
I recently came across a similar market research effort in Switzerland [1] after I noticed the VPN symbol in the status bar on a relative's iPhone when showing them something. I asked why they (not very tech-savvy otherwise) were using a VPN and was told they were participating in a market research project in exchange for some shopping gift cards. As is the case with FB, the research company installs a VPN and their own root certificate.

Of course the implications are outlined in the fine print / data protection agreement when signing up, but I doubt most of the participants are aware of just how far the data collection they enable with this goes...

[1] https://swissmediapanel.ch/ (Link in German)



Interesting - wasn't aware of Swiss Media Panel.

Reading their FAQ they nicely pack what's going on in flowery language e.g. "Is the Swiss Media Software a Virus or Spyware?"

The Swiss Media Software is not a Virus and also not Spyware; it is not malicious and does not do harm to your computer, phone or tablet. The Swiss Media Software only observes the behaviour of Internet users that they have approved (this last sentence could be a bad translation by me).

That said the companies behind it; Net-Metrix and Intervista, are basically harmless - they produce consumer studies and are something like the "Nielsen" of Switzerland. The bigger risk here IMO is they themselves get hacked - knowing a little about Net-Metrix for example, I doubt they have the resources to properly protect their infrastructure.


I feel like the translation overstates the fine-grainedness of the consent a bit, it's more along the lines of "Swiss Media Panel is a consent-based [i.e. the user has consented to having the application running on their device] application that tracks the behavior of internet users"

Security and also how far they actually go in separating the tracked data from your demographic & potentially personally identifiable data is definitely a concern, next to the obvious issue of how informed one can consider the consent they get from their users...


Seems to me like the law needs to be clearer about how to inform users in cases like these. Surely, it's deceptive to tell someone they're getting paid for installing a "market research" app which actually records all online activity. Charging companies who knowingly deceive users like this with fraud sounds reasonable to me.


I agree that the law should probably be changed, but for slightly different reasons.

They are clearly informed that the app will track information regarding their online activities, device usage behavior and applications they use.

I think the main issue is that users without a tech background are just not aware of the full implications of allowing a third party to collect this kind of data, even decrypting their HTTPS traffic and tracking everything they do online.

The statement by Strafach in the original article sums it up quite nicely:

“The fairly technical sounding ‘install our Root Certificate’ step is appalling,” Strafach tells us. “This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”
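
The "install our Root Certificate" step quoted above is the whole trick: once the panel's CA is in the device's trust store, the VPN endpoint can mint a certificate for any site the user visits and the phone will accept it, so every HTTPS session can be decrypted in transit. The following is an added Go example, not code from this thread or from Facebook, Net-Metrix or Intervista; the CA name "Example Media Panel Root CA" and the hostname bank.example are made up. It builds such a chain, shows that the forged leaf is rejected with a normal trust store and accepted once the panel root is installed, and shows the one defence an app has on its own: pinning the real site's public key, which still rejects the forged leaf even though it chains to a trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mintCert creates a certificate from template, signed by parent with parentKey;
// when parent is nil the certificate is self-signed with its own fresh key.
func mintCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = template
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildInterceptionChain mimics a TLS-intercepting VPN: it mints the (hypothetical)
// panel root CA and a leaf for host signed by that root, as would be done on the fly
// for every site the user connects to.
func BuildInterceptionChain(host string) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Media Panel Root CA"}, // made-up name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, rootKey, err := mintCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the forged name: whatever site the user opened
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = mintCert(leafTmpl, root, rootKey)
	return root, leaf, err
}

// VerifyForHost performs the check an HTTP client does on the presented leaf,
// trusting only the roots in pool; nil means the certificate is accepted.
func VerifyForHost(leaf *x509.Certificate, host string, pool *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value mobile apps pin.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedAccept mimics an app that pins the real site's key: chain validity alone is not enough.
func PinnedAccept(leaf *x509.Certificate, host string, pool *x509.CertPool, pin string) bool {
	return VerifyForHost(leaf, host, pool) == nil && SPKIPin(leaf) == pin
}

// Demo returns whether the forged leaf for host is accepted (1) with an empty trust store,
// (2) with the panel root installed, and (3) by a pinning app with the panel root installed.
func Demo(host string) (withoutRoot, withRoot, pinnedApp bool, err error) {
	root, leaf, err := BuildInterceptionChain(host)
	if err != nil {
		return false, false, false, err
	}
	withoutRoot = VerifyForHost(leaf, host, x509.NewCertPool()) == nil
	trusted := x509.NewCertPool()
	trusted.AddCert(root) // this is what "install our Root Certificate" does
	withRoot = VerifyForHost(leaf, host, trusted) == nil
	// The genuine site's key is stood in for by a fresh key: its pin never matches the forged leaf.
	genuineKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&genuineKey.PublicKey)
	if err != nil {
		return false, false, false, err
	}
	sum := sha256.Sum256(spki)
	pinnedApp = PinnedAccept(leaf, host, trusted, base64.StdEncoding.EncodeToString(sum[:]))
	return withoutRoot, withRoot, pinnedApp, nil
}

func main() {
	a, b, c, err := Demo("bank.example")
	fmt.Println("no root installed:", a, "| root installed:", b, "| pinning app:", c, "| err:", err)
}
```

Run as-is it prints false, true, false: the same forged certificate goes from rejected to accepted purely because one root was added to the trust store, and only an app that pins its own key notices. Caveat: on iOS a profile-installed root has to be separately enabled for TLS in the certificate trust settings, and browsers and some apps ship their own pins or ignore user-added roots (Android apps do by default), so the interception is near-total but not universal.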


You can’t be clearly informed and not aware at the same time.

Which makes this fraud, right?

In the same way automotive manufacturers are held accountable even if there was no intention to cause harm, the software industry needs to be held accountable.

We need to have professional organisations, and government regulators, working to ensure some kind of general industry best practice, where software developers can initially start getting tapped on the shoulder, then given a series of rapidly increasing penalties until the industry gets the point that it can’t keep making out it’s the wild wild west.

And this is why I don’t believe software development is a proper serious profession. The proper professions, here in Australia at least, are granted the authority to witness statutory declarations. I can go to a qualified vet, doctor, engineer, chiropractor(!), police officer, school teacher, postal worker, the list goes on[1], because these professions have a chain of trust.

And yet we trust(?) software developers and their employees with our most sensitive data!

1. https://www.ag.gov.au/Publications/Statutory-declarations/Pa...


I guess I don't understand what is so deceptive about this? At least not anymore than what Google does for example?

Do we really think computer illiterate people know that Google can infer a huge amount of sensitive information about their end-users without them ever ticking "I accept" or signing up for an account?

At least with this they have to take explicit actions like accepting the terms and installing the tracker before they're tracked. They even get compensated for it.

In Google's case you don't get anything.


In terms of a newspaper.. In Google's case they might just get the headlines of what you're doing, in this case the company/Facebook gets every single word, space, and punctuation.



