vpn

Auto Added by WPeMatico

Google’s BeyondCorp Enterprise security platform is now generally available

Google today announced that BeyondCorp Enterprise, the zero trust security platform modeled after how Google itself keeps its network safe without relying on a VPN, is now generally available. BeyondCorp Enterprise builds out Google’s existing BeyondCorp Remote Access offering with additional enterprise features. Google describes it as “a zero trust solution that enables secure access with integrated threat and data protection.”

Over the course of the last few years, Google — and especially its Cloud unit — has evangelized the zero trust model and built a large partner network around this idea. Those partners include the likes of Check Point, Citrix, CrowdStrike, Symantec and VMWare.

As part of BeyondCorp Enterprise, businesses get an end-to-end zero trust solution that includes everything from DDoS protection and phishing-resistant authentication, to the new security features in the Chrome browser and the core continuous authorization features that protect every interaction between users and resources protected by BeyondCorp.

“The rapid move to the cloud and remote work are creating dynamic work environments that promise to drive new levels of productivity and innovation. But they have also opened the door to a host of new security concerns and sparked a significant increase in cyberattacks,” said Fermin Serna, chief information security officer at Citrix. “To defend against them, enterprises must take an intelligent approach to workspace security that protects employees without getting in the way of their experience following the zero trust model.”

Powered by WPeMatico

Ivanti has acquired security firms MobileIron and Pulse Secure

IT security software company Ivanti has acquired two security companies: Enterprise mobile security firm MobileIron and corporate virtual network provider Pulse Secure.

In a statement on Tuesday, Ivanti said it bought MobileIron for $872 million in stock — with 91% of the shareholders voting in favor of the deal — and acquired Pulse Secure from its parent company Siris Capital Group, but did not disclose the buying price.

The deals have now closed.

Ivanti was founded in 2017 after Clearlake Capital, which owned Heat Software, bought Landesk from private equity firm Thoma Bravo, and merged the two companies to form Ivanti. The combined company, headquartered in Salt Lake City, focuses largely on enterprise IT security, including endpoint, asset and supply chain management. Since its founding, Ivanti went on to acquire several other companies, including U.K.-based Concorde Solutions and RES Software.

If MobileIron and Pulse Secure seem familiar, both companies have faced their fair share of headlines this year after hackers began exploiting vulnerabilities found in their technologies.

Just last month, the U.K. government’s National Cyber Security Center published an alert that warned of a remotely executable bug in MobileIron, patched in June, allowing hackers to break into enterprise networks. U.S. Homeland Security’s cybersecurity advisory unit CISA said that the bug was being actively used by advanced persistent threat (APT) groups, typically associated with state-backed hackers.

Meanwhile, CISA also warned that Pulse Secure was one of several corporate VPN providers with vulnerabilities that have since become a favorite among hackers, particularly ransomware actors, who abuse the bugs to gain access to a network and deploy the file-encrypting ransomware.

Powered by WPeMatico

A SonicWall cloud bug exposed corporate networks to hackers

A newly discovered bug in a cloud system used to manage SonicWall firewalls could have allowed hackers to break into thousands of corporate networks.

Enterprise firewalls and virtual private network appliances are vital gatekeepers tasked with protecting corporate networks from hackers and cyberattacks while still letting in employees working from home during the pandemic. Even though most offices are empty, hackers frequently look for bugs in critical network gear in order to break into company networks to steal data or plant malware.

Vangelis Stykas, a researcher at security firm Pen Test Partners, found the new bug in SonicWall’s Global Management System (GMS), a web app that lets IT departments remotely configure their SonicWall devices across the network.

But the bug, if exploited, meant any existing user with access to SonicWall’s GMS could create a user account with access to any other company’s network without permission.

From there, the newly created account could remotely manage the SonicWall gear of that company.

In a blog post shared with TechCrunch, Stykas said there were two barriers to entry. Firstly, a would-be attacker would need an existing SonicWall GMS user account. The easiest way — and what Stykas did to independently test the bug — was to buy a SonicWall device.

The second issue was that the would-be attacker would also need to guess a unique seven-digit number associated with another company’s network. But Stykas said that this number appeared to be sequential and could be easily enumerated, one after the other.

Once inside a company’s network, the attacker could deliver ransomware directly to the internal systems of their victims, an increasingly popular tactic for financially driven hackers.

SonicWall confirmed the bug is now fixed. But Stykas criticized the company for taking more than two weeks to patch the vulnerability, which he described as “trivial” to exploit.

“Even car alarm vendors have fixed similar issues inside three days of us reporting,” he wrote.

A SonicWall spokesperson defended the decision to subject the fix to a “full” quality check before it was rolled out, and said it is “not aware” of any exploitation of the vulnerability.

Powered by WPeMatico

‘One day we were in the office and the next we were working from home’

Scott Kinka
Contributor

Scott Kinka serves as CTO for Evolve IP. An award-winning, 20-year technology veteran with expertise in virtualization, cloud security and telecommunications, he designs the Evolve IP roadmap, leads its project team and works closely with customers and partners.

Ryan Easter couldn’t believe he was being asked to run a pandemic business continuity test.

It was late October, 2019 and Easter, IT Director and a principal at Johnson Investment Counsel, was being asked by regulators to ensure that their employees could work from home with the same capabilities they had in the office. In addition, the company needed to evaluate situations where up to 50% of personnel were impacted by a virus and unable to work, forcing others to pick up their internal functions and workload.

“I honestly thought that it was going to be a waste of time,” said Easter. “I never imagined that we would have had to put our pandemic plan into action. But because we had a tested strategy already in place, we didn’t miss a beat when COVID-19 struck.”

In the months leading up to the initial test, Johnson Investment Counsel developed a work anywhere blueprint with their technology partner Evolve IP. The plan covered a wide variety of integrated technologies including voice services, collaboration, virtual desktops, disaster recovery and remote office connectivity.

“Having a strategy where our work anywhere services were integrated together was one of the keys to our success,” said Easter. “We manage about $13 billion in assets for clients across the United States and provide comprehensive wealth and investment management to individual and institutional investors. We have our own line of mutual funds, a state-chartered trust company, a proprietary charitable gift fund, with research analysts and traders covering both equity and fixed income markets. Duct taping one-off solutions wasn’t going to cut it.”

Easter continued, “It was imperative that our advisors could communicate with clients, collaborate with each other and operate the business seamlessly. That included ensuring we could make real-time trades and provide all of our other client services.”

Five months later, the novel coronavirus hit the United States and Johnson Investment Counsel’s blueprint test got real.

Powered by WPeMatico

Flaw in Cyberoam firewalls exposed corporate networks to hackers

Sophos said it is fixing a vulnerability in its Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password.

The vulnerability allows an attacker to remotely gain “root” permissions on a vulnerable device, giving them the highest level of access, by sending malicious commands across the internet. The attack takes advantage of the web-based operating system that sits on top of the Cyberoam firewall.

Once a vulnerable device is accessed, an attacker can jump onto a company’s network, according to the researcher who shared their findings exclusively with TechCrunch.

Cyberoam devices are typically used in large enterprises, sitting on the edge of a network and acting as a gateway to allow employees in while keeping hackers out. These devices filter out bad traffic, and prevent denial-of-service attacks and other network-based attacks. They also include virtual private networking (VPN), allowing remote employees to log on to their company’s network when they are not in the office.

It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password. Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.

Sophos, which bought Cyberoam in 2014, issued a short advisory this week, noting that the company rolled out fixes on September 30.

The researcher, who asked to remain anonymous, said an attacker would only need an IP address of a vulnerable device. Getting vulnerable devices was easy, they said, by using search engines like Shodan, which lists around 96,000 devices accessible to the internet. Other search engines put the figure far higher.

A Sophos spokesperson disputed the number of devices affected, but would not provide a clearer figure.

“Sophos issued an automatic hotfix to all supported versions in September, and we know that 99% of devices have already been automatically patched,” said the spokesperson. “There are a small amount of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.”

Customers still affected can update their devices manually, the spokesperson said. Sophos said the fix will be included in the next update of its CyberoamOS operating system, but the spokesperson did not say when that software would be released.

The researcher said they expect to release the proof-of-concept code in the coming months.

Powered by WPeMatico

Homeland Security warns of security flaws in enterprise VPN apps

Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break into a company’s internal network, according to a warning issued by Homeland Security’s cybersecurity division.

An alert was published Friday by the government’s Cybersecurity and Infrastructure Security Agency following a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.

The VPN apps built by four vendors — Cisco, Palo Alto Networks, Pulse Secure and F5 Networks — improperly store authentication tokens and session cookies on a user’s computer. These aren’t your traditional consumer VPN apps used to protect your privacy, but enterprise VPN apps that are typically rolled out by a company’s IT staff to allow remote workers to access resources on a company’s network.

The apps generate tokens from a user’s password and are stored on their computer to keep the user logged in without having to reenter their password every time. But if stolen, these tokens can allow access to that user’s account without needing their password.

But with access to a user’s computer — such as through malware — an attacker could steal those tokens and use them to gain access to a company’s network with the same level of access as the user. That includes company apps, systems and data.

So far, only Palo Alto Networks has confirmed its GlobalProtect app was vulnerable. The company issued a patch for both its Windows and Mac clients.

Neither Cisco nor Pulse Secure have patched their apps. F5 Networks is said to have known about storing since at least 2013 but advised users to roll out two-factor authentication instead of releasing a patch.

CERT warned that hundreds of other apps could be affected — but more testing was required.

Powered by WPeMatico

Cloudflare’s Warp is a VPN that might actually make your mobile connection better

Since its launch on our stage way back in 2010, Cloudflare has focused on making the internet faster and more modern — but the mobile internet has until recently been beyond its reach. Today the company introduced a new service called Warp described as “the VPN for people who don’t know what VPN stands for.”

In case you’re one of those people, and there’s no shame in it, a VPN is a virtual private network: something that acts as an intermediary between you and the wider internet, allowing you to customize how you connect in many helpful ways, such as changing your apparent location or avoiding IP-based tracking.

The trouble with these services is that many of them just aren’t very good. Trusting a company you’ve never heard of with all your internet traffic just isn’t generally a good idea, and even the biggest and most proven VPN providers are far from household names. What’s more, they can introduce latency and performance issues, which on the mobile web are already trouble enough. In the best case they may take configuration and tweaking that casual users aren’t up to.

Warp, according to a blog post by CEO Matthew Prince, will provide many of the benefits of a VPN with none of the drawbacks, speeding up your connection while adding privacy and security.

“We’ve been tinkering with this idea for three or four years,” Prince told me. Originally there was the idea of making a browser, “but that’s insane,” he said; Apple and Google would crush it. Besides, everything is going app-based and mobile — the real opportunity, they perceived, lay in the layer between those things and the broader internet: “So, a VPN, and it made all the sense in the world for us.”

But they didn’t want to simply compete with a bunch of small providers appealing to a variety of niche power users.

“To be honest, for the vast majority of existing VPN users, this is probably not the right solution for them,” admitted Prince. “If you want to change your country to access Netflix while you’re traveling, there are lots of people that offer that service, but that’s not the market we’re getting into. We wanted something with mass appeal instead of trying to cannibalize what’s out there.”

In order to become a drawback-free default for millions of users, Cloudflare didn’t so much build something from the ground up as adapt nascent work by developers on the cutting edge of networking. It rewrote the already efficient open-source VPN layer created by Wireguard to be even more so, and added a UDP-based protocol created by Neumob, a company it bought in late 2017. Add to this the large network of Cloudflare servers all around the world and it’s a recipe for a quick, secure service that could very well be both better and faster than your existing connection.

You may remember that at this time last year, Cloudflare debuted its DNS service, 1.1.1.1, both for desktops and mobile (via the 1.1.1.1 app). It’s leveraging this presence to offer Warp as an optional and free upgrade.

So what is it? When your mobile wants to make a connection for a Google search or to get an update for an app or whatever, there’s a whole process of reaching out on the internet, finding the right IP to talk to, establishing a secure connection and so on. Cloudflare’s Warp VPN (like other VPNs) takes over this process, encrypting where it otherwise might not be, but also accelerating it by passing the requests over its own network using that Neumob protocol.

The technical aspects will no doubt be exposed and inspected in time, but Cloudflare claims that using Warp should improve your connection and make it more secure, while preventing your DNS lookup data (which says exactly which sites you request to connect to) from being collected and sold. Prince said his post lacked direct comparisons to existing VPNs because they don’t think those are relevant for the millions of non-VPN-using people they’re targeting with Warp.

“Will people do comparisons? Yes. Will I retweet those when they make us look good? Yes,” Prince said. “But we don’t expect to take a lot of users from them. We want the market to expand — we want to be the biggest VPN in the world without taking a single user from any other provider.”

Part of that is the lack of some of existing VPNs’ most attractive features, such as blocking ads at the IP level. Prince said he and the others at the company were uncomfortable with the idea of picking and choosing content, not least because many of their customers are ad-supported sites. “There’s just something creepy about when the internet’s underlying pipes start making editorial decisions,” Prince said. “When we start messing with the contents of a page, even if people want us to, it sets a dangerous precedent.”

Warp can be offered for free because the company is planning a more high-end service that it’ll sell for a monthly fee. Later, an enterprise version could be sold to replace the clunky ones currently out there (which many of our readers likely have already had the pleasure of using). Prince says he envisions a day when a kid can walk into the living room at home and say, “Mom, the internet is being slow, can I use your corporate VPN?” Unlikely, but even CEOs of major infrastructure companies have dreams. Be kind.

Until then, like the rest of Cloudflare’s connectivity suite, Warp will be free and come with few if any caveats.

Well, except one — it’s not available yet. They wanted to make the announcement on April 1 because it’s exactly a year since they announced 1.1.1.1 (get it? 4/1?), but they missed the date. (“I wanted to just turn this on for everyone, but our tech operations team was like, ‘No. You’re not allowed to do that. The network would fall over.’ “) So what you can do now is get the 1.1.1.1 app and request a spot in line. Since they just announced it, the wait probably won’t be that long… oh.

Okay.

Powered by WPeMatico

Opera’s VPN returns to its Android browser

Opera had a couple of tumultuous years behind it, but it looks like the Norwegian browser maker (now in the hands of a Chinese consortium) is finding its stride again and refocusing its efforts on its flagship mobile and desktop browsers. Before the sale, Opera offered a useful stand-alone and built-in VPN service. Somehow, the built-in VPN stopped working after the acquisition. My understanding is that this had something to do with the company being split into multiple parts, with the VPN service ending up on the wrong side of that divide. Today, it’s officially bringing this service back as part of its Android app.

The promise of the new Opera VPN in Opera for Android 51 is that it will give you more control over your privacy and improve your online security, especially on unsecured public WiFi networks. Opera says it uses 256-bit encryption and doesn’t keep a log or retain any activity data.

Since Opera now has Chinese owners, though, not everybody is going to feel comfortable using this service, though. When I asked the Opera team about this earlier this year at MWC in Barcelona, the company stressed that it is still based in Norway and operates under that country’s privacy laws. The message being that it may be owned by a Chinese consortium but that it’s still very much a Norwegian company.

If you do feel comfortable using the VPN, though, then getting started is pretty easy (I’ve been testing in the beta version of Opera for Android for a while). Simply head to the setting menu, flip the switch, and you are good to go.

“Young people are being very concerned about their online privacy as they increasingly live their lives online, said Wallman. “We want to make VPN adoption easy and user-friendly, especially for those who want to feel more secure on the Web but are not aware on how to do it. This is a free solution for them that works.”

What’s important to note here is that the point of the VPN is to protect your privacy, not to give you a way to route around geo-restrictions (though you can do that, too). That means you can’t choose a specific country as an endpoint, only ‘America,’ ‘Asia,’ and ‘Europe.’

Powered by WPeMatico

Facebook will shut down its spyware VPN app Onavo

Facebook will end its unpaid market research programs and proactively take its Onavo VPN app off the Google Play store in the wake of backlash following TechCrunch’s investigation about Onavo code being used in a Facebook Research app the sucked up data about teens. The Onavo Protect app will eventually shut down, and will immediately cease pulling in data from users for market research, though it will continue operating as a Virtual Private Network in the short-term to allow users to find a replacement.

Facebook has also ceased to recruit new users for the Facebook Research app that still runs on Android but was forced off of iOS by Apple after we reported that it violated Apple’s Enterprise Certificate program for employee-only apps. Existing Facebook Research app studies will continue to run, though.

With the suspicions about tech giants and looming regulation leading to more intense scrutiny of privacy practices, Facebook has decided that giving users a utility like a VPN in exchange for quietly examining their app usage and mobile browsing data isn’t a wise strategy. Instead, it will focus on paid programs where users explicitly understand what privacy they’re giving up for direct financial compensation.

Onavo billed itself as a way to “limit apps from using background data” and “use a secure VPN network for your personal info” but also noted it would collect the “Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type.” A Facebook spokesperson confirmed the change and provided this statement: “Market research helps companies build better products for people. We are shifting our focus to reward-based market research which means we’re going to end the Onavo program.”

Facebook acquired Onavo in 2013 for a reported $200 million to use its VPN app to gather data about what people were doing on their phones. That data revealed WhatsApp was sending over twice as many messages per day as Messenger, BuzzFeed’s Ryan Mac and Charlie Warzel reported, convincing Facebook to pay a steep sum of $19 billion to buy WhatsApp. Facebook went on to frame Onavo as a way for users to reduce their data usage, block dangerous websites, keep their traffic safe from snooping — while Facebook itself was analyzing that traffic. The insights helped it discover new trends in mobile usage, keep an eye on competitors and figure out what features or apps to copy. Cloning became core to Facebook’s product strategy over the past years, with Instagram’s version of Snapchat Stories growing larger than the original.

But last year, privacy concerns led Apple to push Facebook to remove the Onavo VPN app from the App Store, though it continued running on Google Play. But Facebook quietly repurposed Onavo code for use in its Facebook Research app that TechCrunch found was paying users in the U.S. and India ages 13 to 35 up to $20 in gift cards per month to give it VPN and root network access to spy on all their mobile data.

Facebook ran the program in secret, obscured by intermediary beta testing services like Betabound and Applause. It only informed users it recruited with ads on Instagram, Snapchat and elsewhere that they were joining a Facebook Research program after they’d begun signup and signed non-disclosure agreements. A Facebook spokesperson claimed in a statement that “there was nothing ‘secret’ about this”, yet it had threatened legal action if users publicly discussed the Research program.

But the biggest problem for Facebook ended up being that its Research app abused Apple’s Enterprise Certificate program meant for employee-only apps to distribute the app outside the company. That led Apple to ban the Research app from iOS and invalidate Facebook’s certificate. This shut down Facebook’s internal iOS collaboration tools, pre-launch test versions of its popular apps and even its lunch menu and shuttle schedule to break for 30 hours, causing chaos at the company’s offices.

To preempt any more scandals around Onavo and the Facebook Research app and avoid Google stepping in to forcibly block the apps, Facebook is now taking Onavo off the Play Store and stopping recruitment of Research testers. That’s a surprising voluntary move that perhaps shows Facebook is finally getting in tune with the public perception of its shady actions. The company has repeatedly misread how users would react to its product launches and privacy invasions, leading to near constant gaffes and an unending news cycle chronicling its blunders.

Without Onavo, Facebook loses a powerful method of market research, and its future initiatives here will come at a higher price. Facebook has run tons of focus groups, surveys and other user feedback programs over the past decade to learn where it could improve or what innovations it could co-opt. And with more apps recently turning on encryption, Onavo likely started learning less about their usage. But given how cloning plus acquisitions like WhatsApp and Instagram have been vital to Facebook’s success, it’s likely worth paying out more gift cards and more tightly monitoring its research practices. Otherwise Facebook could miss the next big thing that might disrupt it.

Hopefully Facebook will be less clandestine with its future market research programs. It should be upfront about its involvement, make certain that users understand what data they’re giving up, stop researching teens or at the very least verify the consent of their parents and avoid slurping up sensitive information or data about a user’s unwitting friends. For a company that depends on people to trust it with their content, it has a long way to go win back our confidence.

Powered by WPeMatico

Senator Warner calls on Zuckerberg to support market research consent rules

In response to TechCrunch’s investigation of Facebook paying teens and adults to install a VPN that lets it analyze all their phone’s traffic, Senator Mark Warner (D-VA) has sent a letter to Mark Zuckerberg. It admonishes Facebook for not spelling out exactly which data the Facebook Research app was collecting or giving users adequate information necessary to determine if they should accept payment in exchange for selling their privacy. Following our report, Apple banned Facebook’s Research app from iOS and shut down its internal employee-only workplace apps too as punishment, causing mayhem in Facebook’s office.

Warner wrote to Zuckerberg, “In both the case of Onavo and the Facebook Research project, I have concerns that users were not appropriately informed about the extent of Facebook’s data-gathering and the commercial purposes of this data collection. Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me.”

Warner is working on writing new laws to govern data collection initiatives like Facebook Research. He asks Zuckerberg, “Will you commit to supporting legislation requiring individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users?”

Senator Blumenthal’s fierce statement

Meanwhile, Senator Richard Blumenthal (D-CT) provided TechCrunch with a fiery statement regarding our investigation. He calls Facebook anti-competitive, which could fuel calls to regulate or break up Facebook, says the FTC must address the issue and that he’s planning to work with congress to safeguard teens’ privacy:

“Wiretapping teens is not research, and it should never be permissible. This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior. Instead of learning its lesson when it was caught spying on consumers using the supposedly ‘private’ Onavo VPN app, Facebook rebranded the intrusive app and circumvented Apple’s attempts to protect iPhone users. Facebook continues to demonstrate its eagerness to look over everyone’s shoulder and watch everything they do in order to make money. 

Mark Zuckerberg’s empty promises are not enough. The FTC needs to step up to the plate, and the Onavo app should be part of its investigation. I will also be writing to Apple and Google on Facebook’s egregious behavior, and working in Congress to make sure that teens are protected from Big Tech’s privacy intrusions.”

Senator Markey says stop surveiling teens

And finally, Senator Edward J. Markey (D-MA) requests that Facebook stop recruiting teens for its Research program, and notes he’ll push his “Do Not Track Kids” act in Congress:

“It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding how much data they’re handing over and how sensitive it is. I strongly urge Facebook to immediately cease its recruitment of teens for its Research Program and explicitly prohibit minors from participating. Congress also needs to pass legislation that updates children’s online privacy rules for the 21st century. I will be reintroducing my ‘Do Not Track Kids Act’ to update the Children’s Online Privacy Protection Act by instituting key privacy safeguards for teens. 

But my concerns also extend to adult users. I am alarmed by reports that Facebook is not providing participants with complete information about the extent of the information that the company can access through this program. Consumers deserve simple and clear explanations of what data is being collected and how it being used.”

The senators’ statements do go a bit overboard. Though Facebook Research was aggressively competitive and potentially misleading, Blumenthal calling it “anti-competitive” is a stretch. And Warner’s questioning on whether “any user reasonably understood that they were giving Facebook root device access through the enterprise certificate” or that it uses the data to track competitors oversteps the bounds. Surely some savvy technologists did, but the question is whether all the teens and everyone else understood.

Facebook isn’t the only one paying users to analyze all their phone data. TechCrunch found that Google had a similar program called Screenwise Meter. Though it was more upfront about it, Google also appears to have violated Apple’s employee-only Enterprise Certificate rules. We may be seeing the start to an industry-wide crack down on market research surveillance apps that dangle gift cards in front of users to get them to give up a massive amount of privacy.

Warner’s full letter to Zuckerberg can be found below:

Dear Mr. Zuckerberg: 

I write to express concerns about allegations of Facebook’s latest efforts to monitor user activity. On January 29th, TechCrunch revealed that under the auspices of partnerships with beta testing firms, Facebook had begun paying users aged 13 to 35 to install an enterprise certificate, allowing Facebook to intercept all internet traffic to and from user devices. According to subsequent reporting by TechCrunch, Facebook relied on intermediaries that often “did not disclose Facebook’s involvement until users had begun the signup process.” Moreover, the advertisements used to recruit participants and the “Project Disclosure” make no mention of Facebook or the commercial purposes to which this data was allegedly put.

This arrangement comes in the wake of revelations that Facebook had previously engaged in similar efforts through a virtual private network (VPN) app, Onavo, that it owned and operated. According to a series of articles by the Wall Street Journal, Facebook used Onavo to scout emerging competitors by monitoring user activity – acquiring competitors in order to neutralize them as competitive threats, and in cases when that did not work, monitor usage patterns to inform Facebook’s own efforts to copy the features and innovations driving adoption of competitors’ apps. In 2017, my staff contacted Facebook with questions about how Facebook was promoting Onavo through its Facebook app – in particular, framing the app as a VPN that would “protect” users while omitting any reference to the main purpose of the app: allowing Facebook to gather market data on competitors.

Revelations in 2017 and 2018 prompted Apple to remove Onavo from its App Store in 2018 after concluding that the app violated its terms of service prohibitions on monitoring activity of other apps on a user’s device, as well as a requirement to make clear what user data will be collected and how it will be used. In both the case of Onavo and the Facebook Research project, I have concerns that users were not appropriately informed about the extent of Facebook’s data-gathering and the commercial purposes of this data collection.

Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me. As you recall, I wrote the Federal Trade Commission in 2014 in the wake of revelations that Facebook had undertaken a behavioral experiment on hundreds of thousands of users, without obtaining their informed consent. In submitted questions to your Chief Operating Officer, Sheryl Sandberg, I once again raised these concerns, asking if Facebook provided for “individualized, informed consent” in all research projects with human subjects – and whether users had the ability to opt out of such research. In response, we learned that Facebook does not rely on individualized, informed consent (noting that users consent under the terms of the general Data Policy) and that users have no opportunity to opt out of being enrolled in research studies of their activity. In large part for this reason, I am working on legislation to require individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users. 

Fair, robust competition serves as an impetus for innovation, product differentiation, and wider consumer choice. For these reasons, I request that you respond to the following questions: 

1. Do you think any user reasonably understood that they were giving Facebook root device access through the enterprise certificate? What specific steps did you take to ensure that users were properly informed of this access? 

2. Do you think any user reasonably understood that Facebook was using this data for commercial purposes, including to track competitors?

3. Will you release all participants from the confidentiality agreements Facebook made them sign?

4. As you know, I have begun working on legislation that would require large platforms such as Facebook to provide users, on a continual basis, with an estimate of the overall value of their data to the service provider. In this instance, Facebook seems to have developed valuations for at least some uses of the data that was collected (such as market research). This further emphasizes the need for users to understand fully what data is collected by Facebook, the full range of ways in which it is used, and how much it is worth to the company. Will you commit to supporting this legislation and exploring methods for valuing user data holistically?

5. Will you commit to supporting legislation requiring individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users?

I look forward to receiving your responses within the next two weeks. If you should have any questions or concerns, please contact my office at 202-224-2023.

Powered by WPeMatico