Details Emerge Of Facebook’s Long History Of Spying On Encrypted User Communications Across Different Apps And Services

from the privacy-violations-are-only-bad-when-somebody-else-does-it dept

Last week you’ll recall that after a closed-door intelligence briefing, some members of Congress leaked word to Axios that they were “shocked” by various TikTok behaviors.

Upon closer inspection, most of the stuff TikTok had been up to wasn’t at all different from the behaviors of a wide variety of foreign and domestic telecoms, app makers, tech companies, and data brokers, all happily exploiting the fact that the U.S. is too corrupt to pass a modern internet privacy law.

One of the things Congress was surprisingly “shocked” about was the fact that TikTok sometimes monitored the behavior of users while they used other apps. But here too, a long line of companies do this including data brokers, fixed line and wireless telecoms, and app makers. Your every last behavior online is tracked and monetized, often with little oversight and even less transparency.

Case in point: in 2018 we wrote about how Facebook got busted offering a “privacy protecting VPN” dubbed Onavo that was basically just spyware designed to track user behavior on other platforms. The app got kicked off of app stores after it was revealed that Facebook was paying teenagers to install the app so they could spy on them and gain insight into competitors.

This week a federal court in California released new information on that effort unveiled during discovery as part of a lawsuit between consumers and Meta, Facebook’s parent company.

The documents outline a project started in 2016 dubbed “Project Ghostbusters,” which involved “intercepting and decrypting” encrypted app traffic from users of Snapchat, and eventually users of YouTube and Amazon. The project, built at the direct request of CEO Mark Zuckerberg, basically involved creating a massive “man in the middle attack” (MITM) to spy on users at scale:

“After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, ‘allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,’ read an email from July 2016. “This is a ‘man-in-the-middle’ approach.”

Given the traffic between Snapchat users and servers was encrypted, it required that Facebook effectively develop spyware capable of accessing this data before it was encrypted and transmitted over the internet. Enter Onavo, a VPN company Facebook had acquired in 2013, then decided to lobotomize and turn into glorified spyware without making that clear to users.

From the documents, what is very clear is that Facebook executives at the time (like infrastructure engineering boss Jay Parikh and then head of security engineering Pedro Canahuati) knew that the project was a very bad idea:

“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”

Fast forward to 2020, when Facebook users Sarah Grabert and Maximilian Klein filed a class action lawsuit against Facebook for spying on users and lying about it. And here we are; maybe Facebook will see accountability, maybe not. It’s a dice roll in a country that doesn’t take consumer privacy seriously.

Of course in years since, data surveillance and monetization has expanded into a massive and barely regulated international coagulation of telecoms, app makers, data brokers, hardware vendors, and tech companies that hoover up an absolute ocean of personal data about your every movement, click, and brain fart, fail to secure it, then sell access to any nitwit with two nickels to rub together.

All under the pretense that this is ok because the data is “anonymized” (a meaningless term). And despite a rotating parade of quite dangerous scandals, the congressional response has been to do jack fucking shit. Unless, of course, we’re talking about a popular Chinese app that Facebook lobbyists want kicked out of the country because it’s been a competitive pain in their ass.

At some point, whether it’s a scandal involving mass fatalities or the embarrassing leak of the sensitive data of the rich and powerful (or hey, maybe both simultaneously!), there will be a scandal that makes all previous privacy scandals look like a summer picnic. At which point maybe Congress will be jostled from its corrupt slumber. Maybe.

Companies: facebook, meta, tiktok


Comments on “Details Emerge Of Facebook’s Long History Of Spying On Encrypted User Communications Across Different Apps And Services”

Arrest Zuckerberg for hacking. Give him the weev treatment.

— Anonymous

24 Comments
Anonymous Coward says:

If credit monitoring services can get away with a slap on the wrist for doxxing almost every American, I won’t hold my breath on accountability or rational privacy regulations making their way into congress.

BentFranklin (profile) says:

Re:

I seem to recall Cambridge Analytica getting access to Fascbook’s database back in 2016. No doubt the info obtained from this crime has long ago been delivered to our adversaries.

31Bob (profile) says:

Re: Re:

Why would they need it? Equifax “protected” the PCI of 140 million people by putting it all in a public facing database with default credentials.

Their penalty? Profits from the credit monitoring company they bought, then gave 2 years of free service for a lifelong problem.

Anonymous Coward says:

Re:

“Serves you right for using Facebook.”

I could be wrong but …
I thought a point of the article is that such nefarious behavior is occurring on numerous platforms/websites other than just facebook and tiktok.

Serves me right for using the internet? .. I suppose.
Now let me try to exist without use of the internet, see how far I can get – nah, not doin that. How does one obtain a job without use of the internet? Looking for a place to rent? Haha, just try it.

James Burkhardt (profile) says:

Re: Re:

A point Techdirt tries to make, one of Techdirt’s themes, is that consumer privacy isn’t simply a service level problem, that it’s an internet-wide problem, and blaming any single service is ignoring the forest for the trees.

The point of the article is to discuss contemporary revelations about a specific program that was one of many.

That said, your point stands. By connecting to the internet, OP has likely had dozens of companies siphon his data. The ISP he uses, or the VPN he uses, or both, his phone service provider, his phone manufacturer, his bank, whatever provider willing to be paid by dead drop he sourced his computer components from.

OP will likely claim they have incredibly complex security processes, and they think no one can get their data. This wouldn’t be the first time a commenter blamed Facebook users for privacy failures, and when pressed on what we should have done, such commenters always fall back on labyrinthine security process that relies on existing completely off grid homestead miles away from anything, and never engaging in society except to spend hours every day in a coffee shop rotating hundreds of online sockpuppets to avoid notice.

That One Guy (profile) says:

And yet Facebook is a good old ‘Murican company, so I’m sure the same politicians currently hyperventilating about how dangerous those commie Chinese people running TikTok are will be notably silent when it comes to Facebook getting caught red-handed spying on its users in a much more serious way.

andrea iravani says:

The swamp creatures believe that they are the only ones entitled to privacy, which is why the DHS Chief Privacy Officer is also the Chief FOIA Officer, which most information requests are either rejected or ignored, except for swamp creatures that want to prosecute Julian Assange and Edward Snowden. Edward Snowden has done more for America than the entire swamp which is politicians, the deep state, and the surveillance state. Julian Assange has also done more for America than the entire swamp. The swamp has a Nixon Plumbers Unit Mentality.

andrea iravani says:

Re:

The swamp is an organized crime ring and terrorist network. They are totally delusional and are fooling nobody but themselves. They just want to remain that way, keep all of the loot that they have illegally obtained, and never be prosecuted or held accountable for their high crimes, treason, organized crime, and medical fraud. Now their families will end up being the victims of the evil beast that they created. They are extremely stupid, useless, evil, lazy, greedy, perverted, sadistic degenerates that are biologically and genetically incapable of being civilized human beings. They only look like people, but they act like monsters like Ted Bundy and Jeffrey Dahmer.

The swamp creatures have uncivilized savage tribe lifestyles like head hunters and cannibals that parasitically feed off of everyone because they are too lazy, greedy, useless, and stupid to be able to survive without being evil predators. They are supposed to be public servants, but the public is forced to serve them, and all that we get in return for it is terrorized, ripped off, gas-lit, lied to, medical fraud committed against us, and murdered.

Being a swamp creature will not protect anyone from being a victim of the swamp either. Whistle blowing does not provoke swamp creature attacks, contrary to popular opinion, anything of greater value than a pair of sneakers or hub caps can trigger attacks by swamp creatures. The only ones that anyone ever hears about are the whistle blowers, but it pays off, look at how long Ted Gunderson survived their attacks for.

andrea iravani says:

Re: Re:

Swamp creatures despise each other so much that they want to keep their jobs, but never have to be in the same office as their co-workers, because of the swamp creature attacks. That is just their nature to be that way.

andrea iravani says:

Re: Re: Re:

As everyone has surmised, the swamp creatures are not even remotely working. They will not even answer or return phone calls. They are just bilking people, copping out, giving people the run around, and collecting money while America descends deeper and deeper into insolvency. Everyone took the attitude, let someone else do it, which is what happened in the murder of Kitty Genovese that prompted the creation of 911 emergency services. Even calling 911 is pointless. They fine people for calling them over national security emergencies and have murdered the people that called them for help on several occasions. Everyone in the swamp is just trying to loot as much as they can and get away with it. That is their only objective. The evidence proves it.

andrea iravani says:

Look at how long Daniel Ellsberg lived for, and they detested him and wanted to imprison him. They terrorized him. He outlived most of them though. No guts, no glory.
