by Lisa Vaas
For three years, Facebook has been secretly paying volunteers – including teens – to install a virtual private network (VPN) app called Facebook Research that plants a root certificate on their phones, according to TechCrunch.
That certificate gets the company “nearly limitless access” to the device, TechCrunch reports.
It’s unclear exactly what data the Facebook Research app is sniffing for, but Will Strafach, a security expert with Guardian Mobile Firewall, said that it can get anything it wants:
If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.
When the BBC visited one of the app’s sign-up pages, it stated that Facebook would use the information to improve its services, and that there are “some instances” when the data is collected “even where the app uses encryption, or from within secure browser sessions”.
Yes, this is for real, Facebook says, but it was so not secret. The app’s name had “Facebook” in it, the company said in a statement:
Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market …