Legislators want more information about Facebook’s Project Atlas program, which collected data from adolescents and circumvented the privacy policies of device manufacturers.
Following a recent TechCrunch report that Facebook used an iOS and Android app to monitor the phones of users as young as 13, THREE of the Senate’s most prominent privacy advocates are sending letters to executives at Facebook, Google, and Apple on Thursday. Research, also known as Project Atlas, was an app that provided Facebook with complete visibility into users’ app activity, web searches, encrypted data, and even private messages.
Now, senators Richard Blumenthal (D-Connecticut), Ed Markey (D-Massachusetts), and Josh Hawley (R-Missouri) want more information from Facebook CEO Mark Zuckerberg, Apple CEO Tim Cook, and Google’s senior vice president of platforms, Hiroshi Lockheimer, regarding the app’s origins and the information it collected, particularly from minors.
The letters to all three companies read, “These reports align with long-standing concerns that Facebook has used its products to deeply invade personal privacy.” (Each letter is reproduced in its entirety below.) Taken as a whole, the legislators’ questions acknowledge the colossal and unprecedented power of the three giants and inquire about the strategies they employ to maintain it.
The majority of senators’ questions are directed at Facebook and center on the company’s alleged efforts to target adolescents and circumvent device manufacturers’ privacy policies. Facebook stated that only 5% of the app’s users were teenagers, but lawmakers are still interested in whether Facebook specifically targeted teens with Atlas advertisements. In addition, they question why the parental consent form that the app’s teen users were required to submit was “less stringent” than the one that Messenger Kids required.
There are also questions regarding how Facebook distributed the application. Before the release of the Research iOS app, Facebook operated a comparable iOS application called Onavo. Apple removed it from the App Store last year, citing a prohibition on apps that collect data from other third-party apps. Facebook avoided the App Store entirely with the Research app by utilizing a feature of Apple’s Developer Enterprise Program that allowed iOS users to download the app from a web browser. However, the program is designed for businesses to distribute app updates to their employees, not to consumers. Facebook terminated its iOS application following TechCrunch’s report.
The question of what information Facebook used and why is likely the most pressing. Experts have observed that the Research app installed what is known as a “root certificate” on users’ phones, granting the company complete visibility into users’ activities. However, it remains unclear whether Facebook analyzed and stored all of that data. Legislators hope to clarify the matter.
Specifically, they want to know if Facebook collected and stored data regarding the messages Research users received from others. Facebook has responded to these reports by stating that users were informed of the app’s access capabilities and were even compensated for downloading the app. “Contrary to early reports, there was nothing secret about this; it was called the Facebook Research App,” a Facebook representative stated at the time to TechCrunch. “It was not spying because everyone who signed up to participate went through a clear onboarding process asking for permission and was compensated for their participation.”
However, third parties who sent messages to these users likely had no idea their information was being collected. Facebook did not respond to WIRED’s inquiries regarding this topic.
Blumenthal, Markey, and Hawley have questions for Apple and Google in addition to Facebook. Using the same enterprise program loophole, Google’s Screenwise Meter app also circumvented Apple’s review process. A Google spokesperson later told WIRED that the use of this program in this manner was “in error, and we apologize.”
After the news broke, Apple temporarily suspended both Facebook and Google from the enterprise program, preventing Facebook and Google employees from accessing their company’s internal applications.
When Apple suspended Facebook, the company told WIRED: “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear violation of their agreement with Apple.”
Apple eventually restored access for both companies. Now, lawmakers want to know what the long-term consequences are for developers who violate Apple’s policies and if Apple is investigating Facebook and Google for additional violations.
Meanwhile, Google is being questioned about both its Screenwise app and the Facebook Research app. The senators want to know why Google has allowed Onavo to continue operating in the Play store and what parental consent assurances Google received from teen users of the Screenwise app.
Finally, the legislators inquire of all three companies whether they would support legislation establishing new privacy safeguards for children and adolescents. During their time in the Senate, both Markey and Blumenthal have repeatedly called for this type of legislation. As Missouri’s attorney general, Hawley investigated both Google and Facebook’s privacy policies before joining the Senate in January.