The Value of Privacy: How Facebook Paid for Access to the Personal Data of Teens and Adults

Crystal N. Lowery

Associate Editor

Loyola University Chicago School of Law, JD 2020

On January 29, 2019, TechCrunch released an investigation finding that Facebook had been paying users as young as 13 for unlimited access to their data. Facebook marketed the  application, not available through the iOS app store, to users aged 13-to-35 by offering to pay $20 per month plus referral fees for downloading and using a “Facebook Research” app. The app, once downloaded, provided Facebook with unrestricted access to all private data on the users iPhone including messages, photos and videos, and website usage. This was not the first app launched by Facebook to track user’s data, Apple removed a similar app called Onavo from the app store in 2018. This app is a clear violation of the 2011 consent decree Facebook signed with the Federal Trade Commission.

The Requirements

Apple provides a Developer Enterprise Program allowing companies to distribute apps for internal company usage. The Enterprise Program provides developers an opportunity to download and test beta versions of apps not yet available to the public. These apps are not accessed via the app store, but downloaded via company websites. The Enterprise Program policies limit the developer’s usage to in-house apps, and states that any developer distributing apps to consumers will lose access to the program. These apps allow users to consent to root network access, which provides the developer with access to users’ app activity, web searches, encrypted data, and even private messages.

The Violations

Facebook began marketing a Facebook Research app, sometimes referred to as Project Atlas, primarily to teens via Instagram. The Research app requested root access to the user’s phone, and went as far as to ask users to screenshot Amazon order history page to collect data about purchasing history. In return, Facebook paid $20 per month to users in the form of electronic gift cards. The app collected “private messages in social media apps, chats from in instant messaging apps, photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps” that were installed. Facebook has not released information on how the data was stored or used, or how whether the data will be sold or destroyed.

Facebook argued that any user who installed the app was fully aware of the data collection. The Research user agreement required consumers consent to allowing Facebook collecting information about which apps were installed on the phone and how they were used, data produced from those apps, and how other people interact with the consumer on the apps. The users also consented to letting Facebook collect internet browsing activity and information shared between the consumer and websites. Facebook used these apps in the past to collect user information when purchasing or building new platforms and expanding user experience. Facebook initially denied violating Apple’s user agreements, but later agreed to remove the Research app.

The Resolutions

After TechCrunch released its investigation, Facebook agreed to shut down the Research app, however Apple was first to the scene and immediately blocked the app. Additionally, Apple removed Facebook’s access to the Enterprise Program, blocking Facebook’s access to all apps used in-house.  Apple restored Facebook’s access to the Enterprise program two days later, allowing Facebook employees to use in-house apps.

The exposure of the Research app has far bigger implications for Facebook in the wake of Federal Trade Commission (FTC) violations and fines. In 2011, Facebook signed a consent decree with the FTC as part of Cambridge Analytica scandal. In its consent decree, Facebook agreed to obtain express consent from users of any Facebook product or service. Additionally, Facebook agreed to not to misrepresent the extent to which it maintains the privacy or security of user information, and to provide a “data use policy”. This includes expressly notifying users of any third-party access to their data. In the consent decree, Facebook also agreed to comply with any privacy, security, or compliance program sponsored by a third party.

While the violation of Apple’s Enterprise Program appears to be resolved, Facebook is in clear violation of the FTC consent decree. Violations of the consent decree include revocation of the agreed upon decree, monetary penalties, and harsh privacy agreements which could affect Facebook’s ability to obtain any consumer data. The consent decree states that the FTC can fine Facebook up to $16,000 per day for each violation. The FTC could fine Facebook for each user of the Facebook Research app, an amount of people that is currently unknown.

Over the past few years, Facebook has shown clear apathy for the protection of user data and the privacy rights of consumers. With such blatant violations of third-party and governmental regulations, Facebook continues to collect, use, store, and sell individual user data. United States Senators have questioned Facebook’s use of the Research app and intend legislate the use personal data by creating privacy safeguards for teens and children.