Apple Says It's Banning Facebook's Research App That Collects Users' Personal Information (recode.net) 109
Facebook is at the center of another privacy scandal -- and this time it hasn't just angered users. It has also angered Apple. From a report: The short version: Apple says Facebook broke an agreement it made with Apple by publishing a "research" app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users' app history, their private messages and their location data. Facebook's research effort reportedly targeted users as young as 13 years old.
As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public. Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore. Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.
As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public. Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore. Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.
Re: (Score:2)
I'm pretty sure women do not want Facebook to have records of their PMS periods.
Ban everything with Facebook (Score:1)
Anything associated with Facebook should be banned. Facebook is a company not interested in protecting their users they only want to exploit them for monetary gain.
Re: Ban everything with Facebook (Score:1)
#deletefacebook, its a platform designed to abuse and dehumanise people as data. It has been weaponised since the beginning when Zuck the Cuck used it as a stalking tool, and progressed to unlicensed unethical mood manipulation research on at risk teens amid soaring youth suicide. It enabled a lot of organised crime too, Facebook is in that category #deletefacebook
Re: (Score:1)
.. everything looks like a confederate flag.
Re:Bad Apple (Score:5, Insightful)
You make it sound as if Apple arbitrarily reached out and nuked an app. They didn’t. They nuked a app that showed a flagrant disregard for the rules that everyone had agreed to.
Facebook broke specific terms in the license that say enterprise apps are expressly disallowed from being used by customers unless they are being supervised physically by an employee or are being operated on the company’s premises. Facebook made no attempt at abiding by the rules and engaged in behavior that many people are suggesting may actually have been criminal in nature.
But hey, if you want to shill for them and blame Apple, go ahead.
Re:Bad Apple (Score:5, Informative)
Note: I have not read Apple's TOS for their enterprise application deployment.
If it is the case that Apple's enterprise application deployment license dictates that it's only to be used by employees or those being directly supervised by an employee, then, it's certainly fine for apple to ban this application for its flagrant disregard for their own terms. They want to control distribution of apps to the public through their app store, but allow for private distribution within enterprises. Facebook agreed to not try to go around this, but did so anyways.
Re: (Score:3, Informative)
I'm sorry but you are factually wrong on it being an overreach by Apple.
Apple's terms expressly allow certain use of their Enterprise certificates by developers, everything else not stated in the T&Cs is forbidden. Facebook broke the conditions set out in the T&Cs by distributing the app outside of its employees (not covered by any of the exceptions).
Apple have every right to revoke the app and would be within their rights to terminate the developer full stop (but obviously that won't happen in this
Re: (Score:3)
Re:No, bad apple (Score:5, Informative)
Apple didn't ban Facebook's app because it was spying on users or because it was offensive. Apple banned Facebook's app because it was being used by end users. Except in some VERY narrow cases that don't apply here, end users are expressly forbidden from using apps licensed under the terms of the Apple Developer Enterprise License Agreement [apple.com]—which is appropriately subtitled "(for in-house, internal use applications)"—that Facebook agreed to.
Companies are welcome to make anything they want for internal purposes, be it an app for inventory management, an app to order food from the in-house cafeteria, or an app to make coordinating human sacrifices to Satan easier, so long as the app remains internal. Facebook broke that cardinal rule.
Re: (Score:1)
So why is that restriction in place? It doesn't need to be.
I own my iPhone. If I want to run a Facebook app on it, that's my business. Not Apple's. The terms are there, but they are not reasonable.
Re: (Score:2)
So why is that restriction in place? It doesn't need to be.
Your statement is predicated on a willingness to compromise certain priorities. I presume Apple wants to provide certain minimum guarantees with regards to reliability and security and that they view those restrictions as a necessity in order to provide them. If that's the case, then they have no choice but to have those restrictions in place. You may think otherwise, but that seems to be because your priorities are misaligned with theirs, so you're having trouble understanding their perspective.
If I want to run a Facebook app on it, that's my business. Not Apple's.
Asserting a
Re: (Score:2)
Nope. It's because I'm not party to an agreement between Apple and Facebook.
Re: (Score:1)
Yes. It is OK for Apple to block any and all apps it deems offensive, inappropriate, or in violation of its T&C. Apple owns the distribution platform. It is not a public resource, it is owned by a corporation. And that corporation has every right to do with it as it pleases.
If you don't like it, don't use it, period.
Re: (Score:2)
Thats the sin of publication and the curating of the internet part
Does Apple have a DUTY to terminate? (Score:2)
Apple's terms expressly allow certain use of their Enterprise certificates by developers, everything else not stated in the T&Cs is forbidden. Facebook broke the conditions set out in the T&Cs by distributing the app outside of its employees (not covered by any of the exceptions).
Apple have every right to revoke the app and would be within their rights to terminate the developer full stop (but obviously that won't happen in this case).
The app was deliberately used to grossly violate user's rights.
Re: (Score:2)
This particular app was explicitly created and marketed as "give us your information, we'll pay you for it". This app does NOT violate the user's rights at all.
Agreed.
Re: (Score:2)
I am not defending facebook at all. I am just saying this a bit of an over-reach on the part of Apple I think.
What exactly do you think the appropriate response should be in dealing with what you term a "malicious actor?"
Re:Bad Apple (Score:5, Informative)
I think you're misunderstanding something about this story, but I'm not sure what. This seems to be what happened:
Apple has privacy protection built into their products to protect their customers. There are limits to the amount of control an App has over a device, and what data can be collected. They do things like, just as an example, prevent Facebook from snooping on every site you visit on your phone's browser just because Facebook's app is installed.
However, Apple doesn't these rules to hamstring large business customers from having control over their own devices. For example, maybe some company wants to use iPads for industrial purposes in their warehouses to track inventory. For iOS to be a good platform for that, the company wants to be able to develop their own app that can take greater control of the device than Apple normally allows. Ok, fine, Apple has a developer program for large businesses to cater to that kind of thing.
Apple lets big businesses have greater control over their own devices, but as part of the agreement to allow that, Apple specifies that they're only allowed to use this greater level of access on their own devices, and not use it to distribute apps to consumers. Otherwise, developers could just use this access willy-nilly to get past all of Apple's security and privacy protection. Seems reasonable enough, right?
Now along comes Facebook, and they do the exact thing Apple says not to do, and for the exact reason Apple says not to do it. They use their Enterprise program to sidestep Apple's privacy protections so that they can spy on Apple users. In response, Apple revokes their ability to distribute apps that way.
Now if I'm being honest, I'd prefer that Apple allowed us all to use apps from outside of the App store. I don't really like the walled garden, and I'd prefer that Apple not rely on walled gardens for security. However, given that there is a walled garden and Apple does rely on it to secure their devices, it only makes sense that they'd enforce it.
Ultimately, it boils down to this: Facebook entered into an agreement with Apple in order to receive a greater level of access than developers normally have. Facebook then violated both the letter and spirit of the agreement, so Apple responded by revoking that greater level of access. I don't see any valid interpretation for how Apple is in the wrong here.
Re:Bad Apple (Score:5, Informative)
Replying to myself since a lot of people seem to be under the woefully incorrect impression that Apple's license terms are in some way vague about this stuff. They aren't. Not at all. Facebook agreed to the Apple Developer Enterprise License Agreement [apple.com], which—I can't make this stuff up—is actually subtitled "(for in-house, internal use applications)". I'm not even kidding. And it appears it was last updated in October, well before this scandal made the news.
Emphasis is mine unless otherwise noted.
The Purpose section, right at the top of the document, starts with:
Your company [...] would like to use the Apple Software (as defined below) to develop one or more Internal Use Applications (as defined below) for Apple-branded products[...] and to deploy these Applications only for internal use within Your company [...]
In the very next paragraph is this note:
Note: This Program is for internal use, custom applications that are developed by You for Your specific business purposes and only for use by Your employees and, in limited cases, by certain other parties as set forth herein.
So how do they define "Internal Use Application"? Like this:
“Internal Use Application” means a software program [...] that is developed by You on a custom basis for Your own business purposes (e.g., an inventory app specific to Your business) [...] and solely for internal use by Your Employees or Permitted Users, or as otherwise expressly permitted in Section 2.1(f). Except as otherwise expressly permitted herein, specifically excluded from Internal Use Applications are any programs or applications that may be used, distributed, or otherwise made available to other companies, contractors [...], distributors, vendors, resellers, end-users or members of the general public.
So, basically, you can't distribute your apps outside your company. But just in case someone thinks they're being sly with mention of "Permitted Users" and "Section 2.1(f)":
“Permitted Users” means employees and contractors of Your Permitted Entity who have written and binding agreements with You or Your Permitted Entity to protect Your Internal Use Application from unauthorized use in accordance with the terms of this Agreement.
I.e. Not the sorts of people who were using the app in question. Not at all. And what about Section 2.1(f)? Section 2.1 lists out the comprehensive set of acceptable uses. They basically boil down to these:
- 2.1(a)(b)(c)(d)(g): Developers/testers working on the app are allowed to do typical developer/tester stuff for development/testing purposes
- 2.1(e): Your company's employees can install provisioning profiles to use the app for internal use only
- 2.1(f): Your customers can use the app, but only when they are "on [y]our physical premises" or under "the direct supervision and physical control of [y]our [e]mployees"
And then right after that section, they add:
Except as set forth in Section 2.1, You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers or to any third parties in any way
All of which is to say, Apple really couldn't get more explicit about the fact that this license is only for internal use only, which Facebook was grossly and flagrantly violating. The only way they couldn't have known better was if Facebook literally skipped the bolded subtitle of the document, the first paragraph, the second paragraph, all of the definitions of terms, and a section that was pointed to numerous times throughout the document that spells out appropriate uses.
Re: (Score:2)
Re:Bad Apple (Score:-1, Informative)
^^^
Well, In the typical Slashdot meme. Facts get -1 Informative. You can't make this shit up people! Goes to show, life is comedy. I love it.. lol
Re:Bad Apple (Score:5, Informative)
Re: (Score:2)
I don't think you understand how enterprise provisioning profiles work, given that they can bypass permissions altogether.
Re: (Score:3)
I am going say Bad Apple on this one. As I stated on the other article I am not sure that this app really could do a lot of the things that are being claimed. Terrible for privacy sure, but apps implementing ATS and other best practices should still have been secure.
So now we have Apple essentially ban hammering an application outside the app store. Think about that. If you have an enterprise, and your write an application, to run on devices you have purchased; Apple might still come along and disable it; if they don't like you or it!
This isn't really good for users, this is really anti-freedom/anti-ownership type action here. Just because it might protect a few dolts from malicious actors like facebook, does not automatically make it good.
Uhhh do you know how Apple devices work? The people installing this app basically gave Facebook enterprise control of their devices. This means that Facebook had access to EVERYTHING. Installed apps, text messages, call history, location data, etc is all available to an enterprise owner of a device. This is why you should not use BYOD with your personal phone if the employer requires enterprise provisioning of the device. And most people, including yourself it seems, are unaware that such a capability e
Re:Bad Apple (Score:4, Insightful)
I expect you just hate Apple because they are Apple.
However, this is a case where this Enterprise Developer Program which was given to trusted sources, and I expect were told to play by the rules, with their elevated rights and freedom, which Facebook abused.
It is like you welcomed a friend into you home. They are allowed to get some food out of the fridge if they were hungry or thirsty. They took the dessert you had made for after dinner, and it was rather obvious that was its intent. So this person abused the privilege they were granted, and you have the right to kick them out of your house or not invite them back in again.
From Star Trek VI: Let us redefine progress to mean that just because we can do a thing, it does not necessarily mean we must do that thing.
Re: (Score:1)
Re: (Score:2)
>I expect you just hate Apple because they are Apple.
I seriously detest Apple. But I've got to say they did the right thing here.
Re: (Score:3)
I am going say Bad Apple on this one.
And you are absolutely completely wrong on this.
Apple has an "Enterprise Developer" program that lets companies joining the program develop applications that they can download without any review by Apple to the phones owned by the enterprise. There is absolutely no permission to give these applications to anyone outside the company. The terms and conditions, which are in a contract signed by FaceBook, state very, very clearly that FaceBook had no permission to do what they did, and that violation of the
Re:Bad Apple (Score:5, Insightful)
So now we have Apple essentially ban hammering an application outside the app store. Think about that. If you have an enterprise, and your write an application, to run on devices you have purchased; Apple might still come along and disable it; if they don't like you or it!
F***ing nonsense. The whole point is that they _didn't_ run the app on devices that FaceBook purchased.
Re: (Score:2)
By "pulled for any reason", you apparently mean "flagrantly disregarded the cardinal rule of the license, which is spelled out in plain language in the subtitle, first paragraph, second paragraph, definitions, appropriate use section, etc. of the license to which they agreed". The license Facebook agreed to [apple.com] is subtitled "for in-house, internal use applications". It really couldn't be any clearer. You can make apps for internal use, so long as they remain internal.
I'd be freaking out if my enterprise app was based in i devices right now.
Why? Are you breaking the cardinal rule of t
Re: (Score:2)
Well, it is only partially nonsense. In this particular scenario, what he is saying is pointless... but this does actually point out the fact that Apple COULD deeply affect your business in this way even if you did not break a rule. That is the possibility that is scary. In this particular scenario, everything was kosher and above board. :)
Re: (Score:2)
Enterprise distribution requires a license and while apple does allow you certain ability to use undocumented APIs to do things that would not be allowed in the App Store there are still limits. Additionally enterprise distribution is for exactly that, enterprise, not distributing apps to the general public so that you can undermine the protections people assume are in place thanks to the App Store and get at their data.
If a company wants to do this with their employees devices thats one thing, distributin
Re: (Score:2)
So Facebook completely ignored the terms of the license they agreed to when purchasing the enterprise program. Even when you develop using the enterprise program you still have to register the certificate of your applic
Re: (Score:2)
Re: (Score:2)
I am going say Bad Apple on this one. As I stated on the other article I am not sure that this app really could do a lot of the things that are being claimed. Terrible for privacy sure, but apps implementing ATS and other best practices should still have been secure.
I'm not. The app installs a Facebook root certificate. Once that happens it's Game Over for any app to have any privacy.
Re: (Score:2)
I was honestly surprised that Apple banned this before Google did.
The more we learn about Facebook... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
I think that's exactly what has happened, as evidenced by Apple's statement : Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."
Re: (Score:2)
The enterprise cert is distinct from the App Store cert... I'm not sure if apple nuked the enterprise cert but it sure seems like facebook is still in the App Store.
Re: (Score:3)
Their enterprise account just got nuked (their Enterprise certificate probably got revoked, which kills al
Re: (Score:2)
Nope, all Enterprise Facebook apps down. (Score:2)
Reports are all Facebook internal iOS apps (and betas) are dead.
Re: (Score:2)
Re: (Score:2)
Nuking the enterprise cert is going to give Facebook some pain, making it harder to beta-test apps and harder to use iphones for internal applications, but it's likely to be manageable pain.
Nuking the facebook app from the appstore would likely to significant damage to both Apple and Facebook.
Dear Facebook Users... (Score:5, Informative)
Re: (Score:2)
Oh wait they paid people to use the VPN...
No, they paid people to install spyware on their device(s). Facebook paid them, in order to fend off the lawsuits that were sure to pop up later.
So congratulations, you sold almost all of your personal info for $20/month. But hey, you can tell your friends that you work for Facebook.
Well (Score:5, Insightful)
Re: (Score:2)
No, they revoked their developer certificate. That has huge ramifications.
https://www.independent.co.uk/... [independent.co.uk]
Apple controls critical infrastructure (Score:1)
Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore.
So forget the Facebook VPN scandal for a moment here. Apple can, at their whim, make an application not work on your device. That's dangerous. The economic damage one company could do by simply revoking a critical app could outstrip the impact of the 9/11 attacks.
We absolutely must not allow companies to wield this kind of power. Amazon should not be able to revoke e-book licenses, Apple and Microsoft and Google should not be able to revoke application licenses, etc. Imagine if they chose to do it to a
Reminds me of cable vs. channel wars (Score:2)
From time to time a cable channel will spar with a provider, think TBS vs TimeWarner or whatever. Each one thinks their customer base will forgo the other one. In this case, lets say that Apple went full nuclear on FB and just stopped their app entirely. "Dear Apple iPhone user, you have 30 days then FB app stops working" I really wonder what people would trade, their iPhone or FB.
I think FB is like cable TV, people waste an inordinate amount of time on it, think they are dependent, but just like when
repeat offenders (Score:2)
"Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore."
If they were not repeat offenders against user privacy and Apple's store policies, they might not get treated like this.
But they are and they do.
Research app? (Score:2)