Just keep in mind that Meta has not changed a bit since then.
This is from two months ago, when it was found that their Android app listens on a localhost port in order to send identifiers from webpages to their app via WebRTC so that they can still track users.
Covert web-to-app tracking via localhost on Android - https://news.ycombinator.com/item?id=44175940
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
I wonder how it feels to be an engineer at Meta. Do you leave your conscience at the door when you start the workday? Make no mistake, if this company pays your salary, you are an accomplice no matter if you personally did take part in it. How do you look yourself in the eyes?
The ones I've met thought they were doing the world a favor.
Don't run a VPN from a company whose entire business model is knowing everything about you and what you do online.
How is it not a criminal offence to impersonate a different company to decrypt customer data?
What is criminal depends on how much money you have.
It's more about only exploiting people who have less money than you do.
It is, but they bribe the people who police this
> Onavo Protect Android app, which had over 10 million Android installations, contained code to prompt the user to install a CA (certificate authority) certificate issued by "Facebook Research" in the user trust store of the device. This certificate was required for Facebook to decrypt TLS traffic.
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
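The interception described in the quoted passage only works against an app that trusts certificates in the device's user store. The two Android network security config fragments below are an added example, not from the page or from any project it mentions: the first shows the setting that opts an app back into user-added CAs, the second the hardened form that trusts only system CAs and pins a hypothetical backend (`api.example.com` and the pin hashes are placeholders). Since Android 7.0 (API 24), apps targeting that level exclude user-added CAs by default, so the first fragment is a weakening an app has to add deliberately.

```xml
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config">.
     Added example: two alternative files; api.example.com and the pins are placeholders. -->

<!-- WEAK: this base-config re-enables trust in user-installed CAs for every build,
     so a CA added to the user trust store can terminate the app's TLS sessions. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />   <!-- the weak line -->
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- HARDENED: trust only the system store (the API 24+ default, stated explicitly),
     pin the backend's public keys, and allow user CAs only in debuggable builds
     (debug-overrides is ignored unless android:debuggable="true"). -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- base64 SHA-256 of the SubjectPublicKeyInfo; always ship a backup pin -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

With the hardened file, a release build rejects a user-installed CA like the one described even after the user has accepted the install prompt.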
Quote:
A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
If this is true, why is this a civil lawsuit? Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
I assume because there was no actual hacking. I'm guessing users consented to this. As a user I should be able to view all traffic from my device and also give other third parties permission to view all traffic on my device. If I can't do this, is it really my device? It's not too much different from what Nielsen was doing when they installed boxes in people's homes to record what TV shows they were watching.
>Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
Because there's probably some clause buried in the ToS that gives them the right to do this, so it would not count as "exceeds authorized access" under the CFAA.
edit: it's not even buried. there's a screen that specifically says "facebook uses aggregated onavo data for market and business analytics"
You can file a civil lawsuit. You may or may not be able to persuade the prosecutor to file a criminal case.
The video near the middle of the page shows fairly clearly what they did, with accurate and understandable descriptions of shady behaviour. I think a capable prosecutor might regard it as difficult to prove that behaviour illegal. Shady, sure, but in dubio pro so why even prosecute.
So that leaves a civil lawsuit. There's no need to persuade a prosecutor for a civil lawsuit, and the balance of evidence counts, there's no in dubio pro.
Just like AI companies are allowed to do the piracy that Aaron Swartz was going to be jailed for, Facebook is too big to prosecute for hacking.
Because: $random_kid is not running an outsourced surveillance service for the security state.
Because Facebook is key to their online surveillance, so Facebook making itself better is making itself more effective to the state surveillance apparatus.
The stories I could tell you about Onavo. Ask anyone from the Facebook Growth Org. There's so much undisclosed dirt here it's insane...
I bet you could make some decent money by reaching out to the plaintiffs' lawyers. Expert witnesses can easily make $600+ / hr.
That's a really cool idea. It's been traumatic carrying this bullshit, tbh. So many nasty secrets.
I saw this story linked from a Twitter post, really interesting. It makes a lot of sense: make purchases based upon data / metrics.
I don't see what the big deal is. SSL MITM is CloudFlare's whole business model.
Care to elaborate? How do they make money?
While OP is a bit hyperbolic here, CloudFlare essentially is a man in the middle. They serve your content via a CDN and cache it around the globe. If you use CloudFlare, the SSL terminates at their servers, meaning that (theoretically) they could read all content sent via their network. While yes, you can put on your tinfoil hat and say that this is a central intelligence's dream to have such a global man-in-the-middle proxy, there are no fact-based reports that undermine CloudFlare abusing their position.
They mostly make their money by selling you better services on their CDN such as image scaling etc.
Is CloudFlare datamining that traffic to build intelligence profiles on its users and for anti-competitive business practices?
Is CloudFlare hiding that they are a terminating proxy and pretending to be a VPN for the purposes of spying on users?
The big deal isn't the technical aspect, it's what it was used for and how it was used.
Previously:
https://news.ycombinator.com/item?id=41090304
TFA is from 2024, so the title is wrong.
Updated, thanks!
On a side, but related note; all our societies need to reevaluate the corporate protections from personal liability when the activities breach the articles of incorporation, the so called veil; barring demonstrated accident or mistake.
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination has approaching zero power, but the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
I'm for more personal liability, but corporate higher-ups are pretty good at communicating their illegal desires to subordinates without saying the illegal part out loud.
I think the corporate death penalty is underused. Being in leadership when a corporation is dissolved for committing crimes is probably bad for one's future employment prospects.
Except they keep failing upwards.
I wonder if the RICO act could be applied...
Could it be that the problem is actually prosecutorial discretion?
In Sweden we have something called an absolute duty to prosecute, which means that for most crimes, if there's evidence and enough to get a conviction, the prosecutor has an actual absolute duty to prosecute.
So if this had happened here, I could report this to the police as 'unapproved intelligence activity against a person' and the prosecutor would have to, provided that there's enough evidence, prosecute the person for this.
Prosecutors here do have a love of dismissing things due to lack of evidence though.
I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data. And yet, he's walking free. Do we think he's reformed? Or is he probably going to do the same thing again as soon as he gets the chance, knowing that he got away with it once before?
>I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data.
No, Zuckerberg said to "get reliable analytics" and that maybe they need to "do panels or write custom software". The subsequent emails of "hey I made an app that does MITM on Snapchat" did not involve Zuckerberg.