Credit to Author: Issie Lapowsky| Date: Thu, 07 Feb 2019 20:30:00 +0000
Three of the Senate’s biggest privacy advocates are sending letters to Facebook, Google, and Apple executives Thursday, following a recent TechCrunch report that Facebook used an iOS and Android app to monitor the phones of users as young as 13 years old. The app, called Research and sometimes referred to as Project Atlas, gave Facebook complete visibility into users' app activity, web searches, encrypted data, and even private messages.
Now, senators Richard Blumenthal (D-Connecticut), Ed Markey (D-Massachusetts), and Josh Hawley (R-Missouri) want more information from Facebook CEO Mark Zuckerberg, Apple CEO Tim Cook, and Google’s senior vice president of platforms, Hiroshi Lockheimer, about the origins of the app and the information it collected, particularly from minors.
“These reports fit with long-standing concerns that Facebook has used its products to deeply intrude into personal privacy,” the letters to all three companies read. (All three letters are published in full below.) Taken together, the lawmakers' questions reckon with the three giants' awesome and unprecedented power, and seek answers about the tactics they use to retain it.
The bulk of the senators’ questions are reserved for Facebook and revolve around the company’s alleged attempt to target teenagers and sidestep device makers' privacy policies. Facebook has said that only 5 percent of the app’s users were teenagers, but the lawmakers still want to know if Facebook specifically targeted teens with ads about Atlas. They also ask why the parental consent form that the app’s teenage users had to submit was “less strict” than the one required by Messenger Kids.
Then there are questions about how Facebook distributed the app. Prior to debuting the Research iOS app, Facebook operated a similar tool called Onavo on iOS. Apple removed it from the App Store last year, saying that apps which collect data on other third-party apps are prohibited. With the Research app, Facebook avoided the App Store entirely by using a feature of Apple's Developer Enterprise Program that allowed iOS users to download the app from their browser instead. But the program is intended for companies to share app updates with their own employees, not consumers. Facebook shut down its iOS app after TechCrunch’s report.
Perhaps the most pressing question is what information Facebook actually used and why. Experts have noted that the Research app installed what’s known as a “root certificate” on users’ phones, which granted the company unlimited visibility into users' actions. But it’s still unclear whether Facebook actually analyzed and retained all of that information. The lawmakers are hoping to clear that up.
In particular, they want to know whether Facebook collected and saved data on messages that Research users received from other people. Facebook has defended itself against these reports saying that users were fully informed of the sort of access the app would have and that they were even being paid to download the app. “Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App,” a Facebook spokesperson told TechCrunch at the time. “It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate.”
But third parties who messaged those users presumably would have had no idea their information was being collected. Facebook has not responded to WIRED's questions on this subject.
While Facebook has taken the brunt of the scrutiny, Blumenthal, Markey, and Hawley also have questions for Apple and Google. Google operated a similar app called Screenwise Meter, which also bypassed Apple’s review process using the same enterprise program loophole. A Google spokesperson later told WIRED that using this program in this way was "a mistake, and we apologize."
After the news broke, Apple temporarily suspended both Facebook and Google from the enterprise program, which also meant that employees at Facebook and Google couldn’t access their company’s internal apps for a short period of time.
“Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple,” the company told WIRED when it suspended Facebook.
Apple eventually restored both companies’ access. Now, the lawmakers want to know what the long-term penalties are for developers that violate Apple’s policies and whether Apple is investigating further violations by Facebook and Google.
Google, meanwhile, is facing questions both about its own Screenwise app and the Facebook Research app. The senators want to know why Google has continued to allow Onavo to operate in the Play store and what parental consent assurances Google received from teenage users of the Screenwise app.
Finally, the lawmakers ask all three companies whether they would support legislation to create new privacy safeguards for children and teens. Both Markey and Blumenthal have repeatedly called for this sort of legislation during their time in the Senate. Hawley, who joined the Senate in January, investigated both Google’s and Facebook’s privacy policies as attorney general of Missouri.