Once again, Facebook has broken the trust of its users—this time, through reportedly paying people to give up their privacy by installing an application that sucks up huge amounts of sensitive data, and explicitly sidestepping Apple's Enterprise Developer program rules. In doing so, the company has repeated several of the privacy-abusive practices that it’s been chastised for before. This underscores just how little the company has learned from a year of user complaints, privacy group criticisms, and Congressional hearings, and it emphasizes the need for legislators to pass new laws to protect the public.

The backstory: In 2013, Facebook began offering a “secure” VPN app, Onavo Protect, as a way for users to supposedly protect their web activity from prying eyes. But Facebook simultaneously used Onavo to collect data from its users about their usage of competitors like Twitter. Last year, Apple banned Onavo from its App Store for violating its Terms of Service. Facebook then released a very similar program, now dubbed variously “Project Atlas” and “Facebook Research.” It used Apple’s enterprise app system, intended only for distributing internal corporate apps to employees, to continue offering the app to iOS users. When the news broke this week, Apple shut down the app and threw Facebook into some chaos when it (briefly) booted the company from its Enterprise Developer program altogether.

Facebook wasn’t the only company sidestepping Apple’s Enterprise Developer TOS to enable a highly invasive “market research” program. As TechCrunch reported, Google has been running a similar program for some time, using many of the same techniques as Facebook in addition to its own unique surveillance methods.

This is the latest in a long line of abusive behavior that has cost Facebook its users’ trust. But this time, Facebook went further than it has before, and instructed the app’s users to configure their device in a way that undermined their basic security.

You should never let an organization like Facebook pwn your devices so it can watch you use TikTok.

Root of All Evil

After Apple kicked Onavo out of the Apple Store, Facebook resorted to extraordinary measures to continue market research on iOS users. Specifically, it paid users to install an app distributed through Apple’s Enterprise Developer program, which required them to add a “trusted” root certificate from Facebook to their devices.

As a VPN, Onavo—which is still available from the Google Play store—can monitor device traffic at the same highly intrusive level as an Internet service provider (ISP). That means it can tell where your traffic is going and when. This is a tremendous amount of information, and it has given Facebook a privileged view of the usage trends and growth of its competitors.

VPN operators shouldn’t spy on their customers, period. But when they do, their ability to do so is limited by encryption, especially through TLS. Encryption prevents ISPs and VPNs like Onavo from seeing the contents of the traffic flowing to and from your device. For example, as you browse www.eff.org, all it sees is a garbled stream of nonsense flowing between you and EFF’s servers. But a root certificate changes that.

Root certificates are the “roots of trust” on your device. They let your device determine whether the server you’re talking to really is who it says it is, and this trust is the basis for most forms of encrypted communication your device engages in. When you install a custom root certificate on your phone, you give its creator the power to intercept, read, and even modify most of the encrypted traffic your device handles.

That power can be invaluable if you’re a security or privacy researcher, an app developer, or just a curious user. Using a custom root certificate, you can set up your device to monitor the traffic between your device and the Internet, including encrypted traffic to third parties. This allows researchers to analyze the privacy properties of mobile applications, including what data they actually collect and send. In the past, security researchers have used root certificates to help expose apps that peddle usage data to advertisers (like Facebook and Google) or exploit sensitive health information.

However, when you install a corporation’s root certificate for a “research” app, you’re also handing it the keys to your most private information. If Facebook can convince you to install its certificate on your device, it can execute a “machine-in-the-middle” attack to insert itself between you and whomever you’re trying to talk to. It sidesteps the security of websites that support HTTPS and most other TLS-encrypted communications. When you try to establish an encrypted connection between your device and, say, your bank, Facebook can silently intercept your traffic before it leaves your phone, collecting your private information before sending it on its way. Meanwhile, both your device and your bank’s server will think everything is A-OK.

This isn’t just a theoretical concern. Applause, one of the partners Facebook worked with to distribute its app, disclosed this on its (now defunct) signup page:

> You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.

We cannot overstate the power this gives the company. And though we’ve tried our best in this post, it’s hard to explain this power at all. So it’s disingenuous for Facebook to claim that its test subjects gave anything like informed consent—especially considering the company specifically advertised to kids. As Will Strafach, the researcher who analyzed Facebook’s app at the request of TechCrunch, put it:

This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.

Apple to the Rescue?

Last year, Apple removed Onavo from the Apple Store. And this week, Apple revoked Facebook’s Enterprise Developer Credentials, which blocked the research app as well as many of Facebook’s internal corporate tools. Which brings us to a separate problem:

On one hand, Facebook’s use of VPN data to feed its dystopian corporate panopticon is a surreptitious abuse of users’ trust. On the other hand, the fact that Apple has the power to effectively ban Onavo for all of its close-to-a-billion iOS users is also wrong. Apple’s app store has blocked apps on a variety of arbitrary, anticompetitive, or censorious grounds in the past, and the company makes it exceedingly difficult for users to install software from outside its crystal prison.

Furthermore, while Google and Facebook clearly broke Apple’s “Enterprise Developer Program” Terms of Service and abused root certificate power to perform market research, that doesn’t mean custom root certificates or “side-loaded” apps are the problem. You should always be able to do what you want with the devices you buy: you own it, you pwn it. But you should never let an organization like Facebook pwn your devices so it can watch you use TikTok.

The right solution to bad behavior by a tech giant like Facebook or Google is not unilateral action by another tech giant like Apple. We cannot stake our rights to privacy and security on corporate turf wars. Instead, we need to fight for reasonable limits on the ways companies can use our data, and demand that they act in our best interests as a matter of course. Facebook obviously needs a massive privacy and transparency overhaul—but it’s far from the only company violating user privacy. It’s time for legislatures at every level to establish carefully-tailored rules to protect user privacy, and to stop letting the companies with the worst privacy track records dictate users’ legal rights.