For the past three years, Facebook has paid consumers as young as 13 to download a “Facebook Research” application that gives the company wide-ranging access to their mobile devices, according to a TechCrunch investigation published Tuesday. In order to allow people with iPhones to participate, Facebook sidestepped the strict privacy rules imposed by Apple in its App Store by taking advantage of a business applications program designed for internal company use. Apple soon announced it was revoking Facebook’s access to its Developer Enterprise Program, which also allowed the company to share custom iOS apps with its own employees. Apple’s decision is reportedly wreaking havoc at the social network, rendering workers unable to access the apps they use for their jobs.

As Facebook deals with the fallout from yet another privacy scandal, it’s worth unpacking how its Research app worked—especially because it serves as a good reminder for other apps you might already be using, particularly virtual private networks. It wasn’t just Facebook: Google also disabled a similar app on iOS devices on Wednesday. Both apps are still available on Android.

Facebook reportedly paid users between the ages of 13 and 35 $20 a month to download the app through beta-testing companies like Applause, BetaBound, and uTest. Participants found out about the opportunity via Snapchat and Instagram advertisements, according to TechCrunch. Minors were required to get consent from their parents. Once approved, participants downloaded the app via their browser—not through the Google Play Store or the Apple App Store.

Apple typically doesn’t allow app developers to go around the App Store, but its enterprise program is one exception. It’s what allows companies to create custom apps not meant to be downloaded publicly, like an iPad app for signing guests into a corporate office. But Facebook used this program for a consumer research app, which Apple says violates its rules. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple,” a spokesperson said in a statement. “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Facebook didn’t respond to a request for comment.

Facebook needed to bypass Apple’s usual policies because its Research app is particularly invasive. First, it requires users to install what is known as a “root certificate.” This lets Facebook look at much of your browsing history and other network data, even if it’s encrypted. The certificate is like a shape-shifting passport—with it, Facebook can pretend to be almost anyone it wants. If you visit the website for a clothing retailer, for instance, Facebook can use the root certificate to pretend to be the store and see the pants you were looking to buy. “You allow Facebook to pretend to be anyone they want to be on the internet—your device will trust the certificates they generate,” says David Choffnes, a professor and mobile networking researcher at Northeastern University.

Facebook couldn't use its root certificate for every website or application, since some companies, like banks, prevent attackers from using a rogue certificate for man-in-the-middle attacks with a technique called “certificate pinning.” The bank or other company essentially decides that it won’t accept any certificate but its own—it knows not to take phonies like Facebook’s. “This attack doesn’t work on everything, but there’s still a large fraction of apps that are vulnerable because it’s not a standard threat model,” says Choffnes.
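The pinning defence described above, as an added Go example that is not from the article or from any of the companies named in it: a pinning app compares the server's public-key hash against a value compiled into the app, so a certificate minted under a user-installed root for the same hostname passes the device's trust store but still fails the pin. The hostname shop.example, the certificates and the function names are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo, the value an app pins; a certificate for the
// same name minted under a different key cannot reproduce it.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// pinCheck has the shape of tls.Config.VerifyPeerCertificate, which Go invokes only after
// standard chain validation has passed (InsecureSkipVerify false), so it just compares the leaf key.
func pinCheck(pins [][32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, p := range pins {
				if p == spkiPin(chain[0]) { return nil }
			}
		}
		return errors.New("chain is trusted by the device, but the server key does not match the pin")
	}
}
// selfSigned mints a self-signed certificate for shop.example with a fresh key (constructed test data).
func selfSigned() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"shop.example"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// demo: the device trust store holds the real certificate and an impostor issued under an
// installed root. Plain validation accepts the impostor; the pin check rejects it.
func demo() (rogueByStore, rogueByPin, realByPin bool) {
	realCert, rogueCert := selfSigned(), selfSigned()
	store := x509.NewCertPool()
	store.AddCert(realCert)
	store.AddCert(rogueCert) // the "root certificate" the research app had users install
	check := pinCheck([][32]byte{spkiPin(realCert)})
	rogueChains, err := rogueCert.Verify(x509.VerifyOptions{Roots: store, DNSName: "shop.example"})
	realChains, _ := realCert.Verify(x509.VerifyOptions{Roots: store, DNSName: "shop.example"})
	return err == nil, err == nil && check(nil, rogueChains) == nil, check(nil, realChains) == nil
}
```

In a real client, `pinCheck` would be assigned to `tls.Config.VerifyPeerCertificate` alongside the normal `RootCAs`, which is why an interception proxy with an installed root still fails against a pinned app.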


Facebook’s app also established an on-demand private network connection, meaning it routed all of the participants' traffic through its own servers before passing it along to its final destination. This is essentially what all VPNs do—they disguise traffic by rerouting it, allowing you to hide things like your location, perhaps to use Gmail in China or access streaming shows not available where you live. But VPNs typically can’t see your encrypted traffic, since they don’t have the right certificate. They can still look at your unencrypted traffic, which can be an issue, but the vast majority of internet traffic today happens over encrypted HTTPS connections. But with its root certificate installed, Facebook could decrypt the browsing history or other network traffic of the people who downloaded Research, possibly even their encrypted messages.