Facebook could face fresh scrutiny in Europe following a TechCrunch report on its use of a VPN app to monitor people’s smartphone activity — including teenagers as young as 13.

The Irish Data Protection Commission (DPC) told us it’s asked Facebook to provide more information on what data is collected via the market research program, codenamed ‘Project Atlas’, so that it can determine whether there are grounds for further investigation.

“The Irish DPC only became aware of this story through this morning’s media reporting. Before we can make any assessment as to whether or not there are any data protection concerns, we will need to understand better to what extent, how and on what basis the personal data in question is being processed and used. We have asked Facebook to provide us with this information,” said the DPC’s head of communications, Graham Doyle.

Under European union law there are special requirements for processing minors’ personal data. And, as we reported earlier, Facebook’s research program is open to people around the world — although the company has yet to confirm whether it has any teenage participants in Europe. (We’ve asked and will update this report with any response.)

If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime. (Facebook’s international HQ is located in Ireland, which makes the Irish DPC the lead agency for any investigation of the project.)

Less aware of the risks

Setting out conditions applicable to consent for processing the personal data of children aged 13 or older, one section of text from the GDPR reads: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”

“Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand,” runs another.

The VPN app that Facebook has been using as a data-harvesting vehicle (since we reported on the story it’s closed down the iOS version of the app) requires participants give root access to their device — potentially affording the company a very high resolution view of their digital activity indeed.

According to an investigation we commissioned data continuously collected via the VPN app could include private messages in social media apps; chats from in instant messaging apps – including photos/videos sent to others; emails; web searches; web browsing activity; and ongoing location information.

Although Facebook has also not confirmed exactly what data types it pulls via the program.

Participants are offered payments of up to $20 (in e-gift tokens) to incentivize them to sign up to have their data harvested on an ongoing basis, with the program open to people aged 13-35.

Facebook says parental consent is required for minors aged 13-17. But it’s not clear how robust the company’s age verification process is — after BBC journalist Dave Lee reported being able to sign himself up to participate in Project Atlas, earlier today, as a “14-year-old boy… with two kids”.

“It required no proof of parental consent at all. I’ve just been sent a link to download the iOS app, ” he added via Twitter.

I thought I'd see how robust the parental control for Facebook's programme is. In less than five minutes I was able to sign up as a 14-year-old boy… with two kids. It required no proof of parental consent at all. I've just been sent a link to download the iOS app. pic.twitter.com/z6www8SgQJ — Dave Lee (@DaveLeeBBC) January 30, 2019

So while Facebook previously told us less than 5% of the (unknown number of) participants in the research program are teens it’s not clear whether it can make that sort of assertion — or indeed put any verifiable figure on children’s participation in the program — if its age verification process fails at the first hurdle.

We’ve reached out to Facebook with questions and to the app testing companies it’s been working with to administer the program — namely Applause/uTest and BetaBound — to ask how they verify the age of participants and how parental consents are collected. At the time of writing none had replied.

In an earlier statement, provided in response to our first report on Project Atlas, Facebook defended the initiative, saying:

Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.

Questions over verification

Returning to the GDPR, Article 8 — which concerns conditions application to children’s consent for processing personal data — states data controllers must make “reasonable efforts” to verify consent when processing children’s personal data:

The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

And in further guidance on conditions for processing children’s data, the UK’s data protection agency says “data protection by design and by default” must be the baseline.

“Transparency is also key,” it continues. “You can raise children’s (and their parents’) awareness of data protection risks, consequences, safeguards and rights by: Telling them what you are doing with their personal data; Being open about the risks and safeguards involved; and letting them know what to do if they are unhappy. This will also help them make informed decisions about what personal data they wish to share.”

Facebook has said parental consent forms were “signed” and also claims it provided “extensive information” about the data being collected. But plenty of questions remain over exactly how robustly it verified participants’ ages; how parental consents were obtained; as well as the quality and accessibility of the information provided to parents and teens.

One UK-based EU data protection expert we asked for a view, Pat Walshe, suggested the approach to consent described in the article would not pass muster under GDPR.

As well as offering up to $20 a month in incentivize teens to sign away their privacy, Facebook’s program also included a referral scheme — which meant users could increase their ‘earnings’ by recommending a friend — aping the ‘growth hacking’ tactics deployed by app developers everywhere hoping to spark a viral run for their latest release.

But a viral run on kids’ privacy wouldn’t be at all cool.

In instances where minors signed up to be watched by Facebook the program appears to have rewarded them for pestering their peers to do the same.

Yet an age verification system that can’t distinguish an adult male from a 14-year-old boy seems unlikely to be able to correctly identify a child younger than 13 who’s — say — pretending to be an adult in order to get some sweet e-gift rewards…

Another update relating to consent. FB statement said teens had provided parental consent before using the program. I asked FB what exactly that meant – signed form, scanned? – they said the vendors handled it. For at least one of the vendors, consent was basically a checkbox. — Dave Lee (@DaveLeeBBC) January 30, 2019

Last fall the children’s commissioner for England published a report raising concerns about how extensively minors’ data is being collected and shared across the board, in both the private and public sectors, writing that: “Children and parents need to be much more aware of what they share and consider the consequences.”

The UK’s ICO is currently working on an Age Appropriate Design Code of Practice — which a spokeswoman told us is due out later this year, following responses to a call for evidence last summer.