Maybe only Tim Cook can fix Facebook’s privacy problem

On Wednesday, Cook and his lieutenants took aim at Facebook for violating Apple’s rules with a research app that allowed Facebook to snoop on users’ online activity. Facebook promoted the app through an Apple program that gives trusted developers the ability to install apps for testing without going through the App Store’s normal approval process. Apple responded by cutting off Facebook’s access to apps and updates that it was working on internally, causing chaos among the company’s software engineers.

The move is the clearest sign yet that the cold war between Facebook and Apple over data use and privacy is heating up.

Cook, who has called privacy a “fundamental human right” and taken Facebook and Google to task for the misuse of user data in the past, could effectively become a technology regulator of last resort — using the power of Apple’s iOS operating system as a cudgel to force software companies to respect user privacy and play by the rules, or risk losing access to millions of iPhone users.

The latest battle came Wednesday, after TechCrunch reported on a Facebook program, known as Project Atlas, that paid users $20 in exchange for installing an app for Apple devices called Facebook Research. The program, offered to teenagers as well as adults, gave Facebook the ability to track app use, the websites users visited, the Amazon purchases they made and other intimate data.

The problem is that Facebook loaded the app onto users’ devices using a kind of fast-track installation that bypasses Apple’s normal App Store download process. This ability, known as side-loading, is available only to companies that are enrolled in Apple’s enterprise developer program, and that agree to side-load apps only for internal testing, not for public use.

Apple was not happy, and cut off Facebook’s enterprise developer access for all of its apps, not just the offending research app.

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization,” an Apple spokesman said. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.”

Facebook, which reported strong earnings Wednesday despite the missteps, is negotiating with Apple to restore its developer access. A Facebook spokesman declined to comment.

(On Wednesday, TechCrunch reported that Google had a similar research app, called Screenwise Meter. In a statement, Google said it was disabling the app, which it said “should not have operated under Apple’s developer enterprise program.”)

There’s no doubt that Apple took a firm stand here. But if Cook truly wants to protect Apple users from privacy-violating apps, he could remove all of Facebook’s products — including Instagram and WhatsApp — from the App Store until the company can prove, in a real and measurable way, that it cares about its users’ privacy.

Shutting off Facebook’s access to Apple devices would be a radical step, tantamount to declaring war on a major competitor. But Apple has banned developers for smaller infractions in the past. And in the absence of government regulation, there may be no other option for bringing the company to heel on privacy.

Would temporarily cutting off Facebook’s Apple apps be an effective deterrent? Absolutely. In less than a day, Apple’s move to revoke Facebook’s developer certificate has reportedly become a “critical problem” for the company’s developers. Hundreds of millions of people use Facebook through their iPhones, and without access to Apple’s App Store, Facebook would see an immediate and devastating hit to its bottom line. The ban would quickly become an existential threat, and improving privacy on its apps would become an all-hands-on-deck project for the company’s leadership.

Would it be fair? Yes. Facebook’s privacy violations over the years have been appalling, and its executives have blatantly evaded the rules that Google and Apple, the makers of the two largest mobile operating systems, have put in place to protect their users from being exploited by data-hungry app developers. In emails released late last year, Facebook executives were shown plotting to snoop on Android users’ call and text logs without triggering a permission pop-up. And Facebook’s Onavo VPN app was pulled from Apple’s App Store last year for excessive data collection.

Would cracking down on Facebook backfire on Apple? Possibly. Facebook’s apps are some of the most popular offerings on Apple devices, and without access to their Instagram and Facebook feeds, some iPhone users might get frustrated and switch to Android. But this abandonment would happen slowly, not all at once. (IPhone users could still access Facebook’s products through their mobile web browsers.) And more likely, given how heavily Facebook relies on Apple’s platform, Facebook would almost certainly blink first, and make the necessary changes to get back into Apple’s good graces.

Is such a big crackdown necessary? It probably is, if Apple is truly serious about protecting privacy. Time and time again, Facebook has shown that it cannot be trusted to protect users’ privacy unless it is forced to do so. And while regulators have fined Facebook for privacy violations, those punishments rarely amount to anything truly meaningful — at most, the company pays a few million dollars, promises to do better next time, and goes right back to work.

Would punishing Facebook be an abuse of Apple’s power? Arguably, yes. It’s problematic that by virtue of their strangleholds on the Apple and Android operating systems, Apple and Google have control over huge swaths of the tech industry. And Apple’s own record on privacy is hardly spotless — just this week, the company was forced to shut down the FaceTime feature because of a bug that let users snoop on one another’s phones.

But aggressive behavior among tech companies, for much less noble motives, is business as usual — Facebook, for example, routinely cuts off data access to rival apps like Twitter, Vine, and Prisma. And until government regulators impose rules on the tech giants, the most effective regulation on tech industry excesses may need to happen between companies.

It’s bizarre and somewhat troubling that Apple could unilaterally punish a competitor for its privacy sins. (Imagine if McDonald’s could shut down Burger King franchises for health code violations, with little explanation and no recourse for appeal.) But it’s hard to argue with Apple’s decision here. It made rules governing what developers for Apple products were allowed to do, Facebook broke them, and it’s now paying a price.

Apple’s defense of user privacy, while certainly self-interested, is a boon to its users and a lever for change within the tech industry. And if Cook wants to take a strong stand against app developers that routinely violate users’ trust, he could start with the biggest privacy violator of all. Facebook won’t change on its own, but a chastening from Apple might be what the company needs to get its act together.