How Facebook used a VPN to spy on what you do on social media
New court documents revealed the existence of a program that was designed to "intercept and decrypt" user analytics data from other apps.
Fast Facts
- Newly unsealed court documents reveal that in 2016, Facebook developed "kits" to "intercept traffic" for other apps, including Snapchat.
- The program was allegedly nicknamed "Project Ghostbusters."
- A Meta spokesperson called the claims "baseless" and "irrelevant" in a statement.
As of August last year, Meta (META) — through Facebook and Instagram alone — boasted a roughly 65% share of all social media site visits in the U.S., according to data from Statista. Meta's combined family of apps, which includes WhatsApp and Messenger in addition to Facebook and Instagram, boasted nearly four billion monthly active users as of December 2023.
Across its billions of users, the platform collects plenty of information, including data related to users' activity on-platform, as well as app, browser and device information.
Related: Popular social media platform to sell user data to the company behind ChatGPT
But in 2016, Facebook was looking for ways to collect even more information, specifically from apps that it didn't own.
That platform at the time launched a project nicknamed "Project Ghostbusters" that used a cyberattack method called "SSL man-in-the-middle" to intercept and decrypt Snapchat’s — and later YouTube’s and Amazon’s — SSL-protected analytics traffic to inform Facebook’s competitive decision making," according to court documents that were unsealed last week.
The documents allege that the program was launched "at the request" of Meta CEO Mark Zuckerberg. The unsealed documents were first noted by Digital Content Next CEO Jason Kint on X.
Whoa. Facebook had a secret "Project Ghostbusters" (get it?) which allegedly was to decrypt "man-in-the-middle" style Snapchat traffic to copy it. Yellow highlight indicates redactions just lifted in nine unsealed plaintiffs briefs in private antitrust lawsuit. Wild stuff. /1 pic.twitter.com/lTLM38So1M— Jason Kint (@jason_kint) March 26, 2024
The effort was reportedly accomplished through Onavo, a VPN app that Facebook acquired in 2013 before it was shut down in 2019.
How the info came to light
The legal documents — part of the class-action anti-trust lawsuit Klein vs. Meta, which was filed in 2020 — include several emails from Meta executives including Zuckerberg. They allege that the project, in addition to being anti-competitive, constituted a "criminal" violation of the Wiretap Act.
The project began when Zuckerberg sent an email to three executives titled "Snapchat analytics."
"Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them," Zuckerberg said in the email. "Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this."
Read the document here.
Javier Olivan, Meta's current Chief Operating Officer, responded to Zuckerberg's note with a suggestion to pay users to "install a really heavy piece of software" that could accomplish this goal.
Facebook went on to launch its Facebook Research project in 2016, where it paid users up to $20 monthly to install the tracking app. The app was shut down in 2019, following reports that revealed the scope of the project.
A separate document claims that Facebook executives "within hours" put together a task force to do as Zuckerberg requested, and later expanded the program to YouTube and Amazon analytics, as well. That task force, according to the documents, was made up of a team of executives and 41 attorneys.
The head of the Onavo team, according to the filing, sent a note to Zuckerberg in 2016 explaining that Facebook now has "the capability to measure detailed in-app activity," as result of "parsing Snapchat analytics collected from incentivized participants in Onavo's research program."
Read the document here.
Meta denies the claims
A Meta spokesperson dismissed the claims in a statement, saying: "There is nothing new here — this issue was reported on years ago. The plaintiffs’ claims are baseless and completely irrelevant to the case.”
The documents, according to Kint, however, contain previously redacted information, including the organization and size of the taskforce aimed at cracking Snap analytics — created at Zuckerberg's request — as well as the name of the project.
Included in this previously redacted information is an allegation that Meta's "highest-level executives thought the program was a legal, technical and security nightmare," with one saying: "I can't think of a good argument for why this is okay."
Kint said in a post on X that this information is "at odds" with Meta's statement.
Meta disputed the claims in a filing unsealed Tuesday in response to the documents, in which the company argued that it did not commit any crimes under the Wiretap Act, which prohibits the "nonconsensual" interception of information. M eta claimed that it had obtained user-consent to participate in the project.
The company also argued that Snap "does not know whether any of Meta’s research provided Meta with a competitive advantage."
Snap did not respond to a request for comment.
Contact Ian with tips and AI stories via email, [email protected], or Signal 732-804-1223.
What's Your Reaction?
