Facebook snooped on users' Snapchat traffic in secret project, documents reveal

Meta tried to gain a competitive advantage over rivals including Snapchat, and later Amazon and YouTube, by analyzing its users' network traffic to see how they were interacting with those competitors' apps. Because those apps encrypt their traffic, Facebook needed to develop special technology to get around the encryption.

Facebook’s engineers’ solution was to use Onavo, a VPN-like service that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, “allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” read an email from July 2016. “This is a ‘man-in-the-middle’ approach.”

A man-in-the-middle attack, nowadays also called adversary-in-the-middle, is an attack where an interceptor sits between one device and another on the network and relays the traffic flowing between them. When that traffic is unencrypted, the interceptor can read the data inside, such as usernames, passwords, and other in-app activity. When it is encrypted, the interceptor typically has to get the client to trust a certificate it controls, so it can terminate the encryption on its side and re-encrypt towards the real server; that is what the kits described in the email were built to do.

Pantherina,

Learning: VPN services are tracking instruments, not some magic tool.

And it’s not even new…

OsrsNeedsF2P,

Google VPN, anyone?

sturmblast,

Roll your own vpn.

BurningnnTree,

I must be way out of the loop, cuz I had no idea this was possible. So does this mean the Facebook app on my phone has permission to view all of my network traffic? Why do Android and iOS allow this? Shouldn’t that be a special permission that can only be granted explicitly?

diffusive,

Nope, because the Facebook app is not a VPN service, so it cannot intercept traffic.

What is unclear from the article is how they circumvented the certificate check on the app side. Probably (given this was many years ago) these apps weren’t setting up certificate pinning/HPKP.

phx,

In theory, yes. In practice, if they found some sort of exploit that allowed this I’d 100% not be surprised if Meta took advantage of it. The Facebook app is malware.

xantoxis,

The world would be a better place if Mark Zuckerberg accidentally got sucked into a jetski engine somehow

Nonononoki,

Wait, how does a VPN break TLS encryption?

waitmarks,

It doesn’t. What this is suggesting is that the VPN was routing traffic through it so they could analyze Snapchat traffic: not the contents of it, but essentially metadata analysis of the traffic. How often it was sending data, how much data, where it was going, etc.
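
What the comment above describes can be made concrete. The following is an added example in Go, not code from the article or from anyone in this thread, showing what a VPN endpoint can pull out of a TLS connection without breaking the encryption: the server name announced in the ClientHello (plaintext in TLS 1.2 and in TLS 1.3 without Encrypted ClientHello), plus per-destination connection counts and byte totals. The hostnames, byte counts and the `BuildClientHello` helper are constructed for the example; the helper only exists so the parser has sample records to chew on offline.

```go
package main

import (
	"errors"
	"fmt"
)

// cursor is a bounds-checked reader over a byte slice; any short read sets bad.
type cursor struct {
	b   []byte
	bad bool
}

func (c *cursor) take(n int) []byte {
	if c.bad = c.bad || n < 0 || len(c.b) < n; c.bad {
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

// num reads an n-byte big-endian unsigned integer (0 on a short read).
func (c *cursor) num(n int) int {
	x := 0
	for _, b := range c.take(n) {
		x = x<<8 | int(b)
	}
	return x
}

// ExtractSNI walks a TLS record carrying a ClientHello and returns its server_name.
// Every byte read here is plaintext on the wire (TLS 1.2, and TLS 1.3 without
// Encrypted ClientHello), so a VPN endpoint gets it without touching any keys.
func ExtractSNI(rec []byte) (string, error) {
	c := &cursor{b: rec}
	if c.num(1) != 0x16 || c.take(4) == nil || c.num(1) != 0x01 {
		return "", errors.New("not a TLS ClientHello record")
	}
	c.take(3 + 2 + 32)                                   // handshake length, client_version, random
	c.take(c.num(1)); c.take(c.num(2)); c.take(c.num(1)) // session_id, cipher_suites, compression_methods
	ext := &cursor{b: c.take(c.num(2))}
	for !ext.bad && len(ext.b) > 0 {
		typ, data := ext.num(2), ext.take(ext.num(2))
		if typ != 0 || data == nil { // extension type 0 = server_name
			continue
		}
		sn := &cursor{b: data}
		sn.num(2) // ServerNameList length
		for !sn.bad && len(sn.b) > 0 {
			nameType, name := sn.num(1), sn.take(sn.num(2))
			if nameType == 0 && name != nil { // host_name
				return string(name), nil
			}
		}
	}
	if c.bad || ext.bad {
		return "", errors.New("truncated ClientHello")
	}
	return "", errors.New("no SNI extension")
}

// BuildClientHello assembles a minimal TLS 1.2 ClientHello record announcing sni.
// It exists only to fabricate sample traffic offline.
func BuildClientHello(sni string) []byte {
	name := []byte(sni)
	sn := append([]byte{0, byte(len(name) >> 8), byte(len(name))}, name...)    // host_name entry
	list := append([]byte{byte(len(sn) >> 8), byte(len(sn))}, sn...)           // ServerNameList
	ext := append([]byte{0, 0, byte(len(list) >> 8), byte(len(list))}, list...) // extension type 0
	body := append([]byte{3, 3}, make([]byte, 32)...)                          // version + zero random (constructed)
	body = append(body, 0, 0, 2, 0xc0, 0x2f, 1, 0)                             // no session, one suite, null compression
	body = append(body, byte(len(ext)>>8), byte(len(ext)))
	body = append(body, ext...)
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

// Flow is one constructed connection: the client's first record and the bytes exchanged.
type Flow struct {
	ClientHello []byte
	Bytes       int
}

// Usage is what a VPN can tally per destination from metadata alone.
type Usage struct{ Connections, Bytes int }

// Summarize groups flows by the SNI they announce; per-domain (hence per-app)
// activity falls out without decrypting anything.
func Summarize(flows []Flow) map[string]Usage {
	out := map[string]Usage{}
	for _, f := range flows {
		host, err := ExtractSNI(f.ClientHello)
		if err != nil {
			host = "(no SNI)"
		}
		out[host] = Usage{out[host].Connections + 1, out[host].Bytes + f.Bytes}
	}
	return out
}

func main() {
	// Constructed traffic; the hostnames are placeholders, not real services.
	flows := []Flow{
		{BuildClientHello("api.chatapp.test"), 1200},
		{BuildClientHello("api.chatapp.test"), 800},
		{BuildClientHello("cdn.videoapp.test"), 50000},
		{[]byte{0x17, 3, 3, 0, 0}, 100}, // application-data record: nothing to read
	}
	for host, u := range Summarize(flows) {
		fmt.Printf("%-20s %d connections, %d bytes\n", host, u.Connections, u.Bytes)
	}
}
```

The point of the example is that none of this needs a root certificate or any cooperation from the app: the destination name, timing and volume are visible to whoever terminates the tunnel, which is already enough for the "how often, how much, where" measurements described above. Reading the contents would need the man-in-the-middle kits the article describes.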

sturmblast,

this is the answer

pup_atlas,

The VPN adds its own root certs to the device, and just terminates TLS at the gateway, then establishes a second TLS tunnel to the device.

Natanael,

It can’t do that silently; the user has to approve installation of root certs. This only works silently with apps which have broken (insecure) cert validation.
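
The two comments above are arguing about exactly the gap that certificate pinning (mentioned earlier in the thread) closes. Here is an added example in Go, not the page's own code and not anything Onavo or Snapchat shipped, that mints a throwaway "real" CA and a throwaway "VPN Interception Root" (both names and the `api.chatapp.test` hostname are made up) and shows the difference between a client that only validates the chain and one that also pins the server's key. Once the user has approved the extra root, plain chain validation accepts the interceptor's leaf; the pinned check rejects it and still accepts the genuine one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint issues a certificate for tmpl signed by parent (self-signed when parent is nil). Test-data helper only.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds either a CA or a server-auth leaf template for name.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

// SPKIPin is the "sha256/..." form HPKP and OkHttp's CertificatePinner use: a hash of the
// SubjectPublicKeyInfo, so it is independent of who signed the certificate.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyChain is what an ordinary TLS client does: accept any leaf chaining to a trusted root,
// including a root the user was talked into approving.
func VerifyChain(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// VerifyPinned adds the pinning app's check: chain valid AND the leaf key is one the app shipped with.
func VerifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins []string) error {
	if err := VerifyChain(leaf, host, roots); err != nil {
		return err
	}
	for _, p := range pins {
		if p == SPKIPin(leaf) {
			return nil
		}
	}
	return errors.New("pin mismatch: leaf key is not one the app trusts, possible interception")
}

// Scenario models a device whose trust store holds the real CA plus a user-approved interception
// root, handed the interceptor's leaf for host. Returns chain-only, pinned (interceptor), pinned (genuine).
func Scenario(host string) (chainOnly, pinnedMITM, pinnedReal error) {
	realCA, realKey := must(mint(template("Real Public CA", 1, true), nil, nil))
	mitmCA, mitmKey := must(mint(template("VPN Interception Root", 2, true), nil, nil))
	realLeaf, _ := must(mint(template(host, 3, false), realCA, realKey))
	mitmLeaf, _ := must(mint(template(host, 4, false), mitmCA, mitmKey))
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(mitmCA) // the root the VPN profile asked the user to approve
	pins := []string{SPKIPin(realLeaf)}
	return VerifyChain(mitmLeaf, host, roots),
		VerifyPinned(mitmLeaf, host, roots, pins),
		VerifyPinned(realLeaf, host, roots, pins)
}

func main() {
	a, b, c := Scenario("api.chatapp.test")
	fmt.Println("chain-only check on intercepted leaf:", a)
	fmt.Println("pinned check on intercepted leaf:   ", b)
	fmt.Println("pinned check on genuine leaf:       ", c)
}
```

The caveat a practitioner would add: pinning only protects apps that implement it, and only as long as the pins are not bypassed on the device itself (an attacker with root, or an app whose validation is already broken as the comment above says, is a different story). It also explains why the "kits" in the article needed to be specific to subdomains rather than a generic VPN feature.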

pup_atlas,

Can’t do it silently, but it’s not uncommon for root certs to come along with a VPN. I wouldn’t be surprised to see that it’s built into the VPN profile API on Android and Apple devices.

TORFdot0,

Certainly they weren’t actually planning on finding a way to get people to install a VPN to decrypt their traffic just to use Facebook, right?

That’s why they paid teenagers to use the VPN so they could get some “guerrilla market research”.

Even in 2013 apps didn’t have the permission to install a device-level VPN without some unspecified exploit. 0 chance Facebook would literally hack people’s phones, right?

Right?

state_electrician,

What a fucking piece of shit.

LEDZeppelin,

Delete this shit from your phones asap

Zuck Fuckerberg

PoolloverNathan,

Yeah, they’re making it a system app now. Can’t be uninstalled without adb, and most people don’t know how.

thorbot,

Can’t delete something that was never there in the first place

TheDarksteel94,

I was thinking of buying a Meta Quest 3, because of a lack of similar devices. I wasn’t really seriously considering it, but I sure as hell am not at all now.

OsrsNeedsF2P,

I’ve got one. All I’ll say is don’t buy a VR headset anytime soon.

Adanisi,

Let that parasite rot in prison.

And can somebody split Meta already? Please and thank you.

thorbot,

Yeah, he won’t

OsrsNeedsF2P,

Why split Meta? The poor mom and pop shop only makes 350 million in revenue… Every day…

rottingleaf,

Shocked, I tell you

HootinNHollerin,

Lock that turd up already

Sgn,

This is why tiktok shouldn’t be banned it will only benefit zucck

atrielienz,

Nah. Ban these companies or don’t, we need user privacy protection laws.

MataVatnik,

And people want to let these parasites integrate into the fediverse

ramble81,

Please tell me what governing body exists for the fediverse that would let us deny them access?

QuandaleDingle,

Do you know how the Fediverse works? Instance maintainers who are less than thrilled with Meta can choose to defederate from Threads.

ramble81,

Exactly my point. It’d be on an instance by instance basis, there is no “singular group” that can block them from the entire fediverse.

knightly,

The whole point of federation is that you aren’t locked in the sinking ship. If everyone is defederating from your instance you can move to a better one.

ramble81,

Yes, but to realistically keep Threads from federating and utilizing people’s posts, every single instance owner would have to defederate. 1) that’s not likely, and 2) that’s a unilateral decision by the instance owner. I’m looking at things from a realistic standpoint, not an idealistic one.

knightly,

The only places Threads can federate with are instances that are so poorly managed that they don’t even block Threads.

CosmicCleric,

The only places Threads can federate with are instances that are so poorly managed that they don’t even block Threads.

Or are paid not to block.

ramble81,

Which is probably a lot more than would be expected.

knightly,

So long as my instance continues to block instances that don’t block threads, I’m happy.

I don’t need a public-facing microblogging service, I like having my own little dark corner on the internet. pluralistic.net/2024/…/evacuate-the-platforms/

ramble81,

Good for you, but that won’t help the majority of people who don’t know how or can’t run their own instance. Also, the moment you make a post out to one of those instances that hasn’t defederated, Threads will just hoover your post right up. You’ll isolate yourself, sure, but not your posts or interactions. Welcome to ActivityPub.

brbposting,

I do suppose it’s better to only be implicitly training language models and making public posts which anyone is free to screenshot or repurpose compared to explicitly propagating all posts to Meta.

knightly,

Good for you, but that won’t help the majority of people who don’t know how or can’t run their own instance.

Why would I want to see posts from people on social networks who care so little about social networking that they’ve joined a corporate app?

Also, the moment you make a post out to one of those instances that hasn’t defederated, Threads will just hoover your post right up.

It’s not ideal, for sure, but at least I won’t have to see any posts from threads.

ramble81,

Except my entire point hasn’t been about you, but you made it all about you. My original statement that there is no single source that can prevent threads from joining and interacting with the fediverse and that’s going to affect most people. I’m glad you have the know how to run things yourself but my statement was never about just “you”.

knightly,

And?

I’m not most people, I’m me.

I’m not about to let other people’s ignorance about the social media landscape keep me from enjoying my niche.

ramble81,

So then why do you keep replying? That’s where I’m lost. You derailed it to be about you and then you kept on it.

knightly,

You were the deraileur when you decided that my comment about my own personal tastes was insufficiently generalizable. XD

ramble81,

You’re just gonna keep responding until you have the last comment, aren’t you?

Aatube,

Mildly interesting: A derailleur is not the same as a derailer.

admin,

I wouldn’t call lemmy.world poorly managed.

ieatpillowtags,

How is this a relevant question? Nobody said anything about some governing body. There have been discussions on many instances about whether to federate with them or not, and it’s accurate to say that some people think we should.

Pips,

For example, I’m personally of the opinion that instances should be allowed to federate until they prove themselves to be bad actors, but in Meta’s case there’s a lot of existing evidence that shows they shouldn’t be allowed to federate in the first instance.

MataVatnik,

Meta is the textbook definition of a bad actor. Plenty of precedent there.

JoBo,

Who do you imagine is (or should be) making these rules for the Fediverse?

Pips,

Every instance gets to decide on its own, there’s no set of rules governing the whole thing. That’s why I stated this is my opinion, not some hard and fast rule.

JoBo,

You stated it very much as a set of rules that should exist. Twice.

towerful,

For example, I’m personally of the opinion …

Are you replying to the correct person?

JoBo,

Yes. Did you forget how to quote your whole post?

A_Random_Idiot, (edited)

It’s also accurate to say some people are fucking idiots and think we should federate.

On the wax-winged hope in hell that the bad actor suddenly, miraculously, becomes a good actor… for reasons no one can explain.

MataVatnik,

I’m more specifically thinking about the big ones when this debate was going on about a couple of months ago.

nuzzlerat,

honest question: why does it matter? all data in any fediverse project is public anyways

MataVatnik,

For me it’s not really about the data, it’s unforeseen malicious maneuvers outside data: sabotaging instances, manipulating feeds for their gain, or trying to still centralize the fediverse, undermining the whole concept. My point is, we don’t know what bad thing they could/would do, they are creative. But we sure as fuck know it’s an evil organization and they can’t be trusted.

nuzzlerat,

that’s fair. I fully believe they could pull some fuckery that would make everything worse

redfox,

I’m sure corporations like this would give you free Internet if they could collect and sell all your data. I’m also sure people would still do it, regardless of how much they are being monetized as a product.

Since companies like Facebook own legislators, our only real choice is to stop using it. Unpopular opinion, but if you really want to fuck Zuck, delete your account, and get all your friends and family to as well. Maybe there are some alternatives for the people who truly use the service to connect with friends/family?

HootinNHollerin,

shitbook does that in the Philippines

neutron,

I’m sure corporations like this would give you free Internet if they could collect and sell all your data.

Already a thing. I see them advertised everywhere for prepaid plans and people go ‘omg Facebook/Whatsapp/Instagram/TikTok for free!!1!’.

webghost0101,

I dunno, seems like the goal is to get you to buy a subscription to hold your data hostage in their cloud.

And somehow, for enough gullible customers, it’s actually working.

rtxn,

corporations like this would give you free Internet if they could collect and sell all your data

Facebook Zero is more or less what you described.

Senseless,

The free Internet if you give them your data is already a thing. I saw an ad in Germany where you get unlimited free internet access (can’t remember if it was a data plan for phones or cable / fibre service) if you use their “payment partner” for your usual payments like rent, loans and salary. So they basically can see your daily payments and will use and sell this data in exchange for “free” Internet access.

The company, its investors and the corporation behind it lead to a weird network of people and a corp in Dubai. It’s all quite shady really.

redfox,

Wow, that is weird. I honestly just made that up in my head when I wrote it.

The saying is true, if it’s free, you’re the product.

I don’t actually know why I care about that level of privacy. Some of us are quite fine with companies or their government having any information about them. Some are very opposed.

Maybe I dislike the idea that information could be used against me somehow or they’re making even more money than I’m already paying in some hypothetical case. Not sure.

Senseless,

I work in IT, so you might think I’d be more into the topic and thus more careful with my data. There are a lot of colleagues of mine that don’t care one bit. Some even jokingly call me paranoid.

Sure, I use GrapheneOS, a de-googled Android OS, made the switch from Gmail to Tuta (formerly Tutanota), a privacy and security focused mail provider, and use my own domain for mailing.

Then there are some other measures in place like AdGuard and Pi-hole to block ads and trackers. I think that’s the bare minimum, especially if you’re working in IT. It doesn’t cost much, the setup is straightforward and the benefits are huge. I haven’t had any ads in my network for years.

I’m currently switching from Windows to Linux as my daily driver. There are some issues with getting some games to run, but as soon as they do I’m switching for good.

There are some easy things one can do, even without any expertise in IT. There are even things you can do that aren’t finicky (like Linux troubleshooting). People are just way too comfortable.

Maybe they should watch the documentary about Edward Snowden, Citizenfour. That might change their mind.

redfox,

I watched that. Didn’t surprise me one bit.

The overreaching government apparatus doesn’t inherently bother me, but we’re really placing a lot of power and trust in those people, and that does concern me.

rtxn,

Every 60 seconds in Africa, a minute passes.

HeadfullofSoup,

And this fact is more surprising than Meta spying on people
