Details Emerge Of Facebook’s Long History Of Spying On Encrypted User Communications Across Different Apps And Service

by Karl Bode, from Techdirt

Last week, you'll recall, after a closed-door intelligence briefing, some members of Congress leaked word to Axios that they were "shocked" by various TikTok behaviors.

Upon closer inspection, most of the stuff TikTok had been up to wasn't at all different from the behaviors of a wide variety of foreign and domestic telecoms, app makers, tech companies, and data brokers, all happily exploiting the fact that the U.S. is too corrupt to pass a modern internet privacy law.

One of the things Congress was surprisingly "shocked" about was the fact that TikTok sometimes monitored the behavior of users while they used other apps. But here too, a long line of companies do this, including data brokers, fixed line and wireless telecoms, and app makers. Your every last behavior online is tracked and monetized, often with little oversight and even less transparency.

Case in point: in 2018 we wrote about how Facebook got busted offering a "privacy protecting VPN" dubbed Onavo that was basically just spyware designed to track user behavior on other platforms. The app got kicked off of app stores after it was revealed that Facebook was paying teenagers to install the app so they could spy on them and gain insight into competitors.

This week a federal court in California released new information on that effort, unveiled during discovery as part of a lawsuit between consumers and Meta, Facebook's parent company.

The documents outline a project started in 2016 dubbed "Project Ghostbusters," which involved intercepting and "decrypting" encrypted app traffic from users of Snapchat, and eventually users of YouTube and Amazon. The project, built at the direct request of CEO Mark Zuckerberg, basically involved creating a massive "man in the middle attack" (MITM) to spy on users at scale:

"After Zuckerberg's email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage," read an email from July 2016. "This is a 'man-in-the-middle' approach."

Given the traffic between Snapchat users and servers was encrypted, it required that Facebook effectively develop spyware capable of accessing this data before it was encrypted and transmitted over the internet. Enter Onavo, a VPN company Facebook had acquired in 2013, then decided to lobotomize and turn into glorified spyware without making that clear to users.

From the documents, what is very clear is that Facebook executives at the time (like infrastructure engineering boss Jay Parikh and then head of security engineering Pedro Canahuati) knew that the project was a very bad idea:

"I can't think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn't know how this stuff works."

Fast forward to 2020, when Facebook users Sarah Grabert and Maximilian Klein filed a class action lawsuit against Facebook for spying on users and lying about it. And here we are; maybe Facebook will see accountability, maybe not. It's a dice roll in a country that doesn't take consumer privacy seriously.

Of course, in the years since, data surveillance and monetization have expanded into a massive and barely regulated international coagulation of telecoms, app makers, data brokers, hardware vendors, and tech companies that hoover up an absolute ocean of personal data about your every movement, click, and brain fart, fail to secure it, then sell access to any nitwit with two nickels to rub together.

All under the pretense that this is ok because the data is "anonymized" (a meaningless term). And despite a rotating parade of quite dangerous scandals, the congressional response has been to do jack fucking shit. Unless, of course, we're talking about a popular Chinese app that Facebook lobbyists want kicked out of the country because it's been a competitive pain in their ass.

At some point, whether it's a scandal involving mass fatalities or the embarrassing leak of the sensitive data of the rich and powerful (or hey, maybe both simultaneously!), there will be a scandal that makes all previous privacy scandals look like a summer picnic. At which point maybe Congress will be jostled from its corrupt slumber. Maybe.
