One of Facebook’s independent child safety advisers has criticised the firm over a scheme that gave it access to teenagers’ highly personal information, without taking more effort to verify their parents had given permission.
Facebook said participating teens had provided signed parental consent forms.
But tests by the BBC and others suggested youngsters could easily sign up without getting permission.
Stephen Balkam said Facebook’s “rather lax approach” was very worrying.
Facebook is still carrying out the “market research” on Android devices.
But it ended the effort on iPhones because it broke Apple’s rules.
Another update relating to consent. FB statement said teens had provided parental consent before using the program. I asked FB what exactly that meant – signed form, scanned? – they said the vendors handled it. For at least one of the vendors, consent was basically a checkbox.
— Dave Lee (@DaveLeeBBC) January 30, 2019
“Facebook Atlas is a questionable programme on a number of fronts,” said Mr Balkam, chief executive of the Family Online Safety Institute and a member of Facebook’s Safety Advisory Board.
“Most concerning is the rather lax approach to getting verifiable parental consent for the teens who participated.
“Given the tech backlash in general and the intense focus on Facebook’s privacy policies, this is most unfortunate.”
The existence of the scheme was revealed on Wednesday after an investigation by the TechCrunch news site.
It said the app involved had the potential to provide Facebook with “nearly limitless access” to a user’s device, including:
the contents of private messages in chat apps including photos and videos
web browsing activity
logs of what apps were installed, and when they were used
a location history of where the owner had physically been
Participants were told to keep the existence of the scheme and their involvement in it “confidential”, and in return would earn $20 (£15.30) of gift tokens a month.
In an interview with Bloomberg, chief operating officer Sheryl Sandberg said there was “nothing secret about it”, despite the fact it caught many company-watchers by surprise.
Mr Balkam said that Facebook had never consulted its Safety Advisory Board about the matter.
Only volunteers based in the US and India were targeted.
But the EU’s leading data protection watchdog has shown an interest.
“The Irish Data Protection Commission became aware of this story through yesterday’s media reporting,” said a statement for the regulator.
“Before we can make any assessment as to whether or not there are any data protection concerns, we will need to understand better to what extent, how and on what basis the personal data in question is being processed and used.
“We have asked Facebook to provide us with this information.”
Part of the issue is that the social network may have copied messages and images sent to the volunteers from their friends, who would not have known of the scheme’s existence.
The BBC has asked Facebook whether this was the case, but a spokeswoman was unable to provide further detail.
It has also emerged that Google ran a similar data collection scheme involving an iOS app called Screenwise Meter.
Like Facebook, it circumvented Apple’s rules by offering the app to consumers via “enterprise certificates”, which are supposed to be reserved for providing software to staff or other limited instances.
Google’s programme had been in existence since 2012 but has now been pulled.
“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program – this was a mistake, and we apologise,” it said in a statement to TechCrunch.
“We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the programme at any time.”
Unlike Facebook’s scheme, Google only signed up under-18s if they were part of a family group involving adults from the same household.
However, TechCrunch said it was once open to users as young as 13 without this caveat.
It is not known whether Apple plans to take any retaliatory action against the search firm.
However, the iPhone-maker did revoke Facebook’s enterprise certificates on Wednesday.
That caused the social network’s iOS test apps to stop working as well as other iPhone software it offered exclusively to staff, including a workplace chat app and an app to summon transport.
Facebook is seeking to convince Apple to reverse the punishment.