atlnittd rms etnatt WASHINGTON DC 20510 February 7 2019 Mr Tim Cook Chief Executive Of cer Apple Inc 1 In nite Loop Cupertino CA 95014 Dear Mr Cook We write concerned about reports that Facebook is collecting highly sensitive data on teenagers including their web browsing phone use communications and locations all to pro le their behavior without adequate disclosure consent or oversight These reports t with longstanding concerns that Facebook has used its products to deeply intrude into personal privacy Additionally the scope of the research and the use of the Onavo Protect app raises questions about Facebook s use of personal data to engage in potentially anti competitive behavior As Apple is responsible for the App Store and the operating systems we request information on your policies regarding the monitoring of teens and Apple s response to the Facebook research program On January 29 2019 TechCrunch reported that acebook has run a paid research program named Project Atlas to pro le consumers by monitoring their phone use According to registration pages and advertisements run by Facebook s research partners the program was available to individuals between the ages of 13 and 35 requiring parental consent for those younger than 18 Despite this constraint the program appears to have speci cally targeted teens inadequately disclosed the scope of the data collection and not properly veri ed parental consent One advertisement for the program on Snapchat and Instagram found by TechCrunch shows a teen with hundred dollar bills falling from the sky calling for participants for a paid social media research study According to a journalist who attempted to register as a teen the linked registration page failed to impose meaningful checks on parental consent 1 This recruitment and lax oversight of teen privacy ies in the face of a widespread understanding that young people require strong protections for their privacy and safety Facebook s monitoring under Project Atlas is particularly concerning because the data collection performed by the research app was deeply invasive Once installed the app added a VPN connection that would automatically route all of a participant s traf c through Facebook servers The app also installed an SSL root certi cate on the participant s phone which would allow Facebook to intercept or modify data sent to websites As a result Facebook would have limitless access to monitor normally secure web traf c even allowing Facebook to watch an individual log into their bank account or exchange pictures with their family None of the disclosures provided at registration offer a meaningful explanation about how that sensitive Kelion Leo Facebook Adviser Criticises 'lax' Child Checks BBC News anuaiy 31 2019 data is used how long it is kept or who has access to it Facebook could have access to messages or images that teens and adults had sent believing they were private without any awareness or ability to control the use of this private information Lastly Project Atlas is particularly concerning in light of Facebook s established history of using private information for potentially anti competitive purposes In order to monitor participants Facebook used a version of its Onavo Protect app a web security application that it acquired in 2013 Onavo Protect has its own history of privacy and competition concerns According to Buzzfeed and the Wall Street Journal Facebook has used web browsing data collected from Onavo Protect users to monitor rival products and identify emerging competitors to buy or copy Privacy advocates have challenged that further analysis of this sensitive browsing data is not disclosed to users 2 In August 2018 Apple banned Onavo Protect from the App Store for breaching its policies about transparency and limits on the data that apps are allowed to collect Faced with that ban Facebook appears to have circumvented Apple s attempts to protect consumers With Project Atlas Facebook distributed the application to teens through an enterprise program offered by Apple meant only for acebook s own employees Apple has acknowledged that Facebook s use of the enterprise certi cate program for installing apps on consumers phones constituted a breach of its terms of service Platforms must be vigilant in light of threats to teen privacy posed by programs like Project Atlas acebook is not alone in engaging in commercial monitoring of teens TechCrunch has subsequently reported that Google maintained its own measurement program called Screenwise Meter which raises similar concerns as Project Atlas The Screenwise Meter app also bypassed the App Store using an enterprise certificate and installed a VPN service in order to monitor phones Likewise according to reports Screenwise Meter was originally open to users as young as 13 years old and continued to be available to the teenagers if they were registered as a part of a family group on Google Play While Google has since removed the app questions remain about why it had gone outside Apple s review process to run the monitoring program 3 Platforms must maintain and consistently enforce clear policies on the monitoring of teens and what constitutes meaningful parental consent no matter who is providing an app Given the sensitivity and seriousness of any intrusions into the privacy of teens we respectfully request a written response to the following questions by March 1 2019 1 Does the collection of browsing histories communications content or app usage from a user s device violate the App Store terms of service Please explain Why did Apple consider it important to update its terms of service in June 2018 to ban the collection of 2 Comments of the Electronic Privacy Information Center Center for Digital Democracy Consumer Federation of America and U S Public Interest Research Group to the Federal Trade Commission regarding Competition and Consumer Protection in the 2 st Century Hearings August 20 2018 3 Whittaker Zack Josh Constine and Ingrid Lunden Google Will Stop Peddling a Data Collector through Apple's Back Door TechCrunch January 30 2019 1 30 googles-also peddling a-data- data about other apps 2 If Apple nds that an application has bypassed its app review process and is operating in a manner intrusive to user privacy what remedies does it maintain to protect users such as disabling or removing problematic apps Will Apple pursue such any remedies with respect to the Project Atlas app 3 When was the Project Atlas app made available to iPhone users and on how many devices was the app installed 4 Does Apple plan to allow the Project Atlas app on its devices in the future 5 How does Apple plan to address the Screenwise Monitor app s bypass of its app review process 6 Has Apple conducted an assessment to determine whether Google and acebook have bypassed the App Store approval processing using enterprise certi cates for any other non-internal apps 7 In light of recent invasions of children s and teens privacy including those described above would Apple support federal legislation to create new privacy safeguards for children and teens online Thank you for your attention to these important issues We look forward to your response Sincerely Richard Blumenthal Edward J Markeyu a United es 11 United States Senate oMawley United States Senate