One of Facebook's independent child safety advisers has criticised the firm over a scheme that gave it access to teenagers' highly personal information, without taking more effort to verify their parents had given permission.
But tests by the BBC and others suggested youngsters could easily sign up without getting permission.
Stephen Balkam said Facebook's "rather lax approach" was very worrying.
Facebook is still carrying out the "market research" on Android devices.
But it ended the effort on iPhones because it broke Apple's rules.
"Facebook Atlas is a questionable programme on a number of fronts," said Mr Balkam, chief executive of the Family Online Safety Institute and a member of Facebook's Safety Advisory Board.
"Most concerning is the rather lax approach to getting verifiable parental consent for the teens who participated.
"Given the tech backlash in general and the intense focus on Facebook's privacy policies, this is most unfortunate."
The BBC's North America technology reporter Dave Lee had been able to sign up to the app by registering himself as a 14-year-old boy and was never asked for proof of parental consent.
Facebook has blamed this on a third-party company it had employed to add volunteers.
"We reached out to the vendor in this instance, who explained that based on their initial investigation, an error was made in late 2018 that allowed participants under 18, who they normally would have blocked, to participate in the study," a spokeswoman told the BBC.
"This error has been corrected."
The existence of the scheme was revealed on Wednesday after an investigation by the TechCrunch news site.
It said the app involved had the potential to provide Facebook with "nearly limitless access" to a user's device, including:
- the contents of private messages in chat apps including photos and videos
- web browsing activity
- logs of what apps were installed, and when they were used
- a location history of where the owner had physically been
- data usage
Participants were told to keep the existence of the scheme and their involvement in it "confidential", and in return would earn $20 (£15.30) of gift tokens a month.
In an interview with Bloomberg, chief operating officer Sheryl Sandberg said there was "nothing secret about it", despite the fact it caught many company-watchers by surprise.
Mr Balkam said that Facebook had never consulted its Safety Advisory Board about the matter.
Only volunteers based in the US and India were targeted.
But the EU's leading data protection watchdog has shown an interest.
"The Irish Data Protection Commission became aware of this story through yesterday's media reporting," said a statement for the regulator.
"Before we can make any assessment as to whether or not there are any data protection concerns, we will need to understand better to what extent, how and on what basis the personal data in question is being processed and used.
"We have asked Facebook to provide us with this information."
Part of the issue is that the social network may have copied messages and images sent to the volunteers from their friends, who would not have known of the scheme's existence.
However, Facebook has indicated that this was not the case.
"The app was designed to collect data that helps us understand how people use apps, not the content of the messages they send or receive," a spokeswoman told the BBC.
It has also emerged that Google ran a similar data collection scheme involving an iOS app called Screenwise Meter.
Like Facebook, it circumvented Apple's rules by offering the app to consumers via "enterprise certificates", which are supposed to be reserved for providing software to staff or other limited instances.
Google's programme had been in existence since 2012 but has now been pulled.
"The Screenwise Meter iOS app should not have operated under Apple's developer enterprise program - this was a mistake, and we apologise," it said in a statement to TechCrunch.
"We've been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the programme at any time."
Unlike Facebook's scheme, Google only signed up under-18s if they were part of a family group involving adults from the same household.
However, TechCrunch said it was once open to users as young as 13 without this caveat.
It is not known whether Apple plans to take any retaliatory action against the search firm.
However, the iPhone-maker did revoke Facebook's enterprise certificates on Wednesday.
That caused the social network's iOS test apps to stop working as well as other iPhone software it offered exclusively to staff, including a workplace chat app and an app to summon transport.
"Our internal apps are no longer operable and we are working with Apple to resolve this issue," the spokeswoman for Facebook said.
- 30 January 2019