A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
Because there's probably some clause buried in the ToS that gives them the right to do this, so it would not count as "exceeds authorized access" under the CFAA.
edit: it's not even buried. there's a screen that specifically says "facebook uses aggregated onavo data for market and business analytics"
Make no mistake either, as that was an intentional decision to chase growth in the interests of becoming TBTF. We need to clamp down and make it clear, big mofos do not get to call unilateral shots and that it is not acceptable for terms to be dictated only in one direction. Yes, this complicates the hell out of business logic, but ya know what, the ones who have TBTF'd have drank of the waters of economies of scale to get the sweet draught, it's about damn time they got the bitters too.
I might be sympathetic to this if this was some essential service with strong network effects such that there's no alternative (eg. facebook or whatsapp), but that's not the case here. This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
You mean like a loud ass bell rings? Point out to me a single piece of software utilizing a EULA that supports individual redlining and renegotiation on a user by user basis, with a feedback loop tight enough to be reasonable. I'll wait. The point is there might be the illusion of user choice there, but when the overarching legal framework operates in unity in a take it or leave it fashion, with no escape hatch, every business model behaves the same. No one builds the business willing to charge for contractual dumb pipe, because everyone is just dumping anyone else who won't take the default terms. The entire architecture of our networked world has turned into building machines through which everyone gives up every right and civil protection through a goddamn click, nevermind the fact Third Party Doctrine in this age has completely dismantled the 4th Amendment by extension.
If you want apps priced at $0.99 or even $99.99, standard form, take it or leave it contracts is the only game in town, for pure economic reasons. No company is going to bother getting legal involved to negotiate a bespoke contract for anything with less than 5 figures TCV.
The video near the middle of the page shows fairly clearly what they did, with accurate and understandable descriptions of shady behaviour. I think a capable prosecutor might regard it as difficult to prove that behaviour illegal. Shady, sure, but in dubio pro so why even prosecute.
So that leaves a civil lawsuit. There's no need to persuade a prosecutor for a civil lawsuit, and the balance of evidence counts, there's no in dubio pro.
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination, has approaching zero power, bu the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
I think the corporate death penalty is underused. Being in leadership when a corporation is dissolved for committing crimes is probably bad for one's future employment prospects.
https://law.stackexchange.com/questions/60509/what-is-the-th...
No, Zuckerberg said to "get reliable analytics" and that maybe they need to "do panels or write custom software". The subsequent emails of "hey I made an app that does MITM on snapchat" did not involve Zuckerberg.
2. they're apparently smart enough to not put it down on email, but apparently Ferrante (a Director of Data Science, according to a hardvard site) was too dumb and wrote a email that said "yep, we made an app that does MITM attacks on snapchat"?
But this is the court of public opinion, and people are going to read your post about 5 seconds before they read mine, so that won't work. I think online debate is a lot better at getting to the truth than courts of law, actually. So while Zuckerberg may be ruled innocent, we can put him in the same category as OJ Simpson and Donald Trump and carefully caveat our assertions that he's guilty with "in my opinion" to avoid a slander case.
Of course, what you said is false. He didn't just shoot off an email with "get reliable analytics!", as you put it, like some kind of whimsical silly CEO on a kid's cartoon. He said: "their (instagram's) data is encrypted and we have no analytics about them" (seemingly implying that if their data wasn't encrypted, they would have data about it, because they would just spy on it). He then immediately proceeds to say they need to "get reliable analytics about them". He THEN immediately proceeds to clarify by saying that they might need to "write custom software" and that "you should figure out how to do this" (seems like a subtle hint that they should "figure out" his subtext here).
And then, what do you think happened? His underlings went rogue and developed iOS hacks that would allow them to decrypt traffic, and he didn't approve it or know about it? If this were court, that would probably be a good argument to achieve a not guilty verdict.
So while you're probably right that this doesn't qualify as a "smoking gun" in court, it should convince everyone who's capable of reading it.
In Sweden we have something called an absolute duty to prosecute, which means that for most crimes, if there's evidence and enough to get a conviction, the prosecutor has an actual absolutely duty to prosecute.
So if this had happened here, I could report this to the police as 'unapproved intelligence activity against a person' and the prosecutor would have to, provided that there's enough evidence, prosecute the person for this.
Prosecutors here do have a love of dismissing things due to lack of evidence though.
Is CloudFlare hiding that they are a terminating proxy and pretending to be a VPN for the purposes of spying on users?
The big deal isn't the technical aspect, it's what it was used for and how it was used.
They mostly make their money by selling you better services on their CDN such as image scaling etc.
Only a very specific configuration of "Confidential Computing" (based on AMD SEV or Intel TDX) where boot attestation is checked remotely before private keys are sent from an on-premise store (or a fully trusted hosted HSM) to the remote VM could prevent a cloud provider from intercepting private key material, and only then as far as boot attestation and SEV/TDX is trusted.
If it comes to light they've been doing something actionable with your data, you have a target for revenge. (As in a lawsuit, not violence)
Ephemeral keys (not stored for possible future leakage) quickly became the default, and assumptions about global data gathering changed. Then, all of a sudden, “free” service appears that makes all of TLS improvements, bug and small, practical and theoretical, useless. What a coincidence!
For some reason, you assume that people who have been stealing everything they can (because doing crime for the Big Guy is not a crime) consider this specific company untouchable. This is impossible. Every country in the world wants to have its spying capacity at maximum (following the shameless example), and to flex muscles at American services doing the same. The reason we only read about clashes over movie piracy and other petty stuff is because more serious matters have been discussed and dealt with.
Facebook offers “free” hosting and other services for individuals (social networks are poor walled versions of the Web). Cloudflare offers “free” CDN and other services for website owners. Actual business model is the same, lies are still lies.
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
This is from two months ago, when it was found that their Android app listens on a localhost port in order to send identifiers from webpages to their app via WebRTC so that they can still track users.
Covert web-to-app tracking via localhost on Android - https://news.ycombinator.com/item?id=44169115
Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
xrayarx•15h ago
tomhow•12h ago