Furious Apple revokes Facebook's enterprise app cert after Zuck's crew abused it to slurp private data

Internal FB apps in chaos, lawmaker on warpath

Facebook has yet again vowed to "do better" after it was caught secretly bypassing Apple's privacy rules to pay adults and teenagers to install a data-slurping iOS app on their phones.

The increasingly worthless promises of the social media giant have fallen on deaf ears however: on Wednesday, Apple revoked the company's enterprise certificate for its internal non-public apps, and one lawmaker vowed to reintroduce legislation that would make it illegal for Facebook to carry out such "research" in future.

The enterprise cert allows Facebook to sign iOS applications so they can be installed for internal use only, without having to go through the official App Store. It's useful for intranet applications and in-house software development work.

Facebook, though, used the certificate to sign a market research iPhone application that folks could install on their devices. The app was previously kicked out of the official App Store for breaking Apple's rules on privacy: Facebook had to use the cert to skirt Cupertino's ban.

"We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization," said Apple in a statement.

"Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."

With its certificate revoked, Facebook employees are reporting that their legitimate internal apps, also signed by the cert, have stopped working. The consumer iOS Facebook app is unaffected.

Trust us, we're Facebook!

At the heart of the issue is an app for iPhones called "Facebook Research" that the company advertised through third parties. The app is downloaded outside of the normal Apple App Store, and gives Facebook extraordinary access to a user's phone, allowing the company to see pretty much everything that person does on their device. For that trove of personal data, Facebook paid an unknown number of users aged between 13 and 35 up to $20 a month in e-gifts.


The VPN-based app is similar to one Facebook used to offer called Onavo Protect, which also logged and forwarded user activity to Facebook, but that app was specifically banned by Apple last year over privacy concerns.

Facebook wasn't able to get a similar app approved due to changes in Apple's rules, and so, to get around the restrictions, it used the aforementioned Apple-run enterprise certificate program, which is only for internal-use apps, an investigation by TechCrunch this week revealed.

In Facebook's case, it knowingly broke those rules by encouraging third parties – including children – to download the app and use it. And it paid them to do so. And then, as its activity was exposed, embarked – yet again – on a series of half-truths and lies rather than acknowledge what it was really doing.

Here are just a few of them:

  • Facebook said it was pulling its app in response to criticism. Whereas in fact Apple revoked its certificate due to breaking the terms of the program, and so Facebook had no choice but to end it.
  • Facebook claimed that parental consent was received by every user under the age of 18 that had downloaded and installed the app. Whereas in fact there was no check on whether that parental consent was real: two kids with two phones would be able to confirm an account. It was literally a check-box exercise.
  • Facebook claimed that it was open about its app, that it was obviously monitoring the users' online activity from the description of the software, and pointed to the fact it was called "Facebook Research" as evidence. Whereas in fact users were approached through third parties, and Facebook's involvement was hidden until after users started the sign-up process.

Here come the regulators

Meanwhile, the news has caught the attention of a US lawmaker. Senator Ed Markey (D-MA) is furious that Facebook "has been offering teens financial compensation for access to vast amount of those minors’ personal information, including personal messages, web history, and photos."

He vowed on Tuesday to reintroduce legislation – which was termed the Do Not Track Kids Act – in order to update privacy laws and make it illegal for companies to pay children to hand over their private data.

"It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding of how much data they’re handing over and how sensitive it is," he said in a statement.

The news that Facebook knowingly bypassed privacy rules to grab teenagers' personal data follows on the heels of revelations that the company knowingly manipulated children into spending their parents’ money without permission while playing games on Facebook.

And following recent changes in its code that were designed to stop independent reviewers from keeping an eye on the company's controversial political ad service that has been used repeatedly in recent years to spread misinformation during election campaigns.

Facebook has promised in each case to do better. ®

PS: Looks like Google has a similar certificate-signed iOS app, Screenwise Meter, which has now been disabled amid the outcry over Facebook.
