tanitrd 0%tatr3 gamete

WASHINGTON, DC 20510

February 7, 2019

Mr. Hiroshi Lockheimer

Senior Vice President, Platforms Ecosystems
Google LLC

1600 Amphitheatre Parkway

Mountain View, CA 94043

Dear Mr. Lockheimer:

We write concerned about reports that Facebook is collecting highly-sensitive data on
teenagers, including their web browsing, phone use, communications, and locations all to
pro?le their behavior without adequate disclosure, consent, or oversight. These reports ?t with
longstanding concerns that acebook has used its products to deeply intrude into personal
privacy. Additionally, the scope of the research and the use of the Onavo Protect app raises
questions about Facebook?s use of personal data to engage in potentially anti-competitive
behavior. As Google is responsible for the Play Store and the Android operating system, we
request information on your policies regarding the monitoring of teens and Google?s response to
the acebook research program.

On January 29, 2019, TechCrunch reported that Facebook has run a paid research
program named Project Atlas to pro?le consumers by monitoring their phone use. According to
registration pages and advertisements run by Facebook?s research partners, the program was
available to individuals between the ages of 13 and 35, requiring parental consent for those
younger than 18. Despite this constraint, the program appears to have speci?cally targeted teens,
inadequately disclosed the scope of the data collection, and not properly veri?ed parental
consent. One advertisement for the program on Snapchat and Instagram found by TechCrunch
shows a teen with hundred dollar bills falling from the sky, calling for ?participants for a paid
social media research study.? According to a journalist who attempted to register as a teen, the
linked registration page failed to impose meaningful checks on parental consent.l This
recruitment and lax oversight of teen privacy ?ies in the face of a widespread understanding that
young people require strong protections for their privacy and safety.

Facebook?s monitoring under Project Atlas is palticularly concerning because the data
collection performed by the research app was deeply invasive. Once installed, the app added a
VPN connection that would automatically route all of a participant?s traf?c through Facebook
servers. The app also installed an SSL root certi?cate on the participant?s phone, which would
allow Facebook to intercept or modify data sent to websites. As a result, acebook
would have limitless access to monitor normally secure web traf?c, even allowing Facebook to
watch an individual log into their bank account or exchange pictures with their family. None of
the disclosures provided at registration offer a meaningful explanation about how that sensitive

 

Kelion, Leo. ?Facebook Adviser Criticises 'lax' Child Checks." BBC News. January 3 l, 2019.


data is used, how long it is kept, or who has access to it. Facebook could have access to messages
or images that teens and adults had sent believing they were private without any awareness or
ability to control the use of this private information.

Lastly, Project Atlas is particularly concerning in light of Facebook?s established history
of using private information for potentially anti?competitive purposes. In order to monitor
participants, Facebook used a version of its Onavo Protect app, a web security application that it
acquired in 2013. Onavo Protect has its own history of privacy and competition concerns.
According to Buzzfeed and the Wall Street Journal, acebook has used web browsing data
collected from Onavo Protect users to monitor rival products and identify emerging competitors
to buy or copy. Privacy advocates have challenged that the further analysis of this sensitive
browsing data is not disclosed to users.2 In August 2018, Apple banned Onavo Protect from the
App Store for breaching its policies about transparency and limits on the data that apps are
allowed to collect.

Faced with that ban, Facebook appears to have circumvented Apple?s attempts to protect
consumers. With Project Atlas, Facebook distributed the application to teens through an
enterprise program offered by Apple meant only for acebook?s own employees. Apple has
acknowledged that Facebook?s use of the enterprise certi?cate program for installing apps on
consumers? phones constituted a breach of its terms of service.

The opaque collection of sensitive user data appears to also breach Google?s terms of
service and developer agreements. In a January 27, 2019 response to a letter from Senators
Blumenthal and Markey on location collection by apps, Google?s Vice President for Global
Public Policy Government Affairs, Karan Bhatia, stated ?When Android developers request
access to personal or sensitive user data, including the device location permission on Android
phones, Google Play?s developer policies require developers to limit their collection and use of
this data to purposes directly related to providing and improving the features of the app.? Google
also outlined a series of steps that it can take to address privacy intrusive applications. Onavo
Protect and Project Atlas clearly collect sensitive user data that is reused by Facebook in a
manner not disclosed to consumers and may warrant further attention by Google.

Platforms must be vigilant in light of threats to teen privacy posed by programs like
Project Atlas. Facebook is not alone in engaging in commercial monitoring of teens. 
has subsequently reported that Google maintained its own measurement program called
?Screenwise Meter,? which raises similar concerns as Project Atlas. The Screenwise Meter app
also bypassed the App Store using an enterprise certi?cate and installed a VPN service in order
to monitor phones. Likewise, according to reports, Screenwise Meter was originally open to
users as young as 13 years old, and continued to be available to the teenagers if they were
registered as a part of a family group on Google Play. While Google has since removed the app,
questions remain about why it had gone outside Apple?s review process to run the monitoring

 

2 Comments of the Electronic Privacy Information Center, Center for Digital Democracy, Consumer Federation of
America, and U.S. Public Interest Research Group to the Federal Trade Commission regarding Competition and
Consumer Protection in the let Century Hearings. August 20, 2018. 
CompetitionHearings?August20l 8.pdf

program.3 Platforms must maintain and consistently enforce clear policies on the monitoring of
teens and what constitutes meaningful parental consent, no matter who is providing an app,
including themselves.

Given the sensitivity and seriousness of any intrusions into the privacy of teens, we
respectfully request a written response to the following questions by March 1, 2019:

1. Does the collection of browsing histories, communications content, or app usage ?'om a
user?s device violate the Play Store terms of service? Please explain.

2. If Google ?nds that an application has bypassed its app review process and is operating
in a manner intrusive to user privacy, what remedies does it maintain to protect users,
such as disabling or removing problematic apps? Will Google pursue such remedies with
respect to the Project Atlas app?

3. When was the Project Atlas app made available to Android users and on how many
devices was the app installed?

4. Does Google plan to allow the Project Atlas app on its devices in the future?

5. Why did Google bypass App Store approval for Screenwise Meter app using enterprise
certi?cates? Has Google bypassed the App Store approval processing using enterprise
certi?cates for any other non-internal app? If so, please list and describe those apps.

6. What measures did Google have in place to ensure that teenage participants in
Screenwise Meter had authentic parental consent?

7. Given that Apple removed Onavo Protect from the App Store for violating its terms of
service regarding privacy, why has Google continued to allow the Onavo Protect app to
be available on the Play Store?

8. In light of recent invasions of children?s and teens? privacy, including those described
above, would Google support federal legislation to create new privacy safeguards for
children and teens online?

 

3 Whittaker, Zack, Josh Constine, and Ingrid Lunden. "Google Will Stop Peddling a Data Collector through Apple's
Back Door." TechCrunch. January 30, 2019. 


Thank you for your attention to these impo?ant issues. We look forward to your
response.

 

 

 

Sincerely,
Richaid Blumenthal Edward J. Markey a
United States Senate United States Senate
Jos ley

Uni States Senat/