Facebook is continuing to defend its controversial user data harvesting program to its employees, as Apple restores the company’s developer certificate and brings to an end two days of internal chaos.
In an internal memo obtained by Business Insider, Facebook exec Pedro Canahuati on Thursday addressed Apple’s decision to revoke Facebook’s certificate over a “Facebook Research” app that spied on users in exchange for cash, thereby crashing Facebook’s suite of internal employee apps that also relied on the certificate.
“Asking users to allow us to collect data on their device usage is a highly efficient way of getting industry data from closed ecosystems, such as iOS and Android,” he wrote. “We believe this is a valid method of market research.”
The memo, which has not been previously reported, offers the fullest accounting yet of what Facebook says the purpose of the app was and the specific data it was harvesting — and also offers a rare window into how the Silicon Valley tech giant attempts to spin scandals and crises to its employees in a positive light.
Canahuati said the app didn’t read users’ private messages, but instead looked at information like message length and video watch time. “We collect data to understand how people use apps, but this market research was not designed to look at what they share or see. We’re interested in information such as watch time, video duration and message length, not that actual content of videos, messages, stories or photos,” he wrote. “The app specifically ignores information shared via financial or health apps.”
The memo danced around whether Facebook broke Apple’s rules, saying that “Apple’s view is that we violated their terms,” but “we wouldn’t put that relationship at risk intentionally.
Facebook declined to comment.
The outage caused havoc at Facebook, with internal apps used for everything from communicating with colleagues to company transportation failing. Internally, Facebook employees were furious about the move,sources previously told Business Insider, alternately blaming their own colleagues responsible for the offending research app and Apple, who some theorized was out to get Facebook.
All in all, “a few dozen” apps were affected, Canahuati wrote, and in getting systems back up and running Facebook is prioritizing ones based on usage and importance — namely “Facebook, Messenger, Workplace, Work Chat, Instagram, and Mobile Home.”
A Facebook spokesperson did not immediately respond to Business Insider’s request for comment. In a statement issued earlier today about the restoration of its iOS developer certificate, the company said: “We have had our Enterprise Certification, which enables our internal employee applications, restored. We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.”
Facebook’s research project, known internally as “Project Atlas,” has also faced criticism for appearing not to clearly inform users signing up that Facebook was behind it. Canahuati said this was to avoid “bias”:”[The third party research firms] use a generic initial registration page to avoid bias in the people who choose to participate.”
Do you work at Facebook? Were you affected?Contact this reporter via Signal or WhatsApp at +1 (650) 636-6268 using a non-work phone, email at [email protected], Telegram or WeChat at robaeprice, or Twitter DM at@robaeprice. (PR pitches by email only, please.) You can alsocontact Business Insider securely via SecureDrop.
Here’s the full memo:
APPLE ENTERPRISE CERTS REINSTATED
Early this morning, we received agreement from Apple to issue a new enterprise certificate; this has allowed us to produce new builds of our public and enterprise apps for use by employees and contractors. Because we have a few dozen apps to rebuild, we’re initially focusing on the most critical ones, prioritized by usage and importance: Facebook, Messenger, Workplace, Work Chat, Instagram, and Mobile Home.
New builds of these apps will soon be available and we’ll email all iOS users for detailed instructions on how to reinstall. We’ll also post to iOS FYI with full details.
Meanwhile, we’re expecting a follow-up article from the New York Times later today, so I wanted to share a bit more information and background on the situation.
On Tuesday, TechCrunch reported on our Facebook Research program. This is a market research program that helps us understand consumer behavior and trends to build better mobile products.
TechCrunch implied we hid the fact that this is by Facebook – we don’t. Participants have to download an app called Facebook Research App to be involved in the stud. They also characterized this as “spying,” which we don’t agree with. People participated in this program with full knowledge that Facebook was sponsoring this research, and were paid for it. They could opt-out at any time. As we built this program, we specifically wanted to make sure we were as transparent as possible about what we were doing, what information we were gathering, and what it was for — see the screenshots below.
We used an app that we built ourselves, which wasn’t distributed via the App Store, to do this work. Instead it was side-loaded via our enterprise certificate. Apple has indicated that this broke their Terms of Service so disabled our enterprise certificates, which allow us to install our own apps on devices outside of the official app store for internal dogfooding.
How does this program work?
We partner with a couple of market research companies (Applause and CentreCode) to source and onboard candidates based in India and USA for this research project. Once people are onboarded through a generic registration page, they are informed that this research will be for Facebook and can decline to participate or opt out at any point. We rely on a 3rd party vendor for a number of reasons, including their ability to target a Diverse and representative pool of participants. They use a generic initial Registration Page to avoid bias in the people who choose to participate.
After generic onboarding, people are asked to download an app called the ‘Facebook Research App,’ which takes them through a consent flow that requires people to check boxes to confirm they understand what information will be collected. As mentioned above, we worked hard to make this as explicit and clear as possible.
This is part of a broader set of research programs we conduct. Asking users to allow us to collect data on their device usage is a highly efficient way of getting industry data from closed ecosystems, such as iOS and Android. We believe this is a valid method of market research.
Did we intentionally hide our identity as Facebook?
No — The Facebook brand is very prominent throughout the download and installation process, before any data is collected. Also, the app name of the device appears as “Facebook Research” — see attached screenshots. We use third parties to source participants in the research study, to avoid bias in the people who choose to participate. But as soon as they register, they become aware this is research for Facebook.
What data do we collect? Do we read people’s private messages?
No, we don’t read private messages. We collect data to understand how people use apps, but this market research was not designed to look at what they share or see. We’re interested in information such as watch time, video duration and message length, not that actual content of videos, messages, stories or photos. The app specifically ignores information shared via financial or health apps.
Did we break Apple’s terms of service?
Apple’s view is that we violated their terms by sideloading this app, and they device the rules for their platform, We’ve worked with Apple to address any issues; as a result, our internal apps are back up and running. Our relationship with Apple is really important — many of us use Apple products at work every day, and we rely on iOS for many of our employee apps, so we wouldn’t put that relationship at any risk intentionally.
Mark and others will be available to talk about this further at Q&A later today.