Clicky

Facebook Used “Man-in-the-Middle” Approach To Snoop on Users’ Encrypted Traffic in Secret Project

Unsealed court documents reveal the full details.

If you’re tired of censorship and surveillance, subscribe to Reclaim The Net.

Unsealed court documents in California – part of a class action lawsuit filed by consumers against Meta and alleging anti-competitive behavior via deceptive data extraction – have revealed that back in 2016, Facebook came up with a secret project dubbed “Ghostbusters.”

We obtained a copy of the documents for you here.

What Facebook effectively did was use man-in-the-middle attack-style ways to intercept encrypted traffic, initially targeting competitor Snapchat (hence the project’s name, referring to the Snapchat logo), to later expand this to Amazon and YouTube.

An internal Facebook email sent by CEO Mark Zuckerberg included in the now unsealed documents explains why the company decided to take this type of action – apparently, to get access to “analytics” regarding Snapchat’s traffic, given that Facebook had none up until that point thanks to the app’s encryption.

The “analytics” referenced here was necessary for Facebook to improve its targeting signals.

“Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this,” Zuckerberg wrote to his underlings in the summer of 2016.

And so they set out to find a way to “intercept and decrypt,” that work being done by the giant’s In-App Action Panel (IAPP). Three years prior, Facebook bought Onavo, a company in the business of analyzing web traffic sent through its VPN, Onavo Protect, to gain access to statistics about how other apps are used.

We now know why that acquisition happened in the first place.

Three years after Ghostbusters was launched, in 2019, Facebook had to shut down Onavo after yet another unrelated scandal. And this was the same year when IAPP also apparently ceased operations.

As for the scandal developing now, members of the IAPP project came up with “so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, ‘allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” TechCrunch writes, quoting from one of the emails.

However, some of Facebook’s top engineers (unsuccessfully) pushed back against the idea, calling it “a legal, technical, and security nightmare.”

But not everyone had to be spied on: if they agreed to give Facebook data, that is. At least that’s how the class action lawsuit describes the relationship between Facebook and Netflix.

If you’re tired of censorship and surveillance, subscribe to Reclaim The Net.

Read more

Share this post

Reclaim The Net Logo

Join the pushback against online censorship, cancel culture, and surveillance.

Already a member? Login.