As the true crime story of The Untouchables goes, federal agents targeted mob boss Al Capone for brazen acts of violence and smuggling, but ultimately jailed him for the white collar crime of tax evasion. The story illustrates that there are multiple ways for good guys to stop bad guys, and sometimes a comparatively pedestrian option works best.
Facebook isn’t the mob and Apple certainly isn’t untouchable, but over the past two days, the tech giants have been cast in villain and hero roles, as Apple punished Facebook for distributing a questionable app (Project Atlas!) that gathered unspecified data (!) on teens (!) in exchange for $20 monthly payments and referral fees (!). There was actually much more to the story, but given the nonstop wave of revelations about Facebook’s business practices, those details were enough for the court of public opinion to declare the company guilty — and shrug off Apple’s chosen punishment of disabling all of Facebook’s internal iOS apps.
Was Apple actually acting heroically here? No. And while Facebook has deservedly taken heat recently for many offensive activities (disclosure: I and members of my family have stopped using the service), this particular situation wasn’t as cut and dried as good finally prevailing over evil.
Similar to the Capone situation, Facebook’s data-gathering app wasn’t shut down because it was tangibly hurting or ripping off innocent people, but rather because it arguably — note the word arguably — violated either the word or spirit of Apple’s enterprise developer agreement. Unlike Apple’s standard developer agreement, which covers apps distributed to consumers, the enterprise agreement covers apps distributed to employees and contractors. Near the beginning of the enterprise document, Apple directly tells developers:
This Program is for internal use, custom applications that are developed by You for Your specific business purposes and only for use by Your employees and, in limited cases, by certain other parties as set forth herein.
The contract goes on for another 50 pages, but the gist is clear: Use enterprise certificates for internal employee/contractor apps, and standard certificates for consumer apps. If you try to distribute enterprise apps to consumers, or violate any one of hundreds of other rules, Apple may shut down all of your enterprise certificates and apps. So. Don’t. Do. Any. Of. That.
Once Facebook’s data gathering app started getting bad publicity, Apple apparently decided to make an example of the company, claiming that the app’s distribution to “consumers” was “a clear breach” of the enterprise agreement. Explaining the decision to yank Facebook’s enterprise app certificates, an Apple spokesperson said:
We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
As it turns out, Facebook wasn’t the only gigantic company with an iOS enterprise program data-gathering app; Google was distributing its own version under the name “Screenwise Meter.” After Facebook’s app and enterprise certificates were yanked, TechCrunch tarred Google with the same general offense — using an iOS enterprise app to collect data — and asked whether Apple would disable Google’s enterprise certificate and apps, just like Facebook’s.
But Facebook and Google weren’t doing the exact same things. Google’s research panel had been running since 2012, hadn’t previously been banned by Apple, wasn’t being directly marketed to teens, and transparently disclosed what information it was gathering. Like Facebook, Google was paying people to participate, blurring the line between “contractor” and “consumer.” So it wouldn’t have made sense for Apple to suddenly shut down Google’s enterprise certificate over this after six years, even if there was some arguable violation of Apple’s enterprise development agreement.
Regardless, Google pulled the plug on Screenwise Meter for iOS before Apple took action. In a statement last night, the company said:
The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.
Putting my dusty intellectual property lawyer hat back on, I see two core issues here. First, were these apps for the developers’ internal use? Second, were these developers distributing these apps to employees/contractors or consumers?
Notwithstanding Apple’s statement and Google’s apology, my take is that both answers are gray rather than black or white. Apple would have had zero room to complain if the only people using these apps were employees sitting in Google’s offices. Instead, they were paid panelists — arguably limited purpose “contractors” providing data solely for the developer’s research purposes — and not locked in Google’s buildings.
That’s completely normal in the technology R&D world. As Apple’s famous “lost at a bar” iPhone 4 situation revealed, even the most secretive companies don’t conduct all their research and testing indoors at offices. There are plenty of valid and legal reasons to gather data in multiple locations across a geographic area, and in public, particularly when a developer’s trying to understand real-world app usage habits.
It’s not clear whether Facebook and Google should be distributing small panel research apps to the broad base of “consumers” in the iOS App Store. But for the time being, that appears to be their only option — assuming, of course, that their data collection isn’t running afoul of other Apple developer rules, such as privacy considerations. Unlike Google, Facebook was specifically blocked from offering a consumer version of its data research app to iOS users due to privacy issues.
In my view, it’s not fair to tar Facebook and Google with the same brush. At this point, it’s almost inconceivable that people wouldn’t know that Google was collecting data about them when it uses their services. It’s frankly more surprising that Google actually offered to pay Screenwise Meter users for their data, given that it has free access to more user information than any other company in the world.
I also have deep concerns about Apple’s ability to threaten use of a company-crippling tool in a situation like this, but if there’s any good news here, it’s that the company hasn’t used its kill switch apart from sketchy situations. Facebook mightn’t have been a mustache-twirling villain in this story, but it wasn’t innocent here, and pulling its app was the right thing for Apple to do. Here’s hoping that there isn’t a good need for the company to pull its developer certificates from anyone again.