
Revealed: Facebook’s “Incredibly Aggressive” Alleged Theft of Snapchat App Data

Zuck ordered “Project Ghostbusters”—with criminal consequences, says class action lawsuit.

Facebook set up a fake VPN so it could steal app analytics from social media rivals: That’s the allegation just unsealed in a federal court. CEO Mark Zuckerberg is said to have personally ordered the secret “theft” in the face of competition from Snapchat, YouTube and Amazon.

Now will you stop using “free” VPNs? In today’s SB Blogwatch, we are the product.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: SPF-but.

Meta MITM IAAP SSL Bump

What’s the craic? Kali Hays and Jack Newsham report—“Zuckerberg told Facebook execs to ‘figure out’ how to track encrypted usage on rival apps”:

SSL bumping
Zuckerberg, in a June 2016 email, told Javier Olivan, then Facebook’s head of growth, that he wanted a better answer to questions about Snapchat’s usage and growth. … The correspondence was revealed as part of ongoing litigation in a California federal court, in which Meta is accused of anticompetitive behavior. … Two months after the email was sent, Facebook launched Stories on Instagram, a photo feature effectively identical to Snapchat’s core feature.

“Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them,” Zuckerberg wrote of Snapchat. … So in 2016, the task force created new software that could “be installed on iOS and Android that intercepts traffic, … allowing us to read what would otherwise be encrypted traffic so we can measure … specific actions that people are performing. … This is a ‘man-in-the-middle approach,’” … a Facebook employee noted in an email to Zuckerberg.

Facebook did this … by effectively impersonating the servers of Snapchat, and later YouTube and Amazon, … through a process called … SSL bumping. [Pedro Canahuati,] former vice president of security and privacy, said: … “I can’t think of a good argument for why this is okay.”

ELI5? Nick Farrell explains like we’re five—“Ghostbusters went rogue”:

41 lawyers
Tech titans at Meta have been caught with their hands in the digital cookie jar playing a sneaky game of peek-a-boo with Snapchat’s secrets in a hush-hush op. … Meta created a crafty VPN called Onavo that’s more like a double agent than a privacy pal. … YouTube and Amazon got the same treatment, with … users none the wiser.

Meta acquired Onavo … over 10 years ago, promising users private networking. … Through tens of millions of people who downloaded Onavo, it gave Facebook valuable intel about competitors, [the] court filings seem to confirm. … 41 lawyers worked on Project Ghostbusters.

Where’s Dick The Butcher when we need him? Meera Navlakha reveals the documents—“Documents reveal”:

Facebook secretly paid teenagers
The documents [were] unsealed on Tuesday … by a federal court in California … as part of an ongoing class action lawsuit between Meta and consumers. … The documents, submitted by lawyer Brian J. Dunne for U.S. District Judge James Donato in May 2023, are part of the lawsuit filed with the U.S. District Court for the Northern District of California in 2020, which alleges that Facebook engaged in anticompetitive behavior and used deceptive practices to acquire user data.

“Ghostbusters” — a reference to Snapchat’s cartoonish ghost logo — … was a part of the company’s In-App Action Panel (IAAP), a program run between 2016 and 2019 “at Zuckerberg’s direct request.” Project Ghostbusters is described by Dunne to have used “incredibly aggressive technological measures — including intercepting and decrypting SSL-protected traffic.” [Onavo was] shut down six years later after it was found that Facebook secretly paid teenagers to use the service in order to access their web activity.

Horse’s mouth? Brian J. Dunne—“Re: Klein v. Meta Platforms, Inc., No. 3:20-cv-08570-JD (N.D. Cal.)”:

Advertiser Plaintiffs … respectfully request that the Court enter an order compelling Mark Zuckerberg’s deposition for an additional three hours. [He] has unique, personal knowledge about issues pertinent to Advertisers’ case.

On May 16, 2023, Advertisers deposed Mark Zuckerberg … before Meta’s counsel cut off questioning. … Most of this time was devoted to an attempt, frustrated by Meta’s counsel, to elicit Zuckerberg’s testimony on [a] potentially criminal … program designed and executed at Meta between 2016 and 2019 at Zuckerberg’s direct request. … Meta’s IAAP program didn’t just harm competition, but criminally violated 18 U.S.C. § 2511(1)(a) and (d) by intentionally intercepting SSL-protected analytics traffic.

Snapchat’s in-app analytics [were] key to effectively stealing away the “secret sauce” behind Snapchat’s engagement and differentiating features. … This new IAAP project, termed “Ghostbusters” by an Onavo project manager, proposed incredibly aggressive technological measures … including “incentivized SSL bump,” … which involved the interception and decryption of secure analytics traffic from Snapchat, YouTube, and Amazon for competitive reasons.

Mark Zuckerberg previously denied knowing about the project, according to Dunne. Barrin92 sounds slightly sarcastic:

Yep, the CEO of one of the most top-down structured companies in the world, with sole decision making power, doesn’t know what his senior executives and lawyers are doing. … Imagine a military leader lost a battalion and went with, “Well I don’t know. They ran off in that direction.”

Wow. Just wow. @HaxRob thinks, “The claims are serious”:

If you needed yet another reason not to trust VPN providers or proxy services: Here Facebook partnered with a bunch of companies to have root certificates installed on people’s phones so they could intercept other apps’ traffic.

Facebook acquired Onavo. … At a $120 million dollar price point it’s clear how much value they put on having the ability to intercept users’ mobile traffic … but then proceeds to gaslight the user. … Any VPN or proxy service that is free is almost guaranteed to be doing something shady.

Things have improved as this is not trivial to do on Android these days. … Decompiling an earlier version of the APK and it’s quite apparent the functionality is there. … Fortunately this technique of using intents to install certs no longer works.
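The interception the filings describe only works if the victim app trusts a root CA that the user (or a VPN app) installed into the device's "user" store. As an added illustration that is not from the court documents, Onavo, or any of the apps named above, this Android network_security_config.xml shows the permissive trust setting beside the hardened one; the hostname and pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: res/xml/network_security_config.xml, wired in from
     AndroidManifest.xml via android:networkSecurityConfig="@xml/network_security_config".
     analytics.example.invalid and the pin values are placeholders, not real values. -->
<network-security-config>

    <!-- WEAK: trusting "user" anchors means any root CA the user was talked into
         installing can mint a certificate for any host, so an "SSL bump" proxy
         terminates TLS and the app never notices. Kept here, commented out,
         only to show the setting that makes the attack possible. -->
    <!--
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- HARDENED: trust only the platform's system store (already the default
         for apps targeting API 24+), refuse cleartext, and pin the analytics
         endpoint to known public-key digests with a backup pin for rotation. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <domain-config>
        <domain includeSubdomains="true">analytics.example.invalid</domain>
        <pin-set expiration="2025-12-31">
            <!-- base64 SHA-256 of the SubjectPublicKeyInfo; placeholder values -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds may still trust user-added CAs for local test proxies
         without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

With the hardened config, a bumping proxy presenting a certificate from a user-installed root fails both the trust-anchor check and the pin check, and the app's analytics traffic stays unreadable to it.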

But aren’t VPNs a good thing? Maybe for limited uses, thinks Midnight_Falcon:

Region shifting is one of few valid use cases—and it comes with some minor risk.

Unfortunately I’ve talked to many NordVPN subscribers—including unwitting CEOs that made it mandatory for their whole company to use at all times—who believe VPN equals security and you must have it, like McAfee antivirus in 1998. That’s how Meta snookered people into installing this spyware VPN, and how NordVPN keeps billing legions of subscribers monthly for near-useless services—unless they really do need region shifting!

Wait. Pause. Is there another side to the story? apimade has a more nuanced view:

Users took part in a study that gave Meta permission to analyse network traffic while using a VPN product. It required users to install a root CA.

Although this is incredibly shady, it’s nothing different to companies paying analytics companies which partner with VPN and adware companies to provide the same data. The only difference is Facebook owned the process end-to-end and didn’t mitigate the reputational risk associated with the collection.

At least this spyware was all-American. Fakeguy Madeupname sees the irony:

We need to ban TikTok because the Chinese are spying on us. Meanwhile, American social media companies:

Meanwhile, with a silly simile, here’s Rosco P. Coltrane:

Buying a VPN service from Zuckerberg is like getting financial advice from Sam Bankman Fried: How did those people even think this was legit?

And Finally:

I … can’t … even

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: USDA

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
