Facebook 0, Apple 1; Google is Collateral Damage

January 31, 2019 CyberCecurity Leave a comment

You would think that in light of all of the negative publicity that Facebook has had, it would reign in some of it’s badder practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect. The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan) Apple banned the product from the iWorld.

Well Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple store, in part to protect users and in part so that Apple can control developers. But, in order to get enterprises to allow employees to use iPhones for work, Apple created an Enterprise signing certificate. According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app to users age 13 to 35 where Facebook paid users up to $20 a month plus referral fees to install an app called Facebook Research. Under the hood, it is just Onavo Protect that collects all of a user’s Internet activity so that they can better target that high value demographic. To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate. Not only did this shut down the Facebook Research app, but also shut down any iPhone apps that Facebook was using internally to run it’s business. This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly and Apple also revoked their enterprise cert. Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook. Google shut down the service before Apple whacked them and apologized. Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them. Some Congress-people are suggesting a new law may be required. Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month. Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth. There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults think that selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month, I guess that is okay, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them; they wouldn’t keep that data. Or use it. Or sell it.

Definitely a case of buyer beware.

Information from the post came from Apple Insider, here and here.