Facebook has been facing scandal after scandal, causing privacy and security concerns among lawmakers, experts, and users. For one, it was caught up in sneaky data-gathering activities that were exposed last year. Now, it's at it again.
According to a recent report, the social media company is involved in yet another case of harvesting user data.
TechCrunch reported that Facebook has been gathering user data via a VPN installed on a user's phone. The program, called Project Atlas, has reportedly been running since 2016, with the company offering a monthly fee to users between ages 13 and 35.
In exchange for up to $20 a month, Android or iOS users are asked to install a VPN app called Facebook Research. The app monitors a user's web and device activity and sends it to Facebook. It does this through a custom root certificate, which users are required to install along with the app. Once a device trusts such a certificate, its issuer can intercept and decrypt TLS-protected traffic routed through the VPN, unless an app pins its own certificates. In some instances, the company even asked users to send a screenshot of their Amazon order history page.
TechCrunch asked Will Strafach, security expert at Guardian Mobile Firewall, to further clarify how much data the app can access. Apparently, it gets more than just a user's web and phone activity.
"If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps — including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed," Strafach explained.
Also, according to reports, to cloak its data gathering activity, Facebook used uTest, Applause, and BetaBound. This means that instead of downloading the Facebook Research app directly via the App Store, users downloaded it through the aforementioned beta testing services.
The Facebook Research app could be violating Apple's policies on certificates granting root access to iPhones, and if Facebook did violate this rule, it would not be the first time.
In June 2018, Apple ordered Facebook to remove its Onavo Protect app after it violated App Store guidelines. Facebook eventually pulled the app in August last year. Facebook acquired the Onavo VPN app in 2013.