We dismantle Facebook's memo defending its "Research" – TechCrunch


Facebook today released an internal memo intended to minimize the damage to morale from TechCrunch's reporting, which revealed that it was paying people in exchange for all their phone data. Obtained by Business Insider's Rob Price, the memo by Pedro Canahuati, vice president of production engineering and security at Facebook, gives us more details about the data that Facebook was trying to collect from teenagers and adults in the United States and India. But it also tries to claim that the program was not secret or spying, and that Facebook did not see it as a violation of Apple's policy against the use of its enterprise certificate system to distribute applications to non-employees, despite Apple's sanctions for the violation.

For reference, Facebook was recruiting users aged 13 to 35 to install a Research application and a virtual private network (VPN), and to give it root network access so it could analyze all their traffic. It's pretty risky to buy people's privacy, and although the program has been stopped on iOS, it still runs on Android.

Here we present the memo with section-by-section responses to Facebook's claims challenging TechCrunch's reporting. Our responses are in bold and we have added images.

Memo from Pedro Canahuati, vice president of Facebook


Early this morning, we received agreement from Apple to issue a new business certificate; this has allowed us to produce new versions of our public and enterprise applications for use by employees and contractors. As we have a few dozen applications to rebuild, we are focusing first on the most critical, ranked by order of use and importance: Facebook, Messenger, Workplace, Work Chat, Instagram and Mobile Home.

New versions of these applications will be available soon and we will send an email to all iOS users with detailed instructions on how to reinstall. We will also publish on iOS FYI with all the details.

In the meantime, we are expecting a New York Times follow-up article later today. I wanted to share a little more information on the situation.

What happened?

On Tuesday, TechCrunch reported on our Facebook Research program. It's a market research program that helps us understand consumer behavior and trends to create better mobile products.

TechCrunch hinted that we had hidden the fact that it was run by Facebook, but we do not. Participants must download an application called Facebook Research App to participate in the study. They also called it espionage, which we do not agree with. People participated in this program knowing that Facebook sponsored this research and were paid for it. They can unsubscribe at any time. When creating this program, we especially wanted to make sure that we were as transparent as possible about what we were doing, what information we were collecting and what it was intended for – see screenshots below.

We used an application that we designed ourselves, but that was not distributed through the App Store, to do this work. Instead, it was sideloaded via our company certificate. Apple said that this violated its terms of use, so it disabled our company certificates, which had allowed us to install our own apps on devices outside the official App Store for internal dogfooding.

Author's response: To start with, "building better products" is a vague way of describing determining what is popular and how to acquire or build it. For years, Facebook has used competitive analytics collected by the similar Onavo Protect and Facebook Research applications to identify applications that are gaining ground and then integrate or package them. From Onavo data, Facebook knew that WhatsApp was sending twice as many messages as Messenger, and that it should invest $19 billion to acquire it.

Facebook claims not to have hidden the program, but it was never officially announced the way all other Facebook products are. There were no Facebook help pages, blog posts or company support information. It used the intermediaries Applause (which owns uTest) and CentreCode (which owned Betabound) to run the program under names such as Project Atlas and Project Kodiak. Users only discovered that Facebook was involved once they had started the registration process and signed a non-disclosure agreement preventing them from discussing it in public.

TechCrunch examined communications indicating that Facebook would threaten lawsuits if a user spoke publicly about being part of the research program. Although the program has been in existence since 2016, it had never been reported on. We believe that these combined facts justify describing the program as "secret."

The Facebook Research program was called Project Atlas until you registered.

How does this program work?

We work in partnership with two market research companies (Applause and CentreCode) to source and onboard candidates based in India and the United States for this research project. Once users are onboarded via a generic registration page, they are informed that this research is for Facebook and that they may refuse to participate or withdraw at any time. We rely on a third-party vendor for a number of reasons, including their ability to target a diverse and representative group of participants. They use a generic initial registration page to avoid bias in the people who choose to participate.

After the generic onboarding, people are invited to download an application called "Facebook Research App", which takes them through a consent flow that requires users to check boxes to confirm their understanding of the information that will be collected. As mentioned above, we have worked hard to make this as explicit and clear as possible.

This is part of a larger set of research programs that we are conducting. Asking users to allow us to collect data on the use of their devices is an extremely effective way to obtain industry data from closed ecosystems, such as iOS and Android. We believe that it is a valid method of market research.

Author's response: Facebook claims it was not "spying", but it never fully explained the types of information it would collect. In some cases, the descriptions of the application's data collection power were included only in a footnote. The program did not spell out the specific types of data collected, simply stating that it would gather "what applications are on your phone, how and when you use them" and "information about your Internet browsing activity."

The Facebook and Applause parental consent form does not list any of the types of data collected or the extent of Facebook's access. Under "Risks / Benefits", the form states "There is no known risk associated with this project, but you acknowledge that its inherent nature involves the tracking of personal information through the use of the applications by your child. Applause will compensate you for the participation of your child." Parents are not informed about the data their children give up.

Facebook claims to use third parties to target a diverse group of participants. Yet Facebook itself runs other user feedback and research programs without needing intermediaries that obscure its identity, and it ran this program in only two countries. It claims to use a generic registration page to avoid biasing who will participate, but the financial incentive and the technical process of installing the root certificate also bias who will participate, and the intermediaries conveniently prevent Facebook from being publicly associated with the program at first glance. Meanwhile, other customers of the Betabound test platform, such as Amazon, Norton and SanDisk, reveal their names immediately, before user registration.

Facebook's ads recruiting teenagers for the program did not reveal its involvement.

Have we intentionally hidden our identity as Facebook?

No – the Facebook brand is very prominent throughout the download and installation process, prior to data collection. In addition, the name of the application on the device appears as "Facebook Research" – see the attached screenshots. We use third parties to identify participants in the research study to avoid bias in those who choose to participate. But as soon as they register, they become aware that this is research for Facebook.

Author's response: Facebook acknowledges here that users did not know that Facebook was involved before registering.

What data do we collect? Do we read private messages from people?

No, we do not read private messages. We collect data to understand how users use the applications, but this market research was not designed to examine what they share or see. We are interested in information such as watch time, video duration and message length, not the actual content of videos, messages, stories or photos. The application specifically ignores information shared via financial or health applications.

Author's response: We never reported that Facebook was reading private messages, only that it had the ability to collect them. Facebook admits here that the program was "not designed to look at what they share or see," but stops short of saying that the data was not collected. Interestingly, Facebook reveals that it was keeping a close eye on the time people spent on different types of media.

Facebook Research abused the enterprise certificate system meant for employee-only applications.

Have we violated the terms of use of Apple?

According to Apple, we violated their terms by sideloading this application, and they decide the rules for their platform. We worked with Apple to solve all the problems; as a result, our internal applications are operational again. Our relationship with Apple is very important. Many of us use Apple products at work every day. We use iOS for most of our employees' applications. Therefore, we would not put this relationship in danger intentionally. Mark and other people will be available to discuss it in more detail during the question and answer session later today.

Author's response: TechCrunch reported that Apple's policy clearly states that the enterprise certificate program requires companies to "distribute provisioning profiles only to your employees and only in conjunction with your applications for internal use for the purpose of developing and testing," and does not allow them to "distribute or otherwise make your in-house applications available to your customers." In its statement, Apple said that Facebook was violating the rules of the program, stating that "Facebook uses its membership to distribute a data collection application to consumers, which is a flagrant violation of their contract with Apple."

Since Facebook was distributing the Research application to teenagers who had never signed a tax form or a formal employment contract, they were obviously neither employees nor contractors, and were most likely using a Facebook-owned service that made them customers. Plus, I'm pretty sure you cannot pay employees with gift cards.
