
Meta accused of snarfing people’s Snapchat data via traffic decryption

To spy on rival Snapchat and get data on how the app was being used, Meta – when it was operating as Facebook – allegedly initiated a program called Project Ghostbusters, which intercepted data traffic from mobile apps. And it used that data to harm its competitors’ ad business.

The name of the program was “an apparent reference to Snapchat’s corporate logo, a white ghost on a yellow background,” according to a recently unsealed court document [PDF].

Project Ghostbusters was run by Onavo, acquired by Facebook in 2013 and described by the US Federal Trade Commission as a “user surveillance company.” Onavo offered a notional VPN service that was shut down in 2019 for – ironically – its lack of privacy.

The Snapchat data-interception scheme is described in that newly unsealed court document as a “man-in-the-middle” approach, in which Facebook essentially paid people to let it snoop on their own mobile phones.

Facebook ran low-key studies with groups of willing participants – from teenagers to adults – who were rewarded for installing an Onavo-made research app that monitored their smartphone usage [PDF] to give the tech giant a better idea of how folks used their devices. That app, it’s alleged, installed a root Certificate Authority (CA) certificate on the handset, so that any certificate Facebook signed with that CA would be trusted by the device, allowing Facebook to intercept and analyze panel participants’ internet usage.

Not only did it enable Facebook to issue itself digital certificates to intercept people’s encrypted SSL/TLS connections, it also quietly redirected Snapchat analytics traffic (and subsequently Amazon and YouTube analytics) to Onavo’s servers. Once there, the data could be decrypted and analyzed for commercial gain, then re-encrypted and passed back to Snapchat without the pic-sharing app maker’s knowledge, according to the complaint.

If this sounds familiar, it’s because that’s why the Onavo VPN was ultimately shut down: the team behind it built Facebook’s own research apps that snaffled panel participants’ internet usage data. And when this all came to light in 2019 and sparked outrage, the tech giant was forced to pull the plug on the operation.

It’s all part of a four-year-old lawsuit [PDF] brought against Meta in California by Facebook advertisers who allege, among other things, that Meta/Facebook’s anticompetitive behavior – including data interception and arrangements with other companies – increased prices for ads and harmed competition.

That suit was filed six days before the US Federal Trade Commission’s own complaint against Facebook [PDF], lodged on December 9, 2020, which alleged years of anticompetitive conduct to monopolize the social media advertising market. Both lawsuits remain ongoing, with the advertiser case likely to reach trial by 2025 if there’s no prior settlement.

In a June 9, 2016 email, surfaced by the advertisers’ legal challenge, Facebook CEO Mark Zuckerberg directed Alex Schultz, presently chief marketing officer and VP of analytics, and COO Javier Olivan, to figure out how to get reliable analytics from Snapchat – which had become a serious competitive threat in the eyes of some executives.

In a letter [PDF] to Judge James Donato, dated May 31, 2023, the plaintiffs’ co-lead counsel Brian J Dunne explained: “In July 2016, the Onavo team’s proposed solution was presented to senior management, including now-COO Javier Olivan: Facebook developed ‘kits’ that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage.”

The passage Dunne quoted about the “kits” is from an email that Danny Ferrante – then director of core data science and growth research at Facebook – wrote to Olivan. The email went on to describe how Facebook planned to distribute these kits under other brands in a way that wouldn’t reveal the involvement of The Social Network™️.

“Our plan is to work with a third party – like GFK, SSI, YouGov, uTest, etc – who will recruit panelists and distribute kits under their own branding,” the email read. “We already have proposals from several of these providers. The panelists won’t see Onavo in the NUX [new user experience] or in the phone settings. They could see Onavo using specialized tools (eg Wireshark).”

It’s claimed this data collection scheme was one element in a larger initiative – described as Facebook’s In-App Action Panel (IAAP) program – which allegedly ran from June 2016 through May 2019. As a note cited in Dunne’s letter observed, the Android research app, for example, “currently includes SSL decryption giving us the capability to read all traffic on device.”

“The company’s highest-level engineering executives thought the IAAP Program was a legal, technical, and security nightmare,” wrote Dunne in a June 15, 2023 letter [PDF]. He cited remarks to this effect attributed to Pedro Canahuati, then-head of security engineering: “I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”

Nonetheless, according to Dunne’s May letter, during this period Facebook “expanded its IAAP program to also intercept, decrypt, and analyze encrypted analytics from YouTube and Amazon.”

Dunne argued that on the evidence Meta/Facebook’s actions should be considered criminal wiretapping. “Meta’s IAAP program didn’t just harm competition, but criminally violated 18 U.S.C. § 2511(1)(a) and (d) by intentionally intercepting SSL-protected analytics traffic addressed to secure Snapchat, YouTube, and Amazon servers,” he explained in a footnote.

In a separate letter [PDF], Dunne alleged that Meta’s IAAP competitive intelligence program – which may also have captured Twitter data – raised prices for advertisers.

“The intelligence Meta gleaned from this project was described both internally and externally as devastating to Snapchat’s ads business,” he wrote, “allowing Meta to hike North American ad prices companywide 60 percent between 2016 and 2018.”

Meta’s use of machine learning and AI is also “central” to the advertisers’ case, according to another unsealed letter [PDF] from attorney Yavar Bathaee of Bathaee Dunne LLP.

“Advertisers will prove at trial, among other things, that Meta (a) changed the data sources for its neural network models as part of agreements with eBay and with Netflix, including in ways that were technically and economically irrational but for the anticompetitive effect of the agreements; (b) gathered and integrated signals/features/user data from across its business, including from WhatsApp and Instagram, into F3 [an internal AI data repository], all while contemporaneously misleading the FTC to avoid divestiture; and (c) used sensitive data deceptively taken from users’ mobile devices to validate Meta’s offsite identity-matching AI/ML systems.”

The claim here is that Meta was not only tracking online activities but using its AI systems to identify people.

Meta did not respond to a request for comment. ®