Facebook: We install a root CA on the device and MitM all SSL traffic (documentcloud.org)
130 points by typeofhuman 31 days ago | 29 comments



> The communications at issue relate to Facebook’s so-called In-App Action Panel (“IAAP”) program, which existed between June 2016 and approximately May 2019. The IAAP program, launched at the request of Mark Zuckerberg, used a cyberattack method called “SSL man-in-the-middle” to intercept and decrypt Snapchat’s — and later YouTube’s and Amazon’s — SSL-protected analytics traffic to inform Facebook’s competitive decisionmaking. As described below, Facebook’s IAAP program conduct was not merely anticompetitive, but criminal.

> ..This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices, see PX 414 at 6, PX 26 (PALM-011683732) (“we install a root CA on the device and MITM all SSL traffic”), also included custom server-side code based on “squid” (an open-source web proxy) through which Facebook’s servers created fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis.

Here's a link to the PDF document: https://s3.documentcloud.org/documents/24514262/discovery-br...


Not to defend this practice, but some missing context here (AFAIK, I wasn't involved): this isn't the FB app, but apparently "Onavo Protect" followed by "Facebook Research" apps, the latter of which reportedly explicitly paid people to install it for the express purpose of collecting this kind of data.


Yeah, it's tough to figure out who was harmed here. "Can we install an SSL MITM attack on your device?" "Sure, for money!" "Here's some money."

I mean, this is literally every big company IT department.

The best argument I could see that would lead to this succeeding is if someone at Facebook accepted the Snapchat ToS and it said "you can't use MITM to intercept our traffic". Otherwise, fair game, done billions of times a day. (Pin your certs, friends.)


It seems like the logic for the lawsuit is that Snapchat and other advertisers had something in their ToS with words to the effect of "thou shalt not let our competitors packet capture our traffic" and Facebook induced the customers to breach that agreement. The Wiretap Act stuff seems like nonsense though. If the consumer installed software with their informed consent to record their phone use, that's not illegal wiretapping.


At least not federal wiretapping. It would be wiretapping in the subset of states that require all parties to the communication to consent to monitoring/recording, which includes California, where Facebook/Meta is headquartered.


With user consent and communication, it's not as evil as others are trying to make it sound.

The arguable legal gray area is: If a user gives unlimited permission to do so, is decrypting another company's network traffic on device legal? I fall on the side of the fence that it's okay with consent because not even that other company has unlimited and exclusive ownership of a user's data or network packets preflight on their own device.

Btw at Meta/Facebook, even the data about employee devices has privacy filters on collected analytics because location, IP address, MAC address, serial number could be used maliciously by a rogue employee targeting other individual employees if there weren't protections (like Twitter was). Instead, almost all data at Meta is uniformly stored with hard privacy ACLs that, by default, prevent casual exploration. In other words, if I worked at Facebook and knew your Facebook accounts' graph FBID, I would be presented with minimal-to-no information about it and a "make a request for access for business use" dialog that is rarely granted by an appropriate manager or senior trusted person except for actual business needs. Even browsing my own Facebook account by FBID in the graph, I couldn't see all of the details, just a bunch of uninteresting housekeeping and general details. In general, they took at-rest storage of personal information seriously.


(It makes me wonder, if I am forced to communicate to a remote API, does this communication belong to this company? Hmm. And when someone talks with me, my human interface, developed and refined over years, can I charge for it? :)


Users voluntarily install an app that spies on them because they want money. How is this news? Maybe it's news to the people who never installed the app, and maybe the methods that were used were interesting, but if it was voluntary, even if the users didn't understand the technical means but did understand what data was being spied on and collected, I don't see the harm.

These are also the same methods that companies use to spy on their employees. There is a vast number of firewalls that do this automatically. Companies absolutely have the ability to deploy trusted certs on every device that is within their control. This includes when people link their personal device to their company's email portal and it requests all those permissions to control your phone.

I have no love for Facebook, but it seems they were being more upfront about what was going on than your average corporation is with their employees.

Google runs their own app check study that you can be a part of. When part of this program you will install an app on your phone that takes screenshots of what you're looking at on your phone and sends them to Google. You are paid for this. Google even sends you a Pixel phone to do this on and requests that you use it as your normal phone. And while it does attempt to not take screenshots of some apps that are considered private, it absolutely will grab those screenshots by accident at times.


Reading all of a user’s data and using it for competitive research is not a reasonable term for any ToS, and users can’t meaningfully consent to something that invasive.


Well, to be fair, in the Apple App Store which itemizes the invasiveness, they can.


Alternate link to PDF document:

https://ia802908.us.archive.org/29/items/gov.uscourts.cand.3...

15 years in, Zuckerberg is still a gross liability when asked to give sworn testimony under questioning by a competent professional. It is a disaster for Facebook waiting to happen.

https://ia802908.us.archive.org/29/items/gov.uscourts.cand.3...

HN comments are ignoring the elements of a wiretapping claim. No injury or damage, no "harm", is required in order to be convicted.

https://www.law.cornell.edu/uscode/text/18/2511

That someone may have paid to use an app, or otherwise voluntarily used an app, or that other companies may engage in similar practices does not provide an exception to the federal crime of wiretapping; it does not absolve Facebook of culpability. If the target of the wiretap consented to be surveilled, then one would think the plaintiffs' attorneys would be aware of this fact. This document alleges there is no exception that Facebook can rely on.

When Google has been accused of wiretapping, and this has happened multiple times, it has always settled the claims rather than defend itself against them. It is being sued yet again for wiretapping at this very moment.


From the First Amended Complaint:

"239. Indeed, the amount of surveillance was jaw-dropping. Facebook's Onavo Protect app reported on users' activities whether their screens were on or off; whether they used WiFi or cellular data; and even when the VPN was turned off. There was simply no rational relationship between the data collected and the purported purpose of the application. Put simply, a VPN that collected data even when the VPN was off was an obvious subterfuge for blatant spying on user behavior.

240. Undeterred, Facebook repackaged its Onavo spyware as a Facebook Research VPN app. Facebook sidestepped the App Store by rewarding teenagers and adults when they downloaded the Research app and gave it root (superuser) access to network traffic on their mobile devices. Facebook has been leveraging its Onavo code in similar ways since at least 2016, administering the program under the codename Project Atlas, a name suited to its goal of surveilling app usage on mobile devices in real time.

241. When the news broke in January 2019 that Facebook's Research apps were repackaged Onavo apps designed to spy on users, Facebook immediately withdrew the programs from the Apple App store."


This validates my decision never to use Facebook or other social media apps on my phone or desktop. I know that they already know me because I was unable to talk some in my family out of joining and using their "services".

When I was young and almost a teenager we had a different set of social diseases that we worried about. Those were the days, my friend.


A few years ago several services across the Internet stopped working, among them Spotify. I was a Spotify user and had a premium subscription.

It was revealed that these crashes were due to these apps loading in a JavaScript file from Facebook.

Everyone thought I was crazy when I canceled Spotify later that week and stopped using every single affected app moving forward, because I don't trust Facebook.

They have their tendrils in everything.


Yes. It is very difficult to avoid getting snared by FB and other social networks. I try to block traffic on my network but have no real idea of how effectively it works for me.


This validates the need to stop all commercialization of proprietary software...


Top of page 2. Never install these apps on your phone.


And that, kids, is why you should use certificate pinning when developing mobile apps.
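Certificate pinning, as this comment and an earlier one in the thread recommend, shown as an added Go example that is not from the thread or from any of the companies discussed: a hook in the shape of tls.Config.VerifyPeerCertificate that accepts a handshake only when the server's SPKI hash is in a pin set, so a leaf certificate minted through a device-installed root CA is refused even though the OS trusts that CA. The certificates it generates are constructed for the demo, and spkiPin, verifyPinned and selfSignedDER are names chosen here, not any library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
)

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the form of pin that mobile pinning libraries (OkHttp, TrustKit) compare against.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned has the shape of tls.Config.VerifyPeerCertificate. Go still does
// ordinary chain validation first; this hook runs afterwards and rejects any leaf
// whose public key is not in the pin set, so a certificate minted by a locally
// installed root CA (trusted by the OS, as in the Onavo/Research setup) fails.
func verifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if !pins[spkiPin(leaf)] {
			return errors.New("leaf public key does not match any pin")
		}
		return nil
	}
}

// selfSignedDER builds a throwaway certificate (constructed for this demo, not any
// real server's) so the pin check can be exercised without network access.
func selfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

To use it, set VerifyPeerCertificate: verifyPinned(pins) on the client's tls.Config and ship the pin set with the app, keeping a backup pin for key rotation.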



What I find really surprising is that Amazon has not sought criminal prosecution of Meta.

Even if in all cases a user selected to allow Facebook/Meta to see what they were communicating, which from reading all of the attached documents I don't believe was the case, I don't see how Amazon gave consent.

If some individual had done what Facebook/Meta did, I can't see a situation where Amazon wouldn't have asked for criminal prosecution.

Mastercard and Visa? It would be surprising to see how they would just shrug this off; maybe this hasn't hit their radar yet.


If anyone wonders why Facebook et al. would like a channel to distribute their own apps without getting blocked...

See also: https://stratechery.com/2024/apple-and-the-monopoly-question...


Gotta love the actionable utilization of business synergy here:

> asking for “out of the box thinking” on a task that “is really important.”

> we are going to figure out a plan for a lockdown effort during June to bring a step change to our Snapchat visibility. This is an opportunity for our team to shine.”


How is this even possible on a mobile device?

Edit: they paid people to do it: https://techcrunch.com/2019/01/29/facebook-project-atlas/


Right, I think the violation here is misrepresenting what the app did. Users had to actively install this on their own devices.


It's not even that, they didn't misrepresent what it did.


The page doesn't load for me. Is this true?


Does this snapshot on the Wayback machine work for you?

http://web.archive.org/web/20240329040246/https://www.docume...


And yet those advocating MITM proxies for filtering traffic to block ads and fix other common user-hostility often receive plenty of scorn from the "security community"...


> Facebook: We install a root CA on the device and MitM all SSL traffic

Yes, but Facebook is a trusted entity, not like Achmed. /s




