Comment by oefrha

1 year ago

No, the writeup isn’t omitting anything, you’re mixing things up, which this article explicitly called out.

This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]

So no, this Onavo bullshit isn’t defensible at all.

[1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...

[2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...

This is a bit tangled. I think this is new information but it’s all about Onavo. From OP:

> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.

The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo through their enterprise distribution channel.) It quotes:

> “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.

This sounds to me that there was one Onavo research program, but who knows, we have multiple project codenames.

  • “Facebook Research” was the Onavo codebase, under a different name, signed by Facebook’s Enterprise certificate.

  • > The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known.

    No, it was already well-known way back in 2018, which is why that piece of shit app was withdrawn from App Store in the first place. Facebook’s enterprise account later got suspended in 2019 for distributing the paid piece of shit through enterprise MDM.

    • The claim in the OP is that they might have been MiTM’ing arbitrary users, I believe the previously reported claims were that they only MiTM’d paid research participants. (Please share some links if you have evidence to the contrary, I’d love to get to the bottom of this.)

Why do people work on such projects? I mean specifically the engineers. You're still paid the same engineer salary, except now you expose yourself to criminal prosecution. The corpo is at least getting some extra returns for the risk, you as an engineer are not. So dumb.

  • Maybe you're on H1B and if you get let go you have to go back to Sri Lanka, whose government collapsed 2 years ago and left the country in political disarray. Some people have better choices than others.

    Like I wouldn't work on this project, but I have US citizenship. In college I slept over at some of my Indian friends' apartments and often they had like 8-12 guys sleeping in one bedroom; it was just a bunch of mattresses all laid together with no specific sleeping arrangement. Generally they made a giant pot of stew/daal/whatever once a week and ate the same thing for every meal all week, some even long after graduating with PhDs and getting low-tier visa-mill jobs. This was not a T10 school; our international students rarely came from wealthy families. One of my Saudi classmates came from a poor family in a remote village near the Iraq border and brushed his teeth with a twig from the Salvadora persica tree.

    I couldn't really blame them if they didn't have another good option readily available.

    • > Why do people work on such projects?

      >> Maybe you're on H1B and if you get let go you have to go back to Sri Lanka...

      I mean that's there too, but in this case, the guy who ran this spyware op was a former IDF turned chief of Facebook in Israel, later promoted to CISO for all of Meta.

    • Your scenario describes real people, but Facebook was not built by vulnerable visa holders.

      Facebook hired and retained engineers over its entire company history by offering enormous amounts of stock. They successfully demonstrated there are a lot of engineers willing to build unethical products when offered 2-3x their previous salary.

    • holy fuck can we please stop letting circumstances be the excuse we continuously fall back on, when enabling and reinforcing behavior with long-term impact and consequences.

      imagine all of the times in history where this type of enabling of behavior reached an extreme, and now ask yourself where do you draw the line.

      are you really asking me to enjoy the growing consequences of corporate overreach in the name of data, and all the sketchy ass, unethical, and invasive work all these foreign engineers are getting paid ridiculous salaries to propagate, and feel good about being held hostage because said engineers.. don't have a home.

      so we are supposed to enable them to wreck mine (ours)?

  • I was talking about this with friends the other night. If you've been in the industry long enough, you've probably been party to creating something horrible. It takes a while for the reality of horribleness to crack the glamour of creation and monetary reward, but once it does, everyone I personally know has quit and lived with the regret.

    I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.

    • Due to an incarcerated family member, I had to deal with privately run prison telecom software, which was as awful and exploitative as you would expect, I could see where someone might feel guilty for working in this area. Evil business model.

      But one of the worst things about the software was all the bugs. Silent failures, so we couldn't tell what was happening, whether it was a software problem or whether our loved one was being prevented from communicating with us. The messaging and video call system failed us at some crucial moments and created a lot of emotional stress.

      In fact I think this is part of the awful business model -- cut costs even if it hurts people.

      Bad software can really make the lives of incarcerated people much worse. So if you were able to do a decent job on that software, whether it was prison telecom or internal tools for a prison contractor, you may have still had a more positive impact than you think, despite the broader business model being totally evil.

    • > I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.

      Sounds like getting to feel good after grabbing the bag. Particularly the first three, considering how much they pay (even more so if the gambling was crypto related).

      > everyone I personally know has quit and lived with the regret.

      Quit for a significantly lower wage job? Or quit in 2021 when they could trivially get another job likely with a raise?

      I sound aggressive but these are serious, not rhetorical, questions. I don't know your friends, maybe they're the real deal, in which case massive kudos to them, I'm very happy to see others doing the same and I wish more were like us. But "living with the regret" is empty words if meaningful sacrifices haven't been made to atone for those sins.

      FWIW, I left a job that paid more than twice what I'm able to get anywhere else without moving across the globe, for ethics reasons. And the industry wasn't as bad as the ones you've named besides HFT, which is imo pretty average when it comes to societal negative externalities for a tech company.

  • Trying to bring an open mind, I could see a number of plausible scenarios where an engineer could do this, with various degrees of legitimacy.

    It's certainly a complicated subject, but I think in general companies are really good, especially big ones, at getting people to work on things they might not be comfortable with otherwise. This thread has been talking about the extremes like immigration status, but there are all kinds of subtle pressures as well. Some people might not believe they have the political capital to outright refuse a project (especially a pet project of the CEO) vs choosing to accept and trying to nudge the project onto more solid footing. And I suspect many engineers are terrified of being labelled as not a team player, which aids in the creation of groupthink, but makes it very difficult to foster a healthy culture of discussion that would bring forward the serious concerns of this work. And there is almost always some room of uncertainty as the last convincer... is it unethical to work on the project if the consumer is fully informed and offers consent to the invasion of privacy?

    If there is an extreme where it's justifiable, for any reasonable engineer to accept the project, then it gets really muddy on where exactly the line is, and when it should be drawn.

    I also suspect many of us envision ourselves having much more fortitude than we really do as well, imagining the heroic efforts we'd put in to changing a company's mind from a bad idea... where the more likely outcome for most of us is to fall silently into the background.

  • When I was in the music biz I pushed back hard against DRM. I lost, but being on the inside I could swing the needle to the least restrictive DRM possible (e.g. it let you burn a CD, for instance). Most of the other devs I worked with would have simply taken the ultra-restrictive spec, coded it and gone home happy each night. (I did code some shitty ActiveX object for Sony to put on one of their unrippable CDs though... it let you download a DRM-hobbled version of the song.)

    I can count on one hand though the number of devs I've worked with that saw coding as anything more than a 9-5 grind and would have spoken up if asked to do something shady.

  • It takes the correct morally bankrupt person to be willing to take the job.

    • Or a person with a sick kid, or who is about to be evicted, or who made some bad financial decisions or for some other reason is about to run out of food money. In those situations it's very easy to rationalize that the good outweighs the bad.

      I've only been in a similar situation once. I could barely sleep at night for a week before I finally told them that I couldn't do it. In my situation I would have taken a financial hit if they decided to let me go, but my wife works and I have savings and there was no immediate threat, and it still was a difficult decision.
