Facebook's Onavo VPN used to wiretap competitor data, court filings reveal

Date:
Thu, 28 Mar 2024 09:51:49 +0000

Description:
Snapchat was the main target of "Project Ghostbusters", which used the controversial spyware-like VPN to access encrypted data. YouTube and Amazon came next.

FULL STORY ======================================================================

Facebook used its Onavo VPN system to illegally track its users when
accessing Snapchat and other competitors' apps, new unsealed court filings
can reveal.

So-called Project Ghostbustersechoing the iconic rival's logoappears to have been just the beginning of the wider In App Action Panel (IAAP) program which aimed to spy on competitors' traffic to gain commercial advantage. It's thought to have run between June 2016 and approximately May 2019, with
YouTube and Amazon being the next targets.

Meta, Facebook's parent company, employed its controversial VPN service as a way to intercept and decrypt the traffic between the people accessing its service and competitors' servers. The company shut down Onavo in 2019, following a TechCrunch investigation revealing the spyware-like VPN software was employed in a research project to collect sensitive user data from paid volunteers aged between 13 and 25. Facebook new tracking revelations

"Facebooks IAAP program conduct was not merely anticompetitive, but
criminal," read the filings revealed on March 26, 2024, by a federal court in California during the class action lawsuit between consumers and Meta.

Everything kicked off in June 2016 when Mark Zuckerberg, founder and CEO at Meta, actively requested its team to "figure out a new way to get reliable analytics" into Snapchat's encrypted data as the platform was starting to get more traction in the market.

The Onavo team took things into their own hands, coming up with a solution about a month later. They would use a method known as "SSL man-in-the-middle" to decrypt Snapchat's protected traffic to inform Meta's business decision-making. Man-in-the-middle is a popular cyberattack tactic for which perpetrators position themselves between a user (in this case, Facebook
users) and a given application.

It looks like the solution was so successful that it was later implemented on a larger scale also against other Facebook rivals, namely YouTube and Amazon starting in 2017 and 2018 respectively. This story is mind boggling, @lorenzofb have done a fantastic job navigating the complexity of how it unfolded.I drew a diagram here below for how the so called Project Ghostbusters" was executed form what I understand. https://t.co/s80raBw5NZ pic.twitter.com/YFJ66tpdHS March 26, 2024 See more

According to the court documents, Facebooks lawyers were "near-constantly involved in the design, deployment, and expansion" of the companys IAAP program.

However, as TechCrunch reported , not everyone working at Facebook was eager to cross this red line. For instance, the then-head of security engineering Pedro Canahuati expressed his concerns over the practice. "I cant think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesnt know how this stuff works," he wrote in an email.

Plaintiffs Sarah Grabert and Maximilian Klein filed the ongoing lawsuit against Facebook in 2020, accusing the company of lying about its data collection practices and deceptively extracting data from users to unfairly compete against new rivals in the market.



======================================================================
Link to news story: https://www.techradar.com/computing/cyber-security/facebooks-onavo-vpn-used-to -wiretap-competitor-data-court-filings-reveal


--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)