The one thing that’s probably even more valuable these days than gold or oil is data. Data from millions of smartphone users around the globe. It allows companies like Facebook and Google to tailor-make ads, do targeted marketing and monitor user behaviour to create even more addictive smartphone experiences.
Every swipe on the phone, every minute spent on an app, every website visited, every photo clicked and every place visited is valuable data to these companies. The trouble is that smartphone companies like Apple value user privacy quite highly and hence don’t allow easy access to data that can track user behaviour among iPhone users.
That’s where Facebook and Google have had to resort to underhand tactics to coerce some users into parting with their private data, in some cases without their full knowledge or consent, in order to develop their apps. In late January 2019, Apple found out about these tactics and pulled the plug on apps from Facebook and Google.
Facebook was found to be misusing an “enterprise-certificate” granted by Apple for its beta-testing apps. These enterprise certificates are issued to developers for internal use, to allow them to install apps on iPhones for development purposes, without having to place them on the App Store. The app, however, has to abide by Apple’s user policies.
What Facebook had done was to use the same enterprise certificate to authenticate another “Research App” that it was distributing through third-party sources. This allowed iPhone users to download this app from outside the Apple App Store and ensured it worked on their phones. This innocuous-looking “Research App”, however, was found to be collecting user data in violation of Apple’s user privacy policies.
And, of course, it was found to be using the wrong enterprise certificate, which led Apple to pull the plug on it, also incapacitating all the other internal Facebook developer apps that were using the certificate. Apple has since restored access after Facebook took down the particular “Research App”.
Google was running an app called Screenwise Meter that it was distributing outside of Apple’s App Store through third-party sources. Again, like the Facebook Research app, this was using an enterprise certificate that was not meant for this particular app.
The Screenwise Meter app was meant to study user behaviour. It is a VPN (virtual private network) app which monitors all data traffic going in and out of a user’s phone. To incentivise users to use the app, Google was distributing gift cards to users who downloaded the app and ran it on their iPhones.
This was in direct violation of Apple’s privacy policy, although users did have to give their full consent to the use of their data. The app is still available to Android users, in case they wish to be guinea pigs for Google.
Apple has a pretty strict data-privacy policy. Even data-privacy laws like the European GDPR frown upon sneaking data from users’ phones without their explicit consent. However, for companies like Facebook and Google, studying the usage pattern of smartphone users is critical to their app development.
In Facebook’s case, some reports state that the earlier Onavo Protect app that it had distributed actually gave it a competitive advantage. It managed to figure out how applications like Snapchat were gaining popularity, and quickly brought the same features to Instagram and Facebook.
Since Apple’s App Store policy does not allow mining of user data, especially with VPN-like apps, both Google and Facebook had to distribute them through third-party app distributors. However, to get them to work on the iPhone, these apps needed a certificate of authentication – the enterprise certificate. Since Apple wouldn’t have granted a certificate for the purpose these apps were being developed, Google and Facebook resorted to using an enterprise certificate that was originally meant for other developer apps.
Google’s Screenwise Meter app and Facebook’s Research app were both distributed in the form of VPN apps – Virtual Private Network apps that can emulate different locations by modifying the IP addresses used by these phones. VPNs are useful when you want to access content that’s not currently available in your region.
Now, in order for the VPN to function, it has to have all data traffic routed through it. This allowed Facebook and Google to access all data going to and from users’ phones. This includes websites visited, the time spent on sites, the kind of content being browsed etc. It’s not clear if passwords and personal data were also accessible by these apps.
However, since Facebook was paying people to use its Research App and even Google was doling out gift cards, users were kind of aware of what they were signing up for.
That brings into question the legality of these apps. While the user agreements / privacy policies that users have to agree to when downloading these apps do mention that they will be accessing user data, not many users really read the fine print of these agreements.
Since they have agreed to use these apps and have downloaded them on their phones, it is technically legal. However, what was illegal was the enterprise certificate that these apps were using to be able to function on iPhones. The enterprise certificates that Apple doled out to Facebook and Google were for other developer apps for internal purposes, which these companies used on these research apps.
That’s clearly a violation of Apple’s policy and hence is illegal.