Facebook Has Just Been Caught Spying On Users’ Private Messages And Data — Again
The last week has seen an immense global backlash following the news that Facebook plans to integrate its three powerhouse messaging platforms – Messenger, WhatsApp and Instagram – into one giant data quarry. If anyone was holding out for some tangible reason to fear the data implications of this, then perhaps the news just in that Facebook has been caught paying teens and young adults for (almost) unfettered access to the private data on their phones will be it.
You get the sense with Facebook that data exploitation, treating the information exchanged by its billions of users as a legitimate domain within which it can casually, commercially trawl, has become so entrenched in the DNA of the organization that it literally can’t help itself. The reports overnight, first broken by TechCrunch, are that “desperate for data on its competitors, Facebook has been secretly paying people to install a ‘Facebook Research’ VPN that lets the company suck in all of a user’s phone and web activity.”
Big Tech, Big Questions
The question is often raised about Big Tech as to whether they have now reached a size and scale where the lack of controls has become a major issue. “Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop.” How about that as a pointer to the answer?
The method deployed in this instance is a VPN that bypasses the safeguards of the app stores and is ‘sold’ as a research project. The access granted in the installation process leaves private messages and chats, web activity and emails open. Last year, Apple removed the Israeli Onavo app, acquired by Facebook in 2013 for up to $200 million, for “snooping” on users in violation of its rules.
With Apple, Facebook has carefully bypassed limits on user numbers and any scrutiny of the app by avoiding the usual TestFlight route. Given Apple’s response to Onavo, it’s no surprise that they have responded equally strongly to this news. In a statement today, they said: “We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.”
Facebook had already made it clear that they would withdraw this application from the iOS platform, ahead of Apple’s statement. But Facebook also made it clear that they didn’t consider there to be any wrongdoing on their part and there was full disclosure at all times. Apple has blocked Facebook’s data plans on their platforms in the past, and, with the social media giant in mind, CEO Tim Cook said last year that “the ability of anyone to know what you’ve been browsing about for years, who your contacts are, who their contacts are, things you like and dislike and every intimate detail of your life — from my own point of view, it shouldn’t exist.”
The linkage between Onavo and Facebook Messenger (and the intelligence garnered by the app as to the relative usage of Messenger and WhatsApp) will have been part of the equation in California as to whether Facebook’s PR machine was too holed beneath the waterline to convince WhatsApp users it could be trusted. The irony that WhatsApp’s success has been built on trust and security, which now risks being dismantled by the big kid who can’t help eyeing the cookie jar, has not been lost on the data privacy and security communities.
Stemming The Tide Or More Of The Same?
It has also just been announced that Nate Cardozo, Senior Information Security Counsel at the Electronic Frontier Foundation, is to join WhatsApp as ‘privacy-guardian-in-chief’. This is intended to help assuage concerns. But this latest news about the continued usage of a research VPN to harvest data will dampen the positive impact of this. It goes to credibility. And asking for forgiveness, rather than for permission, is essentially cultural. For WhatsApp users, and to a lesser extent those on Instagram, there will be worries as to how long the walled garden around WhatsApp can remain in place. The bricks in that wall won’t come down all at once, but trust is a delicate and precious thing – years to build but only days to all come crashing down.
Facebook has three of the world’s leading messaging platforms, servicing 2.6 billion people globally. As first reported last weekend by the New York Times, “the [messaging] services will continue to operate as stand-alone apps, but their underlying technical infrastructure will be unified.” And whilst Facebook has also promised to extend the end-to-end encryption that leading grown-up messaging apps such as WhatsApp promote, that will mean balancing the polarized needs of data exploitation and data security.
The billions paid by Facebook for WhatsApp in 2014 always carried the risk of this kind of move. Facebook has built a business where it supplies convenience and functionality in return for data exploitation. In essence, you pay for all the fun with the understanding that you are being farmed around the world’s largest bloc of advertisers, who spend increasing percentages of their budgets selling something specifically designed to appeal to you, or someone very like you.
Instagram, also being integrated under these new plans, is less of a stretch. Their entire commercial model fits with Facebook’s. In fact, through their influencer model, they arguably have an even more powerful and future-proofed platform. Although, again, this has not been without controversy. The photo service hit the news this month, with some of the best known of its influencers agreeing to be more open about where they are being paid to promote.
Facebook Responds And Pulls The App
Following the news, Facebook responded by pulling the app and defending its use. “Despite early reports, there was nothing ‘secret’ about this,” they said in a statement, “it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear onboarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
Despite this, what has been seen today is the new reality for Facebook. The coming months will be dominated by headlines over any perceived data breach or misuse, as the company continues to put its PR low points of 2018 behind it. Their challenge is getting the clear blue water from scandal and controversy to make that possible. This last weekend saw the messaging integration controversy followed by Instagram (and others) caught up in the U.K. teen-suicide scandal, followed now by this. The 10-year-challenge meme earlier in the month, where users quickly questioned Facebook’s motives and whether this was indeed just the harmless fun the company claimed or a clever-ish facial recognition training exercise, shows what they’re up against.
Ultimately though, this is about culture and fundamental respect for privacy. If user data is treated as a commodity to be traded, and if safeguards are treated as a challenge to be overcome, then self-regulation will not suffice. The problem, as seen with everything from tax to national security, is that companies that deal in billions of users and operate globally are hard to pin down. And so, self-evidently, it will come down to the users themselves. As long as we complain but do nothing more, as long as we continue to become ever more entrenched in our social media platforms with all the good and bad they bring, then the cookie jar will get ever bigger, and the kid eyeing it ever greedier.