It’s not like you really needed another reason to quit Facebook, but news originating out of a federal court paints Facebook as a company willing to use any means necessary to gain an advantage, including means no security professional would authorize.
A federal court in California unsealed documents detailing an in-house spy program called Project Ghostbusters, created in 2016 to figure out why the Snapchat app was growing so rapidly. (The name is a reference to Snapchat’s ghost logo.)
The project focused on analyzing network traffic on user devices where Snapchat was installed. The idea was that if Facebook could analyze Snapchat’s network traffic, it could understand why so many people were flocking to the app. Facebook also tried to pull the same stunt on Amazon and YouTube users.
Facebook created an In-App Action Panel (IAPP) team whose sole focus was to intercept and decrypt network traffic generated by these applications.
Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.
– Mark Zuckerberg
Facebook’s Exploit
Because Snapchat’s network traffic was encrypted, Facebook engineers had a hard time analyzing it. So they secretly paid teenagers to install a VPN service on their devices: Onavo, a company Facebook had acquired. Installing Onavo put software Facebook controlled on the device and, as any VPN client does, routed the device’s traffic through servers the VPN operator ran. That put Facebook on the path of every connection Snapchat made and let its engineers capture the traffic and forward a copy to Facebook’s servers. Note that the tunnel by itself only yields ciphertext: to read TLS-protected traffic, the party in the middle also has to be trusted by the device as the other end of the encrypted connection, which is why the IAPP team’s job was to decrypt as well as intercept.
Users were unaware that Facebook was doing this. The technique is a man-in-the-middle attack: the application still reaches the servers it is supposed to reach, but an unseen third party sits on the path, relaying the traffic between the application and its servers and reading (and potentially altering) everything that passes through. Encryption does not help once the device has been made to trust the party in the middle.
Figure: the man-in-the-middle attack.
Some of Facebook’s own engineers had scruples about executing this attack.
I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.
– Pedro Canahuati, Head of Security Engineering
Facebook shut down the Onavo service after it came out that it was paying teenagers to snoop on their devices.
For everyone who thinks Facebook and Instagram are always listening: they are, or at the very least they are always trying to. Whether it’s super secret tracking cookies, microphones, or VPN software, Facebook is an exploit.
It’s time to stop using it.