Facebook Accused of Using Your Phone to Wiretap Snapchat (gizmodo.com)
119 points by RadixDLT 10 months ago | hide | past | favorite | 27 comments



And Meta denied that Zuckerberg was involved in Project Ghostbuster, yet here are the emails proving otherwise...

When are we going to start holding CEOs (and shareholders!) accountable for this behaviour? The guy is worth $173bn and can seemingly abuse whatever laws he wants behind the corporate veil to further increase his fortune.


> And Meta denied that Zuckerberg was involved in Project Ghostbuster, yet here are the emails proving otherwise...

It seems cartoonish given the scope alone: "A team of senior executives and roughly 41 lawyers worked on Project Ghostbusters,"

Yep, the CEO of one of the most top-down structured companies in the world, with sole decision-making power, doesn't know what his senior executives and lawyers are doing. Either way, even if he didn't know, I also don't understand why responsibility and leadership seemingly don't go hand in hand in the corporate world. Imagine a military leader lost a battalion and went with "Well, I don't know, they ran off in that direction..."


You are talking about Zuck’s voting shares. It’s true he has power at that level and is the ultimate say in the company. But the actual company is by a large margin the most bottom-up company, even more than 99% of startups - speaking from experience. That doesn’t excuse Onavo, or excuse Zuck’s responsibility, but I want to give context on company culture.


It’s a big club…


...and you ain't in it!


This is editorialised. Users took part in a study which gave Meta permission to analyse network traffic while using a VPN product. It required users to install a root CA.

Although this is incredibly shady, it’s no different from companies paying analytics companies which partner with VPN and adware companies to provide the same data. The only difference is Facebook owned the process end-to-end and didn’t mitigate the reputational risk associated with the collection.

Which is surprising.

Nobody in the Risk department considered this. Perhaps because it was too secretive, and didn’t ultimately go through enough hoops to get that level of review.


> Although this is incredibly shady

Understatement, to put it kindly.

Likely taking advantage of EULA-burnout, most users likely just agreed and installed on good faith.

Yes, caveat emptor and all that, but unethical (if still legal).


It seems surprising to me that no one has questioned the claims here. Popular apps do cert pinning and there are multiple hoops you have to jump through to install a root cert, so are the claims even valid?


According to the quote they want "reliable analytics", whatever that means. If this means time of use/frequency of use data, all of that can be derived without needing the encryption keys. Just being able to observe network traffic would be enough. If you do additional traffic analysis, you can probably infer what the user is doing as well (e.g. sending snaps vs scrolling).


Popular apps do cert pinning today. Back in 2016 (when the claims date back to), maybe Snapchat didn't.

You can read the full complaint here. It is full of juicy details, including Mark Zuckerberg directly suggesting 'figuring out a way' to access Snapchat's encrypted traffic, and how Meta installed a root certificate onto user devices to snoop.

https://storage.courtlistener.com/recap/gov.uscourts.cand.36...

Direct quote from Meta employee based on the complaint: "we install a root CA on the device and MITM all SSL traffic"
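An added illustration of the certificate-pinning point raised above (not code from this thread, from Snapchat or from any Meta product): an app that pins the SHA-256 of the server's SubjectPublicKeyInfo rejects a leaf certificate minted under an installed root CA even though the OS trusts that chain, because the interception proxy's key is not the pinned one. The tiny DER builder, the key bytes and the certificate contents are constructed stand-ins.

```python
import base64
import hashlib

def tlv(tag, content):               # short-form length only (content < 128 bytes)
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content
def seq(*elems):
    return tlv(0x30, b"".join(elems))

def parse_tlv(buf, pos=0):           # -> (tag, value, end); handles long-form lengths
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def children(body):                  # top-level elements of a SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = parse_tlv(body, pos)
        out.append((tag, body[pos:end]))    # full TLV: the pin covers it
        pos = end
    return out

def spki_pin(cert_der):
    """RFC 7469-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    _, cert_body, _ = parse_tlv(cert_der)    # Certificate ::= SEQUENCE
    _, tbs, _ = parse_tlv(cert_body)         # tbsCertificate ::= SEQUENCE
    elems = children(tbs)
    if elems[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        elems = elems[1:]
    spki = elems[5][1]   # serial, signature, issuer, validity, subject, SPKI
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def fake_cert(pubkey):
    """Constructed cert: realistic layout, placeholder names/dates/signature."""
    alg = seq(tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))   # ecdsa-with-SHA256
    name, validity = seq(tlv(0x31, b"")), seq(tlv(0x18, b""), tlv(0x18, b""))
    spki = seq(alg, tlv(0x03, b"\x00" + pubkey))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              alg, name, validity, name, spki)
    return seq(tbs, alg, tlv(0x03, b"\x00"))

GENUINE_KEY = b"constructed-genuine-server-key"   # stand-in for real key bytes
PINS = {spki_pin(fake_cert(GENUINE_KEY))}         # baked into the app at build time
def connection_allowed(leaf_cert_der):
    """Chain validity is not enough: the leaf's own key must match a pin."""
    return spki_pin(leaf_cert_der) in PINS
```

The same check works on a real DER leaf from `ssl` (the parser handles long-form lengths); only the builder is limited to the small constructed certificate.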


>This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices

I'm surprised it took 7 years and a lawsuit for this to be confirmed. I remember there were reports of "facebook-affiliated VPN app that might be spying on users" a few years ago, but I don't think the fact that they were MITMing user traffic was confirmed. Sure enough, I went back and skimmed the news stories[1] from back then and there were no mentions of root certificates or MITM. Given how many scary prompts you have to go through to install a root certificate, I'm surprised nobody got suspicious and posted screenshots to the public.

[1] https://gizmodo.com/do-not-i-repeat-do-not-download-onavo-fa..., https://www.extremetech.com/internet/263867-facebooks-new-on..., https://techcrunch.com/2018/02/12/facebook-starts-pushing-it...


I have a personal experience with using Facebook Messenger. Around three years ago, my girlfriend and I heard very clearly that someone was listening to our Messenger call; he even talked for a while before stopping, as if he had made a mistake by not muting. This happened again the next day, but this time it was a woman. Both of them sounded like they were American; we are in Asia and we do not talk in English during our calls. That is the main reason why we switched to the Signal app, because of those two incidents. We never trusted Facebook's end-to-end encryption advertising again after that.


I went to Burning Man; as soon as the cellular service stopped, a Facebook app turned on the microphone on my phone. I only know because the iPhone got very warm, and when I turned on the screen to check what was wrong, iOS was showing the yellow indicator.



[dupe]


not a dupe, different website


It's a dupe if it's the same story and that's where the discussion is happening.


It's not the same story; different author.


> Facebook ultimately shut down Onavo in 2019 after Apple booted the VPN from its app store.

Unfortunately, the EU attacking Apple’s ability to do things like this in the future will harm consumers.

A world of anybody being able to have their own App Store is one where a massive company like Facebook bullies their users into using their App Store, and trading their privacy for access to the largest social network on the planet.


What a strange take.

You’d rather have a large company strictly force all users into their App Store instead of having any choice because you believe that another large company will “bully” users unless they use a different store?

Has something like this happened on android?

Still seems like choice is better here.


> Has something like this happened on android?

Yes. This happened both on iOS and Android.

From TFA:

   Thus, Project Ghostbusters was born. It’s Meta’s in-house wiretapping tool to spy on data analytics from Snapchat starting in 2016, later used on YouTube and Amazon. This involved creating “kits” that can be installed on iOS and Android devices, to intercept traffic for certain apps, according to the filings.


Last time I saw a post from Gizmodo making a privacy accusation about Facebook, it was an article claiming that the Facebook app injected a keylogger into the embedded web browser. Its linked source? Another Gizmodo article claiming something entirely different: That the TikTok app injected a keylogger into the embedded web browser (the citation in the latter article being a link to a third-party security research post). The former article was cited by a Mastodon account alleging to represent the Protonmail brand.

I'm not sure what to believe. I am personally going to have to do more research before coming to conclusions on this, as my ability to trust Gizmodo (especially on the subject of social media) has been compromised by that incident.


> Meta also noted that there was “nothing new here,” continuing that this issue was reported on years ago.

Meta may wish it was no longer newsworthy, but being reported on and being prosecuted for an issue are very different things.


If anyone is wondering how: they did this through VPN companies.


"Research Cannot Be the Justification for Compromising People’s Privacy" https://about.fb.com/news/2021/08/research-cannot-be-the-jus...

"The researchers [at NYU's Ad Observatory] gathered data by creating a browser extension that was programmed to evade our detection systems and scrape data such as usernames, ads, links to user profiles and “Why am I seeing this ad?” information, some of which is not publicly-viewable on Facebook. The extension also collected data about Facebook users who did not install it or consent to the collection. The researchers had previously archived this information in a now offline, publicly-available database."


This is misleading


which part?

> Thus, Project Ghostbusters was born. It’s Meta’s in-house wiretapping tool to spy on data analytics from Snapchat starting in 2016, later used on YouTube and Amazon. This involved creating “kits” that can be installed on iOS and Android devices, to intercept traffic for certain apps, according to the filings. This was described as a “man-in-the-middle” approach to get data on Facebook’s rivals, but users of Onavo were the “men in the middle.”
