The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case. (I’d love to get more detail on exactly what the participants were told they were getting paid for, but I’d be surprised if they did not know their actions were being monitored.)
The accusation that it’s wiretapping if one party in the communication channel is actively breaking the encryption (even with a tool provided by a third party) seems tenuous to me, but IANAL. If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?
I hope they were upfront about what they were collecting. The article didn’t show what the consent screen was before installing the proxy.
> Note this is a new case, different from the one that TechCrunch also covered in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines.
> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.
All the best/most effective hacks involve convincing someone to download something they shouldn't that lets you sidestep security.
This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]
So no, this Onavo bullshit isn’t defensible at all.
[1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...
[2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...
> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.
So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.
The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo through their enterprise distribution channel.) It quotes:
> “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.
This sounds to me that there was one Onavo research program, but who knows, we have multiple project codenames.
The app was available on both the Google Play and Apple App stores for anyone to download.
> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.
It could be that you are confused with a previous case. From the blog post:
> The wiretapping claim is new and perhaps not to be confused with the prior controversy and litigation: In 2023, two subsidiaries of Facebook were ordered to pay a total of $20M by the Australian Federal Court for "engaging in conduct liable to mislead in breach of the Australian Consumer Law", according to the ACCC ... Facebook had shut down Onavo in 2019 after an investigation revealed they had been paying teenagers to use the app to track them. Also that year, Apple went as far as to revoke Facebook's developer program certificates, sending a clear message.
> If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API
If by "local" on your own network/machine with your own traffic then obviously no.
https://web.archive.org/web/20141214193908/https://twitter.c...
The real problem here is the complete absence of any kind of ethics. It sounds like the kind of place where if you consider ethics to be a blocker you'd be laughed out of the room, or fired. Corporate culture is to chase profit above anything else. It's especially bad in software, though, as so many people don't even seem to think about the ethical implications of their actions ever.
Or converted, by making them take actions so that "if we go down you're going down with us."
Organized crime works that way too, come to think of it. They may call it "loyalty", but it really means "give us a way to coerce you into compliance."
And this doesn't even touch upon Instagram.
I guess that they pay too much and employ too much of our industry, greatly reducing criticism because we all have a friend who has worked at Meta, or we may even have applied ourselves at some point. Whereas we don't know anyone who has been at e.g. Anduril or the like.
I think that’s what contributes to things like Myanmar and other countries hate speech proliferation. When you don’t care about how your product is used, and can focus on just the technical aspect, you lose any sense of responsibility.
Conversely, we’ve hired many ex-Meta people, and they’ve almost all unanimously said how much they NOW like having pride in the products they create, after jumping ship.
Imho it’s an issue of top down culture from Zuckerberg, and previously Thiel.
The one that I wonder about a lot is this: there are two (non-deprecated) types of webview you can use in iOS: WKWebview and SFSafariViewController. They’re intended for very different uses.
When you tap on a link in the Facebook app they should use SFSafariViewController. It’s private (app code has no visibility into it), it shares cookies with Safari, it’s literally intended for “load some external web content within the context of this app”
Instead, FB still uses WKWebView. With that you can inject arbitrary JS into any page you want. Track navigations, resources loaded, the works. Given the revelations we’ve seen in this article and many others I shudder to imagine what FB is doing with those capabilities. They’re probably tracking user behavior on external sites down to every tap on every pixel. It seems insane to think they might be tracking every username and password entered in their in-app webviews but they have the technical capability to. And do we really trust that they wouldn’t?
Having said that, since WKWebView is just a view that can be customized visually, nothing can stop someone from creating a WKWebView-wrapping view controller that looks exactly like the "safe" Safari one anyway.
- https://krausefx.com/blog/ios-privacy-instagram-and-facebook... - https://krausefx.com/blog/announcing-inappbrowsercom-see-wha...
10 million installs on Android, according to AndroidRank[1]. What we don't know (yet) is what % of those installs had the FB competitor traffic MITM'd.
[1] https://www.androidrank.org/application/onavo_protect_from_f...
- they’ve had a long history of trying to undermine privacy to extend profits. From stuff like in the article, to tracking pixels, alleged ghost accounts, and fighting anything that hampers tracking. Of the companies you listed, only Google has any crossover, but doesn’t come anywhere near as close.
- they’re irresponsible with the effects of their algorithm to amplify hate speech. None of your other companies have anything like that.
- they are dishonest in their marketing. Almost all their Quest ads and feature reveals use concept visualization to deceive users for example on what is possible. Mark often speaks in double speak when addressing issues. Double speak isn’t unique to them but they definitely take dishonest advertising to the limit versus the other companies on your list.
I know Meta are having a popularity renaissance with their open-weight (not open source) models in this AI cycle, as is Mark with his recent PR blitz to reinvent his image.
However I think they’re culturally the only one of your companies listed who lack a moral core to their work. I think culture is top down, and both Zuckerberg and Thiel have instilled a culture of “success at all costs” for the way Meta operates.
The other companies on your list are definitely capitalist too, but have some sense of responsibility with their output.
Twitter is arguably worse - especially after Musk's takeover.
This is still contributing to their monopoly. WhatsApp's monopoly is growing and they've even blatantly started to copy the competition: Telegram.
Disagreeing publicly does nothing if I'm the one empowering my opposition in the first place.
Of course it does. It does spread the word. That’s important.
You can be an activist and have a real life. You can despise Meta but have acquaintances on WhatsApp you can’t or don’t want to move. You can be an anticapitalist and still agree to join a group of friends inviting you to McDonald's. You can be an ecologist and have a car because you live somewhere without car-free infrastructure.
You have the right to be critical of your own life while still acknowledging you can’t control everything.
Having WhatsApp may be wrong for you but it may be less wrong than leaving your friends groups.
The company is called Meta nowadays, so that also explains why you don’t see much news about Facebook.
This is not a wiretapping case. The claims are all for violations of the Sherman Act. Plaintiffs' attorneys _incidentally_ found evidence during discovery that Facebook may have breached the Wiretap Act. There are no wiretapping claims. It is an antitrust case.
Does the DMCA not have enough teeth for something on this scale? Maybe an issue of standing or provable-damages? Did the plaintiffs forget about it? Curious and confused.
https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...
Cars now come with Google services / Android baked into the damn infotainment system, with no possible way to pull it out. What could possibly go wrong with an advertising company seeing everywhere you go, and everyone who rides in your car?
For example, on a Ford you can literally pull the fuse for the GSM modem. On a GM, you can pull the antenna from OnStar and put a resistor there in replacement, thus rendering it unable to communicate with home base.
This doesn't solve everything, but it at least stops the immediate phone home.
Apple, Google, Facebook, Twitter, Alexa: they are a gold mine for agencies, but so are news sites, movie studios, and YouTubers. This is why they've been after TikTok for so long; they know how useful that app / network is.
There has to be a court precedent that criminalized sniffing network traffic on the customer’s side.
Should be one of those many cases involving wiretapping for banking info.
It is about intent versus capability, a distinction that the CFAA does poorly at differentiating in court.
I can imagine e.g. security risks involving sensor data exfiltration where accelerometers and gyroscopes etc are monitored to infer audio information. By covertly relaying and processing the collected data externally it would be possible to reconstruct sensitive information without direct access to the device's microphone.
It's not unlikely that they pull off something like that.
Meta and other pernicious companies and government bodies are probably employing many more, even worse and much simpler eavesdropping techniques in the wild.
prompt to install a VPN config
Fuck yourself, Facebook.
Meta has Washington in their pocket so this will never leave civil court. The penalty will be less than the money made, meaning somebody gets a bonus for being creative.
The fact Apple and Microsoft services both work in China shows they are a little more trustworthy.
Yes. It's a good opportunity for an ambitious state attorney general to prosecute Facebook, of course.
pithy "because they have all the monies" replies not wanted.
It’s not really spelled out clearly in the article, but this was a specific program where people had to choose to opt-in in exchange for compensation.
This wasn’t simply Facebook hijacking random people’s traffic because they accepted the ToS or used the Facebook app
Not defending the program, but it’s not what a lot of comments are assuming.
As seen with the "Protect America Act" of 2007[0], the government will retroactively cover their own ass and your companies' ass if deemed important enough to the intelligence apparatus. There isn't a chance in hell that criminal charges for wiretapping would be brought against Meta.
0: https://en.wikipedia.org/wiki/Protect_America_Act_of_2007
As coincidence would have it, this is the perfect alibi provided by a snake oil "cybersecurity" app by one of the world's largest companies.
Every tech company that has promulgated the lie that a VPN operated by a third party provides added security is indirectly responsible for this. Funneling all your traffic through a shady intermediary does no such thing, and in fact often does the opposite.
This relates to a much bigger problem of courts upholding contracts even when nobody actually believes they represent an informed and voluntary agreement.
We aren't quite at the Looney-Tunes step of enforcing extra clauses that were hidden in invisibly small print, but things are drifting in that direction.
See also: https://www.law.cornell.edu/wex/adhesion_contract_(contract_...
To answer your specific question, this isn't okay. Both the government and large corporations have been given way too much power and we really have no hope of making any meaningful change until the people reclaim this power and put those in charge out on their ass.
The real issue is the NUX, which doesn't look like it made the data collection clear to users.
The situation in this article is completely different.
edit: the problem, obviously, is that this app tricked the non-technical people into installing/trusting the root CA for malicious purposes. Clearly this was malware.
As is pointed out in the article, I would presume that Google saw the threat from allowing an app to install and trust a root CA as well, and removed the ability for a "one click" install of a root CA:
"KeyChain.createInstallIntent() stopped working in Android 7 (Nougat). A user would have to manually install the certificate. It would no longer be possible to have Facebook's CA cert installed directly in the app."
HSTS causes your browser to pin the first cert that it sees (from sites opting in to this scheme), so nobody (even the legitimate operator) can swap it out before it expires.
https://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Securi...
And specifically to the scenario in OP, app clients these days do not use the OS cert store, they will ship a single well-known server cert and only accept that one. This doesn’t help with your Firefox usecase though.
Edit: Not excusing Facebook here, but feel like this whole thing is in a weird grey area. It is like getting paid to have a Nielsen box monitoring your TV and then complaining when you find out it also knew what you watched on your DVD player.
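The Android side of the two comments above (an app getting its own root CA trusted, versus an app that only accepts a known server key) comes down to the app's network security configuration. The fragments below are an added example, not code from the thread or from Onavo: the first is the debug-style configuration that would let a user-installed CA decrypt the app's TLS traffic, the second the hardened form that trusts only the system store and pins the server's public key. The domain api.example.com and the pin digests are placeholders; a real pin is the base64 SHA-256 of the server certificate's SubjectPublicKeyInfo, and the second pin is the backup key you would need to rotate without bricking the app.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" -->

<!-- 1. Weak: also trusts CAs the user (or an app via KeyChain) installed.
     Any TLS interception proxy whose root ended up in the user store can now
     read this app's traffic. Since Android 7.0, apps targeting API 24+ get
     src="system" only by default; adding src="user" opts back in. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />   <!-- the dangerous line -->
        </trust-anchors>
    </base-config>
</network-security-config>
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- 2. Hardened: system anchors only, plus a pin-set for the API host.
     A forged certificate chaining to an installed root fails the pin check
     even if the device trusts that root. Placeholder pins shown; compute real
     ones with:
       openssl x509 -in server.crt -pubkey -noout \
         | openssl pkey -pubin -outform der \
         | openssl dgst -sha256 -binary | base64 -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- current key -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup key held offline, so rotation does not lock users out -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Two caveats a reviewer would raise: the pin-set only protects connections made through the platform TLS stack (OkHttp, HttpsURLConnection), so a bundled native or WebView stack needs its own check, and an app that ships its own CA and asks the user to install it, as described in the thread, is exactly the src="user" case the first fragment enables.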