Is Facebook the real bogeyman? Social media giant oblivious to users' privacy

Facebook seems clearly to have earned its latest privacy black eye.

By Stephen L. Carter

This week brings a useful reminder that Facebook is not in the helping-you-keep-in-touch-with-friends business. It’s in the ad-selling business — a business that requires data. Lots of data.

Long story short: On Wednesday, Apple shut down a research app Facebook had distributed to some iPhone and iPad users, paying them up to $10 in exchange for downloading the app, and $20 a month to keep it installed. The app allowed Facebook to collect an enormous amount of user data. News coverage has emphasized the privacy aspects of the story, painting the issue principally in terms of good and evil. Apple is again portrayed as the champion of user protection; Facebook, as usual, is the bogeyman, indifferent to the privacy of its users.


Facebook seems clearly to have earned its latest privacy black eye, but it’s important not to overstate what’s going on here. This is essentially a contract dispute.

Some background. In addition to services that allow companies to distribute software to consumers in the form of apps, Apple also offers something called the Developer Enterprise Program, which provides a certificate that allows distribution of apps to multiple iOS users within a firm, bypassing the App Store. For example, the firm can develop a communications app for internal use and, using the certificate, download it to all employee iPhones and iPads. It can use the same process to share beta versions of potential apps among its in-house researchers.

As first reported by TechCrunch, however, since 2016 Facebook has been using its certificate to offer users the opportunity to participate in a “paid social media research study.” The offer, made through ads on Snapchat and Instagram, targeted users between 13 and 35, but was mainly aimed at teens aged 13 to 17. (Parental permission was required before teens could participate.) Those who signed up would receive money in exchange for Facebook’s ability to collect browsing history, location data, content of messages and more — including “which apps are on your phone” and “how and when you use them.”

To install the app, users were not directed to the App Store or Apple’s beta-testing system, either of which would have allowed Apple to review the app before it could be installed on consumer devices. Instead, those who signed up for the research program were sent to a Facebook site from which they could download its certificate. That’s where the problem arose. The certificate does not permit distribution of apps to users outside the company.

Apple’s response, as quoted by TechCrunch, was immediate and harsh: “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

The revocation is no trivial matter. Again, the certificate grants permission for the company to distribute apps internally. With its certificate disabled, Facebook will have to find a workaround.

Still, let’s be clear about what constitutes Facebook’s “clear breach.” The problem isn’t the vacuuming up of consumer data. It’s that Facebook has done so in a way that violates the terms of the enterprise certificate. Apple’s concern about its “users and their data” might well be sincere, but this particular dispute isn’t about the fact that Facebook collected user data; it’s about the way that Facebook collected user data.

That’s it. That’s the whole case.

I’m not suggesting that what Facebook has done isn’t serious. But neither is it the end of user privacy as we know it. Yes, had Facebook sent the app through normal channels, Apple might well never have approved it. And, yes, users who downloaded the app allowed Facebook extraordinary access to their online activity. But users seemed to know what they were getting into — and were also paid for the privilege.

Twenty dollars per month might not sound like a lot to, say, the typical Bloomberg reader. So imagine Facebook instead had promised one free local Uber ride per month. Or a free digital subscription to the New York Times. It turns out that $20 per month can buy a lot.

That’s not a defense of Facebook’s apparent breach of its agreement with Apple. I’m just suggesting that users who allowed Facebook to install the app on their iPhones were not necessarily being exploited. Freedom to contract doesn’t seem terribly high on our list of fundamental values these days, but some of us still insist upon its importance.

As to the misuse of the certificate, I assume the two companies will swiftly work things out. (Google has voluntarily ended a similar program.) The revocation of the certificate is a pain, but in the end it’s likely to prove mostly symbolic, a useful weapon in the never-ending public relations war between Apple and Facebook over which cares more about data privacy. The skirmish will be brief, because the two companies need each other. In fact, I wouldn’t be a bit surprised if Facebook’s enterprise developer certificate has been restored by the time you read these words.

But the contretemps still matters because public image matters. Apple will once more steal a march on Facebook in their continuing privacy wars. Maybe six months from now nobody will remember the details, but people will remember that Facebook goofed on privacy again. The goofs are starting to add up. The company has to reverse this trend. Even when you’re the only game in town, sooner or later reputation affects your bottom line.

