EDITOR'S NOTE: This article was written when this story was more timely (although Facebook and privacy violations always seems to be a timely topic). Since I've just published the site, I wanted to include this note to clarify this article.

A Little Background

You might have heard about a big privacy scare in the news in recent weeks that many iPhone users are furious about — and no, it has nothing to do with FaceTime. TechCrunch broke the story that Facebook was paying users (including minors) to install a VPN with root-level access to their phones with the intention of tracking all their usage, encrypted or otherwise. If that wasn't bad enough, Facebook instructed those users to install this app using Facebook's enterprise certificate to circumvent Apple's app store review (which had already booted the same app for privacy violations in August of 2018).

Apple promptly revoked Facebook's enterprise certificate (which turned out to be their only enterprise certificate), crippling this internal-yet-oh-so-external spyware app as well as many other internal Facebook applications. Facebook has acknowledged that they misused their enterprise certificate to distribute an app to consumers, but Facebook COO Sheryl Sandberg also claimed that users who downloaded the app "knew they were involved and consented" in the so-called "Facebook Research App". As a researcher myself, I was pretty skeptical that Facebook's practices would even come close to meeting the benchmark of "informed consent", and it didn't take long for my worries to be confirmed: Dave Lee with the BBC demonstrated just how easy it was to sign up for the app as a 14 year-old and receive a link to download it — no parental consent required.

Lets Talk About Consent

I think Facebook (and many other big tech companies) throws around the word "consent" a little too loosely — whether it be in their inscrutable Terms of Service or in examples as grotesque as this data-tracking app. In my field, "consent" means a full understanding of the risks and benefits, and a willing acceptance of those risks and benefits without any sort of coercion. In addition, minors are not typically allowed to give consent for most things in the field of research (though assent is required depending on the circumstance). The idea that a web-form with a few blurbs about "agreeing to the Terms of this program" is sufficiently "informed" for a self-proclaimed research app is ludicrous to me, especially given the significant (and likely misunderstood) amount of data users handed over. I'm sure most users of the Facebook Research App don't fully understand what a VPN is, let alone how much of their private data it allowed Facebook to see.

Informed consent is a big deal in my line of work (and in general) — our team's research is focused on pregnant women and their newborn infants, so the rules for consent are even more strict. For example, if I would like to do a study on placental tissue from deliveries at our hospital (tissue that is normally disposed of after delivery) there is a rigorous process I have to go through before I get started. I have to write up a lengthy Institutional Review Board application, explaining the reason for my research and the ways I am minimizing any unnecessary risk to patients. I have to write a consent form in lay-terms so that a patient could read it and have good understanding of the studies risks and benefits. I have to explain why I'm researching minors in the first place, or why I'm not using an alternative that avoids involving minors all together. Then, assuming that same Review Board actually approves my study, when I actually consent a patient I have to confirm that they understand the risks and benefits before enrolling them in the study. Oh, and I have to specify exactly how I plan to use their tissue, and not go beyond that without asking for their consent again.

Needless to say, the Facebook Research App would fall laughably short at all of these steps (and the myriad I didn't list in my simplistic example). Then again, Facebook's malicious appetite for user data is what motivates them, not any desire for basic ethics in the way they gather it. Perhaps Facebook's blatant disregard for the standard of "informed consent" belies a defining characteristic of their business model: they prefer their users uninformed.