really not
helping their case?

------
AnaniasAnanas
> Children, specifically.

I fail to see how this is supposed to make it in any way worse.

~~~
MBCook
Children don’t have fully developed minds, can’t appreciate the consequences
of their actions (especially in the long term) and are easy to manipulate with
bribes ($20/mo).

This isn’t a bunch of adults deciding to sell their privacy. It’s children who
have no hope of understanding what they’re doing.

~~~
TheSpiceIsLife
To be fair, you could replace the word _children_ with the word _adult_ in
your first paragraph and it would all still hold.

Adults might have fully developed brains from a biology perspective, and I
recognise this is what you meant, but I believe there is a strong argument to
be made that many adults, myself included, are heavily lacking in the
_development of mind_ department. Mark Zuckerberg surely is, either that or
he’s _actually Satan_.

I definitely have an undeveloped appreciation of the consequences of my
actions, and I’m easily manipulated. I’m rapidly approaching 40 laps around
the sun!

My greater point here is that I don’t find your argument for why it’s worse
_because children_ particularly compelling. Or, perhaps, _insufficient_. So
I’ll replace with my own:

Society at large has a long history of, and a cultural and biological
evolutionary adaptation, to _protect children_ more strongly than adults,
because we are born vulnerable and take a long time to reach sexual
reproductive age. We’ve only made it this far because we’re not descended from
parents who let their kids stumble in to sabretooth tiger territory. (As an
aside, I appreciate that the greatest threat to children’s health and
development is their immediate family. But here we are).

The worrying thing is, now the sabretooth tiger is a guy who’s surname
translates from the mother tongue, German, to English as _candy mountain_ ,
Google translate actually says “pile of sugar”, and comes with a family
friendly large blue thumbs up symbol. So the threat is _difficult to discern_.

I’d actually be more worried if I didn’t have a seizure like laughing fit
every time I think about the whole scenario. It’s a coping mechanism I guess.

I mean, is this really happening? I wish Bill Hicks was still alive! Aaah, he
lives on through those who carry the flame!

