The week started off badly for Apple: On Monday evening, news began circulating about a bug in the company’s FaceTime application. The flaw allowed iPhone users to use FaceTime to listen in on people with devices running iOS 12.1 in certain circumstances when that person didn’t pick up the call. Basically, anyone who did not answer an incoming FaceTime call was inviting the caller to eavesdrop on them. The Verge also discovered that if the recipient ignored the call, it would send audio and video from the front-facing camera.
We found that the FaceTime bug doesn't just give the caller access to the recipient's microphone (except if Do Not Disturb is on)... if they press volume up or down, it exposes their iPhone's front-facing camera, too https://t.co/t4WA3HfuZG— nic nguyen (@itsnicolenguyen) January 29, 2019
The bug not only affected iPhones and iPads, but Mac computers as well. Users were sent running to their settings to turn FaceTime off entirely. Apple was forced to shut down its FaceTime server.
Fortunately for the company, an arguably bigger disaster was mounting for one of its rivals. On Tuesday afternoon, TechCrunch reported that Facebook was using a virtual private network (VPN) to spy on users, and was paying them for that data: “Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android ‘Facebook Research’ app.” Facebook circumvented the App Store by using a VPN to install a root certificate directly into users’ phones in order to cull their data. This sort of method is often used by apps that are testing new mobile software (usually only internally), and Facebook knowingly used the VPN to avoid Apple’s rules.
The past two years have been marked by Facebook’s continued hoarding and collecting of user data, as well as its inability to understand the increasing resentment consumers have for this behavior and, as a result, the platform in general. This most recent failure may be its grossest yet. Not only was the social network paying users as young as 13 for their information, but it did so knowing full well the practice went against App Store rules. It didn’t manage to entirely, though: Apple’s rules for root certificate installs is that they must be used only for internal business purposes by employees, which is clearly not what Facebook was using the VPN for. On Wednesday morning, Apple pulled Facebook’s license for its enterprise certificate, meaning that while Facebook is still available to all regular users, the VPN that allowed the survey to exist is gone—as are all the apps used internally by Facebook employees.
Facebook is reportedly furious with Apple, not that the iDevice manufacturer would care. Apple CEO Tim Cook has been incredibly critical of the social network in recent months; Facebook CEO Mark Zuckerberg even reportedly made employees switch to Android after Cook criticized the social network after the Cambridge Analytica scandal. So you can imagine that this week was shaping up to be a dark one at Apple, as all of its sniping at Facebook (and other competitors) was surely going to be hurled back in the technology giant’s self-congratulatory face. And then, a welcome lifeline was thrown at Apple from the least expected place: Facebook.
The back-and-forth between these two companies has reached a tipping point. Everything points to Apple and Facebook—and for that matter, Twitter and Google and Amazon—fighting among themselves to prove that they are the company that treats consumers better. But that fight is an illusion. It appears as if these companies are waging privacy wars against one another and that some of them will win and some will lose. But these are deeply systemic problems that regulators seem unable to address, or even grasp. Offenses so far have largely gone unpunished, at least not to the point that major tech companies have changed their ways. Instead we’re left to watch the mistakes pile up, and these businesses finger-point.
While the social network took much of the heat off Apple, it’s hard to overstate the seriousness of the FaceTime security lapse, and how slowly Apple reacted to it. It was discovered on January 20 by a 14-year-old whose mother reported the issue. Even then, Apple did nothing until the news was reported by 9to5Mac on January 28. The lack of urgency—and the fact that such a major glitch even slipped through in the first place—is not a good look for the company, which as of late has staked its reputation on privacy. At this year’s Consumer Electronics Show, Apple said as much with an enormous billboard overlooking the Strip that read, “What happens on your iPhone, stays on your iPhone,” and included the URL “apple.com/privacy.” For years, Apple has notoriously been absent from CES, and the message was a pointed one at privacy failures in the technology industry.
Certainly Apple appreciated the timing of Facebook’s most recent disaster, and perhaps is relishing another opportunity to reprimand the social network. Facebook seems to be on a mission to destroy its reputation and any remaining goodwill it has, and there’s almost a sense of glee from those who’ve been decrying what is either its incompetence or unwillingness to change course. But it’s begun to feel like consumers are just trading one privacy injustice for another, because other than giving up on it all, there is no way out. On Monday, it was Apple; on Tuesday it was Facebook—what technology giant will wrong users tomorrow? (And, for what it’s worth, on Wednesday Facebook stock surged following an impressive earnings call.) In the real privacy wars, big tech is fighting its own users. And even when it’s losing, it’s winning.