Time to Say Goodbye to Facebook?


Facebook have once again been caught with their trousers down in the data-slurping stakes having broken Apple’s rules for iOS apps.

Rules?

iOS development comes in two flavours - a standard Developer certificate allows you to publish apps to the App Store. These apps are vetted (to a greater or lesser degree) by Apple for security purposes - to ensure for instance that they’re not doing anything that isn’t on the label - e.g. trying to phone home with 24/7 GPS data, snoop on your phone calls or even just listen to your microphone constantly.

Enterprise Certificates are designed to bypass this process for a company’s internal or in-development applications. Apps can be passed to other departments for feedback, or used for strictly internal processes (e.g. a private chat app, or internal directory and information apps). In businesses the size of Caterpillar or Google there are all sorts of internal systems that the public go blissfully unaware of, and Apple don’t really care if an enterprise is monitoring (say) network traffic on that enterprise’s own devices.

For those unaware, these “Certificates” are cryptographic certificates used to “sign” the app so that Apple devices will know that they’re from an Apple-approved developer. An iPhone or iPad will refuse to run an unsigned app (unless you’ve rooted your device).

So, what’s new?

Facebook’s “Onavo VPN” app (which basically sent 100% of your browsing data to Facebook) had already been banned from Apple’s App Store for breaching privacy guidelines. So they re-signed it using an Enterprise Certificate and distributed it for people to “side-load” as they would a legitimate internal enterprise app. This is strictly against Apple’s Terms and Conditions. But hey, what’s a few T&Cs amongst friends eh? And Facebook paid people to participate. Honest trade is no theft, surely?

Well, maybe, except that children as young as 13 were installing this app onto their devices and whilst they were receiving those rewards as payment for all their personal data, it cannot be argued that they had given their “informed consent” in any meaningful way to the sort of surveillance that Facebook was subjecting them to. If any of those kids were in the EU, I look forward to the impending GDPR slap-down.

On Wednesday, Apple revoked Facebook’s Enterprise Certificate, which meant that iOS devices stopped trusting those apps. It also had the effect of nuking a number of apps which Facebook employees were legitimately using internally.

Google then got the same treatment, as Apple realised that the “Screenwise Meter” app was also gobbling up user data.

Those certificates have now been reinstated, and the apps banished.

So what?

What this episode does, is underline Facebook’s deep disregard for privacy or indeed the law. They claim for instance that “they do not know if any EU citizens were affected”. I’m sorry, you intimately monitored thousands of devices and recorded all their traffic but can’t tell me what country they were in? Pull the other one!

Sadly, episodes like this (even in the wake of the Cambridge Analytica scandal) are unlikely to convince the majority to ditch Facebook, but they should. We should continue to move to less centralised or even self-hosted services where we can retain control of our data and move between service providers if one should prove untrustworthy.

Facebook have proved yet again that they are an untrustworthy business, unworthy of our time and unfit to hold our personal data.

Bootnote - WhatsApp Messenger?

If you didn’t know, Facebook own WhatsApp. They’ve already been in trouble for cross-referencing WhatsApp user data with Facebook data, but have gone ahead and announced that they will be merging the Facebook Messenger, Instagram and WhatsApp infrastructure. Given that those are three of the largest messaging services on the planet, there are obvious monopoly/anti-trust concerns. And the overarching ownership of Facebook reiterates privacy concerns. For what it’s worth, WhatsApp is just a reskinned version of Signal. Maybe use that instead.