Meta Used Its Onavo VPN to Snoop on Users’ Encrypted Snapchat Traffic
Lorenzo Franceschi-Bicchierai, reporting for TechCrunch:
“Whenever someone asks a question about Snapchat, the answer is
usually that because their traffic is encrypted we have no
analytics about them,” Meta chief executive Mark Zuckerberg wrote
in an email dated June 9, 2016, which was published as part of the
lawsuit. “Given how quickly they’re growing, it seems important to
figure out a new way to get reliable analytics about them. Perhaps
we need to do panels or write custom software. You should figure
out how to do this.”
Facebook’s engineers’ solution was to use Onavo, a VPN-like service
that Facebook acquired in 2013. In 2019, Facebook shut down Onavo
after a TechCrunch investigation revealed that Facebook had been
secretly paying teenagers to use Onavo so the company could access
all of their web activity.
After Zuckerberg’s email, the Onavo team took on the project and a
month later proposed a solution: so-called kits that can be
installed on iOS and Android that intercept traffic for specific
subdomains, “allowing us to read what would otherwise be encrypted
traffic so we can measure in-app usage,” read an email from July
2016. “This is a ‘man-in-the-middle’ approach.” […]
Later, according to the court documents, Facebook expanded the
program to Amazon and YouTube. Inside Facebook, there wasn’t a
consensus on whether Project Ghostbusters was a good idea. Some
employees, including Jay Parikh, Facebook’s then-head of
infrastructure engineering, and Pedro Canahuati, the then-head of
security engineering, expressed their concern. “I can’t think of a
good argument for why this is okay. No security person is ever
comfortable with this, no matter what consent we get from the
general public. The general public just doesn’t know how this
stuff works,” Canahuati wrote in an email, included in the court
documents.
There’s the Facebook we know and love.
In 2018 Apple removed Onavo from the App Store, but the fact that Facebook was using Onavo in this way was known a year earlier.