Comment by theptip
1 year ago
So just to be clear on what is being alleged, because the write-ups are omitting this detail: from what I can tell FB paid SC users to participate in “market research” and install the proxy.
The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case. (I’d love to get more detail on exactly what the participants were told they were getting paid for, but I’d be surprised if they did not know their actions were being monitored.)
The accusation that it’s wiretapping if one party in the communication channel is actively breaking the encryption (even with a tool provided by a third party) seems tenuous to me, but IANAL. If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?
Nielsen does something similar with TV where they install capture boxes in people’s houses to determine what they’re watching for their panels: https://www.nytimes.com/athletic/3194414/2022/03/22/the-ulti...
I hope they were upfront about what they were collecting. The article didn’t show what the consent screen was before installing the proxy.
From the article:
> Note this is a new case, different from the one that TechCrunch also covered in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines.
This has since been edited in OP, and the full quote I think supports my claim more:
> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.
> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.
All the best/most effective hacks involve convincing someone to download something they shouldn't that lets you sidestep security.
It was fully clear and fully remunerated. It was in no way a hack, and that's disingenuous wording so you can hate on FB. If you install a VPN then you are affirmatively giving control of your traffic to the VPN. FB isn't under any obligation to explain how networks work. In the same way we don't explain DNS or routing. Is your boss obligated to tell you ACH transactions are in the clear and anyone can watch settlement? No. You're not being hacked when your bank sends payments via ACH.
I'm not arguing that the users got hacked, I'm arguing that the competitors got hacked.
No, the writeup isn’t omitting anything, you’re mixing things up, which this article explicitly called out.
This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]
So no, this Onavo bullshit isn’t defensible at all.
[1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...
[2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...
This is a bit tangled. I think this is new information but it’s all about Onavo. From OP:
> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.
So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.
The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo through their enterprise distribution channel.) It quotes:
> “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.
This sounds to me that there was one Onavo research program, but who knows, we have multiple project codenames.
“Facebook Research” was the Onavo codebase, under a different name, signed by Facebook’s Enterprise certificate.
> The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known.
No, it was already well-known way back in 2018, which is why that piece of shit app was withdrawn from the App Store in the first place. Facebook’s enterprise account later got suspended in 2019 for distributing the paid piece of shit through enterprise MDM.
Why do people work on such projects? I mean specifically the engineers. You're still paid the same engineer salary, except now you expose yourself to criminal prosecution. The corpo is at least getting some extra returns for the risk, you as an engineer are not. So dumb.
Maybe you're on H1B and if you get let go you have to go back to Sri Lanka, whose government collapsed 2 years ago and left the country in political disarray. Some people have better choices than others.
Like I wouldn't work on this project, but I have US citizenship. In college I slept over at some of my Indian friends' apartments and often they had like 8-12 guys sleeping in one bedroom, it was just a bunch of mattresses all laid together with no specific sleeping arrangement. Generally they made a giant pot of stew/daal/whatever once a week and ate the same thing for every meal all week, some even long after graduating with PhD's and getting low-tier visa-mill jobs. This was not a T10 school, our international students rarely came from wealthy families. One of my Saudi classmates came from a poor family in a remote village near the Iraq border and brushed his teeth with a twig from the Salvadora persica tree.
I couldn't really blame them if they didn't have another good option readily available.
I was talking about this with friends the other night. If you've been in the industry long enough, you've probably been party to creating something horrible. It takes a while for the reality of horribleness to crack the glamour of creation and monetary reward, but once it does, everyone I personally know has quit and lived with the regret.
I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.
Trying to bring an open mind, I could see a number of plausible scenarios where an engineer could do this, with various degrees of legitimacy.
It's certainly a complicated subject, but I think in general companies are really good, especially big ones, at getting people to work on things they might not be comfortable with otherwise. This thread has been talking about the extremes like immigration status, but there are all kinds of subtle pressures as well. Some people might not believe they have the political capital to outright refuse a project (especially a pet project of the CEO) vs. choosing to accept and trying to nudge the project onto more solid footing. And I suspect many engineers are terrified of being labelled as not a team player, which aids in the creation of groupthink, but makes it very difficult to foster a healthy culture of discussion that would bring forward the serious concerns of this work. And there is almost always some room of uncertainty as the last convincer... is it unethical to work on the project if the consumer is fully informed and offers consent to the invasion of privacy?
If there is an extreme where it's justifiable for any reasonable engineer to accept the project, then it gets really muddy on where exactly the line is, and when it should be drawn.
I also suspect many of us envision ourselves having much more fortitude than we really do as well, imagining the heroic efforts we'd put into changing a company's mind from a bad idea... where the more likely outcome for most of us is to fall silently into the background.
When I was in the music biz I pushed back hard against DRM. I lost, but being on the inside I could swing the needle to the least restrictive DRM possible (e.g. it let you burn a CD, for instance). Most of the other devs I worked with would have simply taken the ultra-restrictive spec, coded it and gone home happy each night. (I did code some shitty ActiveX object for Sony to put on one of their unrippable CDs though... it let you download a DRM-hobbled version of the song.)
I can count on one hand though the number of devs I've worked with that saw coding as anything more than a 9-5 grind and would have spoken up if asked to do something shady.
It takes the correct morally bankrupt person to be willing to take the job.
You really think the engineers working on this will be personally liable for this? That would honestly surprise me; the worst I can imagine is punishment for the company as an entity.
> from what I can tell FB paid SC users to participate in “market research” and install the proxy.
The app was available on both the Google Play and Apple App stores for anyone to download.
> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.
It could be that you are confused with a previous case. From the blog post:
> The wiretapping claim is new and perhaps not to be confused with the prior controversy and litigation: In 2023, two subsidiaries of Facebook were ordered to pay a total of $20M by the Australian Federal Court for "engaging in conduct liable to mislead in breach of the Australian Consumer Law", according to the ACCC ... Facebook had shut down Onavo in 2019 after an investigation revealed they had been paying teenagers to use the app to track them. Also that year, Apple went as far as to revoke Facebook's developer program certificates, sending a clear message.
> If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API
If by "local" you mean on your own network/machine with your own traffic, then obviously no.
SC == Snapchat