Saying we’re going to do “traffic monitoring” doesn’t carry the weight of “we are going to listen to your private conversations”.
edit: I think this is something I wouldn't call informed consent: "Of particular concern was that users as young as 13 were allowed to participate in the program. Connecticut Senator Richard Blumenthal criticized Facebook Research, stating "wiretapping teens is not research, and it should never be permissible. This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior.""[1]
But what will happen when they get caught stealing each other's surveillance booty?
They hired Snapchat users (via a testing services provider) to let Meta observe their usage of Snapchat.
Something akin to paying someone to let a Meta researcher sit by your side and observe while you use the app.
This happens all the time (hiring the testing services to recruit users to use your own app and analyze the patterns with screen recordings and such).
The news here is paying for someone to “test” a competitor’s app.
I hope that the testers knew they had Snapchat analyzed and not that they were told they were testing only Onavo.
> Something akin to paying someone to let a Meta researcher sit by your side and observe while you use the app.
Onavo Extend and Onavo Protect positioned themselves as providing consumer-oriented benefits (bandwidth reduction and security, respectively).
> The news here is paying for someone to “test” a competitor’s app.
Facebook acquired Onavo in 2013, so this was 100% a first-party effort to turn their first-party products into spyware.
I'd not last a single day at such a company that would ask me to do such things. I had worked for a national political party in IT and left the job once I found out about its corrupt practices and scams.
If we, as engineers, collectively upheld ethics as part of work culture, Meta wouldn't have attempted it.
Just saying, it's really hard when your job or even your future green card is on the line. When the grunt engineers are 1 mistake away from being sent away from the US and losing all their potential futures in the US, they are much more likely to bury their heads and carry out what they are told by the managers.
We need to go for the higher ups more.
Sorry but what?
For example, all the usual arguments against backdoors are going to be used by intelligence agencies to justify "providing assistance", which isn't even merely a euphemistic excuse given how incredibly valuable it would be for normal organised crime to spy on some of the encrypted data… but also is at least a bit of a euphemism, as I have to assume the controversies about terrorist groups using Cloudflare are only permitted to happen because someone in US intelligence knows how to squeeze secrets from those groups.
In theory, messing with SSL is one of Cloudflare's features, not a secret; in practice I suspect most end users treat all this as magic — I've directly witnessed magical thinking with the padlock icon in browsers.
*most willing customers of CloudFlare.
Users consent to Facebook seeing their traffic and it's suddenly a problem?
(Source: https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-h...)
I hate FB, but all big platforms these days will cooperate with federal agencies in cases like the one described. Doesn't make them "state actors".
https://mashable.com/article/facebook-used-onavo-vpn-data-to...
Also noteworthy is that Google were also doing something similar at the time, both were side-stepping Apple's privacy protections in iOS by using enterprise certificates that allowed the side-loading of apps without Apple's overview. In response Apple more thoroughly restricted how these certificates can be used.
Interestingly I've noticed in the DMA threads people suggesting that a company exploiting side-loading to dodge Apple's privacy protections was nothing more than fear mongering. As if this is a red line developers won't cross.
To me, it's wild to think that people on HN don't know about this relatively recent history and are so naive as to think that these protections were just pulled out of the air to frustrate developers, and not a reaction to an on-going arms war against consumers' right to privacy.
(1) https://www.extremetech.com/internet/284770-apple-kills-face...
IMO we have modern journalism to thank for this sort of thing. People are so misinformed with rage bait articles that they push against policies in their own interest.
But if anyone dare suggest enforcing some minimum level of journalistic ethics they'll get attacked because somehow journalists have painted themselves as some sort of unassailable paragon of righteousness.
https://s3.documentcloud.org/documents/24520332/merged-fb.pd...
Here is Meta's response:
https://ia802908.us.archive.org/29/items/gov.uscourts.cand.3...
Meta denies that they violated the Wiretap Act but offers no evidence of consent. (They try, but it is a laughable attempt.) Meta is also arguing the documents are not relevant. Meta claims the VPN app intercepting communications with other companies that sell online ad services, e.g., Snap, was not anti-competitive. It was just "market research".
Why is Meta so afraid to produce documents about "market research"?
Meta does _not_ deny that they intercepted communications. From the attention this is getting on HN, MalwareBytes, etc. it seems clear no one using the VPN app would have expected Meta was conducting this interception. It is difficult to imagine how anyone could have consented to interception they would never have expected.
Additional details:
https://ia802908.us.archive.org/29/items/gov.uscourts.cand.3...
Apparently Facebook was using a "really old" version of squid.
"... the Wiretap Act provides that an interception is not unlawful if a party to the communication “has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). Advertisers conspicuously fail to mention—and apparently do not contest—that Meta obtained participants’ prior consent to participate in the Facebook Research App, and with good reason: Participants affirmatively consented to “Facebook … collecting data about [their] Internet browsing activity and app usage” to enable Facebook to “understand how [they] browse the Internet, how [they] use the features in the apps [they’ve] installed, and how people interact with the content [they] send and receive."
So users consented?
No.
They have ...'d out an important part of 2511(2)(d).
(and they probably meant (c))
First, it starts out with: "It shall not be unlawful under this chapter for a person not acting under color of law"
This basically means a state/federal official or someone acting in their capacity as one (the color of law part basically means it applies even when they act beyond their legal authority by accident).
Which they aren't. So this doesn't apply at all. (d) has an additional requirement they ...'d out at the end, but (c) does not.
So it's both a wrong cite and a dumb one.
Second, you'll note "competitive research" or anything similar is not one of the allowable usages of collecting data that Facebook got.
Third, the return argument will also be "the how matters", and users did not consent to this how, and would not have.
If I give consent to participate in collection of my internet data, it doesn't give you authorization to like, have someone live in my house and follow me around 24/7 so they can see what I do on the internet.
How is Onavo worse?
Because the document says here that it was going to be given to trial participants as part of YouGov (and others) survey. Which implies that they would have been informed/paid.
If it's the former, then obviously that's unauthorised wiretapping. If it's the latter, so long as informed consent is given, that's a shittonne better than the advertising tech we have now.
For TLS traffic you need to also install Onavo.
But the app does scan your contact list every couple minutes and send diffs to their servers. Even if you have never opened the app. And on previous Android versions all your recently open apps list too.
But again, if you install WhatsApp you must give them the contact list permission anyway, otherwise the app is intentionally broken and annoying.
I'd be interested to know if it shipped as part of the Facebook SDK, as well.
https://en.wikipedia.org/wiki/Onavo is slightly more readable than the legal document submitted as the link.
Then your YouTube, Snapchat analytics would get man-in-the-middled.
I didn't work with the data collection, so my info is a bit limited. Facebook was our customer even though they had already bought Onavo.
I can answer some questions if you have any.
The company did go bankrupt and the technology was sold.
And if you're stripping it without mentioning it in your ToS then you should be charged under the CFAA.
That’s what Facebook enticed users to do here. Without that root cert they wouldn’t have been able to see as much as they did.
Some recent related discussion: https://news.ycombinator.com/item?id=39860486
Lots more discussion on the various aspects of this:
First, this is not wiretapping, come on. There's targeted man-in-the-middle (MITM) attacks, and then there's this. This is plainly "we are using advanced powers to analyze your traffic".
This is not even Superfish[2] type of stuff, where Lenovo had preinstalled root certs onto laptops to display ads. This is "if you opt in we will analyze your data".
Every program you install on your laptop can basically do WHATEVER it wants. This is how viruses work. When you install a program, you agree to give it ALL power. This is true on computers generally, and this is true on phones when you side-load programs. The key is that when we install something we understand the type of program we're installing, and we trust that the program doesn't do more than what it _claims to be doing_.
So the question here is not "how does Onavo manage to analyze traffic that's encrypted", it's "does Onavo abuse the trust and the contract it has with its users?"
[1]: https://variety.com/2017/digital/news/google-gmail-ads-email...
[2]: https://www.virusbulletin.com/blog/2015/02/lenovo-laptops-pr...
I don't know about Windows or Linux though.
Yeah, crap move but my concern isn't those other scoundrels, it's me / us.
Facebook’s SSL bump technology was deployed against Snapchat starting in 2016, then against YouTube in 2017-2018, and eventually against Amazon in 2018.
The goal of Facebook’s SSL bump technology was the company’s acquisition, decryption, transfer, and use in competitive decision making of private, encrypted in-app analytics from the Snapchat, YouTube, and Amazon apps, which were supposed to be transmitted over a secure connection between those respective apps and secure servers (sc-analytics.appspot.com for Snapchat, s.youtube.com and youtubei.googleapis.com for YouTube, and *.amazon.com for Amazon).
This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices, see PX 414 at 6, PX 26 (PALM-011683732)(“we install a root CA on the device and MITM all SSL traffic”), also included custom server-side code based on “squid” (an open-source web proxy) through which Facebook’s servers created fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis, see PX 26 at 3-4 (Sep. 12, 2018: “Today we are using the Onavo vpn-proxy stack to deploy squid with ssl bump the stack runs in edge on our own hosts (onavopp and onavolb) with a really old version of squid (3.1).”); see generally http://wiki.squid-cache.org/Features/SslBump
Malwarebytes article: https://www.malwarebytes.com/blog/news/2024/03/facebook-spie...
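Added example, not part of the thread or the court filing: a simplified Python model of why a client that pins the analytics server's public key can tell the bumped connection described above from the genuine one, while ordinary trust-store validation cannot once a root CA has been installed on the device. All root names and key bytes are constructed placeholders, the chain check compares names only (no signature verification), and `classify` and `spki_pin` are hypothetical helper names.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo)), the usual pinning format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def classify(host, chain, system_roots, user_roots, pins):
    """chain: list of dicts {subject, issuer, spki}, leaf first, root last."""
    # Simplified path building: names only, no signature verification.
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return "broken-chain"
    root = chain[-1]["subject"]
    if root not in system_roots and root not in user_roots:
        return "untrusted-root"   # ordinary TLS validation already fails here
    if host in pins and not any(spki_pin(c["spki"]) in pins[host] for c in chain):
        return "pin-mismatch"     # trusted by the device, but not the expected key
    if root in user_roots:
        return "user-root"        # no pin to check; anchor is not a platform root
    return "ok"

# Constructed sample data: placeholder names and key bytes, not real certificates.
SYSTEM_ROOTS = {"CN=Example Public Root"}
USER_ROOTS = {"CN=Example Research Root"}   # root added by an installed profile
GENUINE = [
    {"subject": "CN=sc-analytics.appspot.com",
     "issuer": "CN=Example Public Root", "spki": b"genuine-leaf-key"},
    {"subject": "CN=Example Public Root",
     "issuer": "CN=Example Public Root", "spki": b"public-root-key"},
]
BUMPED = [  # same hostname, certificate minted under the user-installed root
    {"subject": "CN=sc-analytics.appspot.com",
     "issuer": "CN=Example Research Root", "spki": b"proxy-leaf-key"},
    {"subject": "CN=Example Research Root",
     "issuer": "CN=Example Research Root", "spki": b"research-root-key"},
]
PINS = {"sc-analytics.appspot.com": {spki_pin(b"genuine-leaf-key")}}

def demo():
    args = (SYSTEM_ROOTS, USER_ROOTS, PINS)
    return [
        classify("sc-analytics.appspot.com", GENUINE, *args),
        classify("sc-analytics.appspot.com", BUMPED, *args),
        classify("unpinned.example", BUMPED, *args),
    ]

if __name__ == "__main__":
    print(demo())
```

Without the pin, the bumped chain validates exactly like the genuine one; the only remaining signal is that its anchor comes from the user-installed set, which is the check the third case exercises.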
Sure enough all the API requests for data were coming through, but whenever a request for image happened - nothing would hit the servers.
What the heck I thought to myself?
I said to the client, "that can't be, that's almost impossible....the only way that's possible is if the SSL traffic is decrypted, inspected, and images blocked from being requested, which is a MITM attack".
He redirected me to his IT provider. I phoned them up, and explained the situation.
"Ahh so they're _____"
Me: "So what does that have to do with the price of fish?"
Them : "Content filtering..., you need to talk to ____"
Sure as the day is long, the content filter was a VPN all members of ____ had to have on their mobile devices (I don't know how widespread this is, whether it was just this business, or the entire ____ )
I applied to have our system approved, it was, and just like magic the next day photos started coming through.
I'm guessing basically it detected any .jpg/.mp4 etc URLs in https requests and flagged it up and blocked them from being requested. You can be sure on those devices the VPN would have been somehow locked in with device management, and there's no way on God's green earth they were getting at Facebook/insta etc.
So, it's not just meta. That really hammered home how seamless it can be to end users that they really can't trust what's actually happening on their devices.
Why do you trust it? Do you think that others (Google, Microsoft, Apple) are not doing/would not do such a thing? SSL is as secure as its certificates.
1. Nobody will care in 10 days. 2. They will get a slap on the wrist at best.
Reminds me of Google driving around in StreetView cars, hacking and capturing all wifi traffic they could get their hands on. Did anything happen? Of course not!
https://www.theguardian.com/technology/2010/may/15/google-ad... https://www.wired.com/2012/05/google-wifi-fcc-investigation/
The Guardian says "open" networks, apart from the fact that in 2010 networks were not secured by default in many cases. I think WEP 1 was a thing and easily hacked, and I would not be surprised if they were actually wardriving, on the largest scale ever.
This sounds most likely
Your comment seems to infer that you're unable to empathize with people who might think/understand differently than you. It also seems to negate that you avail of other services/non-self-controlled processes without worrying about the threat models, there.
Just hand-waving with a "Why don't people just do 'x'?" is ironic - in the sense of "Why do you do your own medical care?" or "Why don't you grow your own food and slaughter your own animals?" or "Why don't you manufacture your own phone, its operating system - oh, and the cellular tower closest to you?".
Threat models exist, _everywhere_, and it's impossible for someone to build all of the pieces, themselves, to prevent all threat models at every possible avenue/point.
In other words, at a non-arbitrary point, doing _everything_ yourself is untenable and that's precisely why services in society exist, today (that and ease of access, use, required foreknowledge, and - most notably - cost).
And it doesn't anonymize you that well. When you post a message that draws the attention of law enforcement, the IP will lead them to a VPN provider that hopefully doesn't keep any logs.
But if it leads them to a specific server, the hosting provider will disclose your account and payment data, since it is linked to your private server. Unless they accept fully pseudonymous accounts and let you pay for your VPS in cash, Monero or tumbled Bitcoins, finding you is much easier now.
Not to mention the other stuff the VPN providers give you as standard which you'd have to implement and maintain yourself.
Compared to the rest of the world, the number of people who even know what a VPS is is microscopically small.
And even those that do, the number of them with the time, desire, or skill, to do as you suggest, is even smaller.
I myself was into this sort of thing just 10 years ago. Now, as I start looking at hitting the big 6-0 in just a few years time, I’m already working on divesting myself of all this complexity,