Apple says it’s banning Facebook’s research app that collects users’ personal information

By Kurt Wagner

Facebook CEO Mark Zuckerberg.
Alex Wong/Getty Images

Facebook is at the center of another privacy scandal — and this time it hasn’t just angered users. It has also angered Apple.

The short version: Apple says Facebook broke an agreement it made with Apple by publishing a “research” app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users’ app history, their private messages, and their location data. Facebook’s research effort reportedly targeted users as young as 13 years old.

As of last summer, apps that collect that kind of data are against Apple’s privacy guidelines. That means Facebook couldn’t make this research app available through the App Store, which would have required Apple approval.

Instead, Facebook apparently took advantage of Apple’s “Developer Enterprise Program,” which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren’t available to the general public.

Apple doesn’t review and approve these apps the way it does for the App Store because they’re only supposed to be downloaded by employees who work for the app’s creator.

Facebook, though, used this program to pay non-employees as much as $20 per month to download the research app without Apple’s knowledge.

Apple’s response, via a PR rep this morning: “We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

Translation: Apple won’t let Facebook distribute the app anymore — a fact that Apple likely communicated to Facebook on Tuesday evening. Apple’s statement also mentions that Facebook’s “certificates” — plural — have been revoked. That implies Facebook cannot distribute other apps to employees through this developer program right now, not just the research app.

Prior to Apple’s statement but after the TechCrunch story broke, Facebook had already said it was ending its research program. But it pushed back on the idea that it did anything wrong in collecting the user data. Facebook says this program has been ongoing since 2016, which could be evidence that the company wasn’t trying to skirt Apple’s new policies. Facebook did not, however, comment on whether or not it violated Apple’s policies by distributing the app through the Developer Enterprise Program.

Here’s Facebook’s statement:

Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.

The most important part of this story may be that Facebook appears to have pissed off Apple, a company that it relies on to deliver all of its apps to iPhone users around the world. It’s highly unlikely Apple would pull Facebook, Instagram, or WhatsApp from the App Store, but it’ll be telling to see if Apple tries to punish Facebook in some other way.

The two companies already have a contentious relationship, and this won’t help.

The story also shows how important it is for Facebook to collect data on other apps people use on their phones. It’s a big competitive advantage, and collecting this kind of data isn’t foreign to Facebook. The company actually collected similar user data through a separate app Facebook owns called Onavo Protect, which was just removed from the App Store in August for violating Apple’s guidelines. (It’s still available for Android users.)

Onavo is a virtual private network, which means that users who downloaded it agree to route their internet traffic through a Facebook-owned server. Facebook, in exchange, helps people monitor how much data they’re using and will alert users for issues, like if their “internet connection is not secure.”

But Onavo’s real value to Facebook is that it allows the company to collect all kinds of behavior data from people’s phones — such as competitive data like which apps they use. Data from Onavo helped Facebook execs learn that Snapchat user growth was slowing after it copied Snapchat’s popular Stories product, according to the Wall Street Journal. Facebook also used Onavo to track WhatsApp’s growing user base before buying the messaging platform for $19 billion back in 2014, BuzzFeed found.

In other words: There are a lot of reasons Facebook wants to know what apps people are using, which explains why it went to such lengths to get around Apple’s App Store guidelines.

It’s unclear if Facebook’s actual data collection through this research app poses any risks to the company. Facebook did pay users for using the app. But Facebook is also under investigation from the FTC, which is looking into its data privacy practices. Anything that feels fishy will most certainly attract regulators’ attention.