A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195
  1. <!doctype html><!-- This is a valid HTML5 document. -->
  2. <!-- Screen readers, SEO, extensions and so on. -->
  3. <html lang="en">
  4. <!-- Has to be within the first 1024 bytes, hence before the `title` element
  5. See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
  6. <meta charset="utf-8">
  7. <!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
  8. <!-- The viewport meta is quite crowded and we are responsible for that.
  9. See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
  10. <meta name="viewport" content="width=device-width,initial-scale=1">
  11. <!-- Required to make a valid HTML5 document. -->
  12. <title>Facebook snooped on users’ Snapchat traffic in secret project, documents reveal (archive) — David Larlet</title>
  13. <meta name="description" content="Publication mise en cache pour en conserver une trace.">
  14. <!-- That good ol' feed, subscribe :). -->
  15. <link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
  16. <!-- Generated from https://realfavicongenerator.net/ such a mess. -->
  17. <link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
  18. <link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
  19. <link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
  20. <link rel="manifest" href="/static/david/icons2/site.webmanifest">
  21. <link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
  22. <link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
  23. <meta name="msapplication-TileColor" content="#f7f7f7">
  24. <meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
  25. <meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
  26. <meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
  27. <!-- Is that even respected? Retrospectively? What a shAItshow…
  28. https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
  29. <meta name="robots" content="noai, noimageai">
  30. <!-- Documented, feel free to shoot an email. -->
  31. <link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
  32. <!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
  33. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  34. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  35. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  36. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  37. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  38. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  39. <script>
  40. function toggleTheme(themeName) {
  41. document.documentElement.classList.toggle(
  42. 'forced-dark',
  43. themeName === 'dark'
  44. )
  45. document.documentElement.classList.toggle(
  46. 'forced-light',
  47. themeName === 'light'
  48. )
  49. }
  50. const selectedTheme = localStorage.getItem('theme')
  51. if (selectedTheme !== 'undefined') {
  52. toggleTheme(selectedTheme)
  53. }
  54. </script>
  55. <meta name="robots" content="noindex, nofollow">
  56. <meta content="origin-when-cross-origin" name="referrer">
  57. <!-- Canonical URL for SEO purposes -->
  58. <link rel="canonical" href="https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/">
  59. <body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">
  60. <article>
  61. <header>
  62. <h1>Facebook snooped on users’ Snapchat traffic in secret project, documents reveal</h1>
  63. </header>
  64. <nav>
  65. <p class="center">
  66. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  67. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  68. </svg> Accueil</a> •
  69. <a href="https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/" title="Lien vers le contenu original">Source originale</a>
  70. <br>
  71. Mis en cache le 2024-03-28
  72. </p>
  73. </nav>
  74. <hr>
  75. <p id="speakable-summary">In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers. The goal was to understand users’ behavior and help Facebook compete with Snapchat, according to newly unsealed court documents. Facebook called this “Project Ghostbusters,” in a clear reference to Snapchat’s ghost-like logo.</p>
  76. <p>On Tuesday, a federal court in California released new documents discovered as part of the class action lawsuit between consumers and Meta, Facebook’s parent company.</p>
  77. <p>The newly released documents reveal how Meta tried to gain a competitive advantage over its competitors, including Snapchat and later Amazon and YouTube, by analyzing the network traffic of how its users were interacting with Meta’s competitors. Given these apps’ use of encryption, Facebook needed to develop special technology to get around it.</p>
  78. <p><a href="https://www.documentcloud.org/documents/24520332-merged-fb" target="_blank" rel="noopener">One of the documents</a> details Facebook’s Project Ghostbusters. The project was part of the company’s In-App Action Panel (IAPP) program, which used a technique for “intercepting and decrypting” encrypted app traffic from users of Snapchat, and later from users of YouTube and Amazon, the consumers’ lawyers wrote in the document.</p>
  79. <p>The document includes internal Facebook emails discussing the project.</p>
  80. <p>“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”</p>
  81. <p>Facebook’s engineers solution was to use <a href="https://techcrunch.com/tag/onavo/">Onavo</a>, a VPN-like service that Facebook acquired in 2013. In 2019, <a href="https://techcrunch.com/2019/02/21/facebook-removes-onavo/">Facebook shut down Onavo</a> after a TechCrunch investigation revealed that <a href="https://techcrunch.com/2019/01/29/facebook-project-atlas/">Facebook had been secretly paying teenagers to use Onavo</a> so the company could access all of their web activity.</p>
  82. <p>After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, “allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” read an email from July 2016. “This is a ‘man-in-the-middle’ approach.”</p>
  83. <p>A man-in-the-middle attack — nowadays also called adversary-in-the-middle — is an attack where hackers intercept internet traffic flowing from one device to another over a network. When the network traffic is unencrypted, this type of attack allows the hackers to read the data inside, such as usernames, passwords, and other in-app activity.</p>
  84. <p>Given that Snapchat encrypted the traffic between the app and its servers, this network analysis technique was not going to be effective. This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.</p>
  85. <p>“We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.</p>
  86. <p>Later, according to the court documents, Facebook expanded the program to Amazon and YouTube.</p>
  87. <p>Inside Facebook, there wasn’t a consensus on whether Project Ghostbusters was a good idea. Some employees, including Jay Parikh, Facebook’s then-head of infrastructure engineering, and Pedro Canahuati, the then-head of security engineering, expressed their concern.</p>
  88. <p>“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works,” Canahuati wrote in an email, included in the court documents.</p>
  89. <p>In 2020, Sarah Grabert and Maximilian Klein <a href="https://www.jurist.org/news/2020/12/class-action-lawsuit-against-facebook-alleges-anticompetitive-behavior/" target="_blank" rel="noopener">filed a class action lawsuit against Facebook</a>, claiming that the company lied about its data collection activities and exploited the data it “deceptively extracted” from users to identify competitors and then unfairly fight against these new companies.</p>
  90. <p>An Amazon spokesperson declined to comment.</p>
  91. <p>Google, Meta, and Snap did not respond to requests for comment.</p>
  92. <p><em>This story was updated to correct the link to the discovery documents in the fourth paragraph.</em></p>
  93. </article>
  94. <hr>
  95. <footer>
  96. <p>
  97. <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
  98. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
  99. </svg> Accueil</a> •
  100. <a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
  101. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
  102. </svg> Suivre</a> •
  103. <a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
  104. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
  105. </svg> Pro</a> •
  106. <a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
  107. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
  108. </svg> Email</a> •
  109. <abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
  110. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
  111. </svg> Légal</abbr>
  112. </p>
  113. <template id="theme-selector">
  114. <form>
  115. <fieldset>
  116. <legend><svg class="icon icon-brightness-contrast">
  117. <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
  118. </svg> Thème</legend>
  119. <label>
  120. <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
  121. </label>
  122. <label>
  123. <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
  124. </label>
  125. <label>
  126. <input type="radio" value="light" name="chosen-color-scheme"> Clair
  127. </label>
  128. </fieldset>
  129. </form>
  130. </template>
  131. </footer>
  132. <script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
  133. <script>
  134. function loadThemeForm(templateName) {
  135. const themeSelectorTemplate = document.querySelector(templateName)
  136. const form = themeSelectorTemplate.content.firstElementChild
  137. themeSelectorTemplate.replaceWith(form)
  138. form.addEventListener('change', (e) => {
  139. const chosenColorScheme = e.target.value
  140. localStorage.setItem('theme', chosenColorScheme)
  141. toggleTheme(chosenColorScheme)
  142. })
  143. const selectedTheme = localStorage.getItem('theme')
  144. if (selectedTheme && selectedTheme !== 'undefined') {
  145. form.querySelector(`[value="${selectedTheme}"]`).checked = true
  146. }
  147. }
  148. const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
  149. window.addEventListener('load', () => {
  150. let hasDarkRules = false
  151. for (const styleSheet of Array.from(document.styleSheets)) {
  152. let mediaRules = []
  153. for (const cssRule of styleSheet.cssRules) {
  154. if (cssRule.type !== CSSRule.MEDIA_RULE) {
  155. continue
  156. }
  157. // WARNING: Safari does not have/supports `conditionText`.
  158. if (cssRule.conditionText) {
  159. if (cssRule.conditionText !== prefersColorSchemeDark) {
  160. continue
  161. }
  162. } else {
  163. if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
  164. continue
  165. }
  166. }
  167. mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
  168. }
  169. // WARNING: do not try to insert a Rule to a styleSheet you are
  170. // currently iterating on, otherwise the browser will be stuck
  171. // in a infinite loop…
  172. for (const mediaRule of mediaRules) {
  173. styleSheet.insertRule(mediaRule.cssText)
  174. hasDarkRules = true
  175. }
  176. }
  177. if (hasDarkRules) {
  178. loadThemeForm('#theme-selector')
  179. }
  180. })
  181. </script>
  182. </body>
  183. </html>