Meta tried to gain a competitive advantage over its competitors, including Snapchat and later Amazon and YouTube, by analyzing the network traffic of how its users were interacting with Meta’s competitors. Given these apps’ use of encryption, Facebook needed to develop special technology to get around it.

Facebook’s engineers solution was to use Onavo, a VPN-like service that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, “allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” read an email from July 2016. “This is a ‘man-in-the-middle’ approach.”

A man-in-the-middle attack — nowadays also called adversary-in-the-middle — is an attack where hackers intercept internet traffic flowing from one device to another over a network. When the network traffic is unencrypted, this type of attack allows the hackers to read the data inside, such as usernames, passwords, and other in-app activity.

      • MataVatnik@lemmy.world
        link
        fedilink
        English
        arrow-up
        21
        arrow-down
        1
        ·
        edit-2
        7 months ago

        For me it’s not really about the data, it’s unforseen malicious maneuvers outside data. Sabotaging instances, manipulating feeds for their gain, or try to still centralize the fediverse undermining the whole concept. My point is, we don’t know what bad thing they could/would do, they are creative. But we sure as fuck know it’s an evil organization and they can’t be trusted.

        • nuzzlerat@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          7 months ago

          that’s fair. I fully believe they could pull some fuckery that would make everything worse

    • ramble81@lemm.ee
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      75
      ·
      7 months ago

      Please tell me what governing body exists for the fediverse that would let us deny them access?

      • ieatpillowtags@lemm.ee
        link
        fedilink
        English
        arrow-up
        75
        ·
        7 months ago

        How is this a relevant question? Nobody said anything about some governing body. There have been discussions on many instances about whether to federate with them or not, and it’s accurate to say that some people think we should.

        • Pips@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          23
          arrow-down
          2
          ·
          7 months ago

          For example, I’m personally of the opinion that instances should be allowed to federate until they prove themselves to be bad actors, but in Meta’s case there’s a lot of existing evidence that shows they shouldn’t be allowed to federate in the first instance.

          • JoBo@feddit.uk
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            12
            ·
            7 months ago

            Who do you imagine is (or should be) making these rules for the Fediverse?

            • Pips@lemmy.sdf.org
              link
              fedilink
              English
              arrow-up
              12
              ·
              7 months ago

              Every instance gets to decide on its own, there’s no set of rules governing the whole thing. That’s why I stated this is my opinion, not some hard and fast rule.

              • JoBo@feddit.uk
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                16
                ·
                7 months ago

                You stated it very much as a set of rules that should exist. Twice.

        • A_Random_Idiot@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          18
          ·
          edit-2
          7 months ago

          its also accurate to say some people are fucking idiots and think we should federate.

          on the wax winged hope in hell that the bad actor suddenly, miraculously, becomes a good actor…for reasons no one can explain.

      • QuandaleDingle@lemmy.world
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        3
        ·
        7 months ago

        Do you know how the Fediverse works? Instance maintainers who are less than thrilled with Meta can choose to defederate from Threads.

        • ramble81@lemm.ee
          link
          fedilink
          English
          arrow-up
          11
          arrow-down
          8
          ·
          7 months ago

          Exactly my point. It’d be on an instance by instance basis, there is no “singular group” that can block them from the entire fediverse.

          • knightly the Sneptaur@pawb.social
            link
            fedilink
            English
            arrow-up
            13
            arrow-down
            1
            ·
            7 months ago

            The whole point of federation is that you aren’t locked in the sinking ship. If everyone is defederating from your instance you can move to a better one.

            • ramble81@lemm.ee
              link
              fedilink
              English
              arrow-up
              11
              arrow-down
              1
              ·
              7 months ago

              Yes, but to realistically keep Threads from federating and utilizing people’s posts, every single instance owner would have to defederate. 1) that’s not likely, and 2) that’s a unilateral decision by the instance owner. I’m looking at things from a realistic standpoint, not an idealistic one.

      • MataVatnik@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        Im more specifically thinking about the big ones when this debate was going on about a couple of months ago.

  • Aniki 🌱🌿@lemm.ee
    link
    fedilink
    English
    arrow-up
    116
    arrow-down
    15
    ·
    7 months ago

    This is blatantly circumventing encryption and a violation of the DMCA but lets see the DoJ do fuck all about it.

    Right, Biden? Facebook, Good, Tiktok, bad?

    • gravitas_deficiency@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      61
      arrow-down
      6
      ·
      7 months ago

      Two things can be bad at once.

      What Meta did/is doing here is unbelievably shitty (but not that shocking).

      That in no way diminishes the incredibly serious implications of TikTok being wholly owned and operated by a PRC-based company, which comes with the implicit but very real and crucial caveat of the CCP will tell you to do just quietly things with your company sometimes, and if you don’t do it, you go to jail indefinitely.

      • Shyfer@ttrpg.network
        link
        fedilink
        English
        arrow-up
        19
        arrow-down
        1
        ·
        7 months ago

        But then it just comes off hypocritical and disingenuous if you selectively apply pressure. Then it just looks like you’re trying to give a competitive edge to US evil social media and preventing youth from learning about the situation in Palestine.

        • Promethiel@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          edit-2
          7 months ago

          Then it just looks like you’re trying to give a competitive edge to US evil social media.

          This is not just probable but certain; the whole thing is a very long way of saying this. In a world where the US worked for its citizens, this is a national security no-brainer. But we don’t live in a world where the spirit of things is followed when you can enrich yourself skirting the letter. Shit sucks, but this not a secret conspiracy; it’s realpolitik.

          and preventing youth from learning about the situation in Palestine.

          This one is more subjective…and also still probable for the same fucking reasons and good luck sharing the fact that you can act in a so called ‘security’ driven purpose and this is the perfect time to do sneaky shit. As if all of History wasn’t rife with examples with the Patriot Act being the first USA centric coming to mind amongst fuck what, hundreds?

          That is also realpolitik, and all the players know it. Shit sucks.

        • Cethin@lemmy.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          7 months ago

          It is absolutely giving an edge to “evil” (morality doesn’t matter in politics, especially international politics, and TikTok isn’t good anyway) US social media. China literally blocks all western social media. Everyone plays this game, and TikTok shouldn’t be on a pedestal just because you like using it.

          preventing youth from learning about the situation in Palestine

          OK, I really don’t think this has anything to do with it. There are many more places people’s are discussing this, like Lemmy for instance, that aren’t targeted. I’m sure you can find the same conversations happening on Reddit, Facebook, or whatever other social media. TikTok, though increasingly used for news, is not the only source of news about Palestine, nor is it the best. Short format content will never be good for detailed discussion of news and anyone thinking they’re getting thorough news in that format should reconsider.

      • knightly the Sneptaur@pawb.social
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        5
        ·
        7 months ago

        I’d only accept the TikTok argument when it gets applied to all social media companies in equal measure.

        We don’t need one-off bans that let the worst offenders get away with exploiting people’s personal data. We need a bill of privacy rights.

        • Pips@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          7 months ago

          So your argument is if the regulation isn’t perfectly applied to every possible instance of a potential violation simultaneously, then it should never be applied? How does that make any sense?

          • Leg@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            7 months ago

            I think it’s a reasonable request that regulations be consistently applied rather than utilized at the whims of corporate favoritism. Facebook deserved a ban well before tiktok was an entity.

          • knightly the Sneptaur@pawb.social
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            3
            ·
            edit-2
            7 months ago

            As opposed to selective enforcement of regulation mostly informed by nationalism and insider trading?

            How is this even a question. XD

          • knightly the Sneptaur@pawb.social
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            5
            ·
            edit-2
            7 months ago

            If you take off the nationalist filter you’ll see that they are the same issue.

            Social networks don’t need middlemen, middlemen need social networks that rely on server/client architecture they can exploit.

    • lurch (he/him)@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      7 months ago

      While I agree Facebook is also bad, the Tiktok thing is entirely different, because the legal issue is sending Amarican citizens data out to China, which the users agreed to give to Tiktok, but the government doesn’t want to be sent to China. The Facebook crime is secretly snooping without proper user consent.

        • Aatube@kbin.melroy.org
          link
          fedilink
          arrow-up
          7
          arrow-down
          9
          ·
          7 months ago

          That would be if they downloaded the uploaded Snapchats. This takes out web traffic, aka which “locations” your device visited, which 1. isn’t protected by copyright since it’s not a work 2. hasn’t been to Snapchat’s encryption yet. That time Bethesda accidentally shipped a DRM-free version of doom along with the main version, I don’t think opening the DRM-free one would count as circumventing.

          The relevant laws here should be about privacy and hacking.

          • Aniki 🌱🌿@lemm.ee
            link
            fedilink
            English
            arrow-up
            9
            arrow-down
            3
            ·
            edit-2
            7 months ago

            Why did you ask if you already had your answer then? The DMCA has no carve outs.

            • Aatube@kbin.melroy.org
              link
              fedilink
              arrow-up
              11
              arrow-down
              1
              ·
              edit-2
              7 months ago

              Because you may have seen some angle I didn’t anticipate.

              Not sure what you mean about carveouts.

                • Aatube@kbin.melroy.org
                  link
                  fedilink
                  arrow-up
                  2
                  arrow-down
                  3
                  ·
                  7 months ago
                  1. They technically (and legally) didn’t break it as they’re intercepting the traffic before it gets encrypted.
                  2. Not all encryption is DRM and covered by the DMCA. Hacking into and decrypting an encrypted database of passwords is violating hacking laws, not the DMCA. Same would apply to traffic data.

                  Note that IANAL.

  • Adanisi@lemmy.zip
    link
    fedilink
    English
    arrow-up
    78
    ·
    7 months ago

    Let that parasite rot in prison.

    And can somebody split Meta already? Please and thank you.

  • TheDarksteel94@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    35
    ·
    7 months ago

    I was thinking of buying a Meta Quest 3, because of a lack of similar devices. I wasn’t really seriously considering it, but I sure as hell am not at all now.

  • BurningnnTree@lemmy.one
    link
    fedilink
    English
    arrow-up
    18
    ·
    edit-2
    7 months ago

    I must be way out of the loop, cuz I had no idea this was possible. So does this mean the Facebook app on my phone has permission to view all of my network traffic? Why do Android and iOS allow this? Shouldn’t that be a special permission that can only be granted explicitly?

    • diffusive@lemmy.world
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      1
      ·
      7 months ago

      Nope, because Facebook app is not a VPN service so it cannot intercept traffic.

      What it is unclear from the article is how they circumvented the certificate check on the app side. Probably (given this was many years ago, maybe these apps weren’t setupping certificate pinning/HPKP)

      • phx@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        In theory, yes. In practice of they found some sort of exploit that allowed this I’d 100% not be surprised if Meta took advantage of it. Facebook app is malware

  • xantoxis@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    3
    ·
    7 months ago

    The world would be a better place if Mark Zuckerberg accidentally got sucked into a jetski engine somehow

  • RedFox@infosec.pub
    link
    fedilink
    English
    arrow-up
    15
    ·
    7 months ago

    I’m sure corporations like this would give you free Internet if they could collect and sell all your data. I’m also sure people would still do it, regardless of how much they are being monetized as a product.

    Since companies like Facebook own legislators, our only real choice is to stop using it. Unpopular opinion, but If you really want fuck Zuck, delete your account, and get all your friends and family to as well. Maybe there’s some alternatives for the people who truly use the service to connect with friends/family?

    • rtxn@lemmy.world
      link
      fedilink
      English
      arrow-up
      23
      ·
      7 months ago

      corporations like this would give you free Internet if they could collect and sell all your data

      Facebook Zero is more or less what you described.

    • Senseless@feddit.de
      link
      fedilink
      English
      arrow-up
      7
      ·
      7 months ago

      The free Internet if you give use your data is already a thing. I saw an ad in germany where you get unlimited free internet access (can’t remember if it was a data plan for phones or cable / fibre service) if you use their “payment partner” for your usual payments like rent, loans and salary. So they basically can see your daily payments and will use and sell this data im exchange for “free” Internet access.

      The company and its investors and corporation lead to a weird network of people and a corp in dubai. It’s all quite shady really.

      • RedFox@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        Wow, that is weird. I honestly just made that up in my head when I wrote it.

        The saying is true, if it’s free, you’re the product.

        I don’t actually know why I care about that level of privacy. Some of us are quite fine with companies or their government having any information about them. Some are very opposed.

        Maybe I dislike the idea that information could be used against me somehow or they’re making even more money than I’m already paying in some hypothetical case. Not sure.

        • Senseless@feddit.de
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          I work in IT so you might think I might be more into the topic and thus more careful with my data. There are a lot of colleagues of mine that don’t care one bit. Some even jokingly call me paranoid.

          Sure, I use GrapheneOS, a de-googled Android OS, made the switch from Gmail to Tuta (formerly tutanota), a privacy ans security focused mail provider and use my own domain for mailing.

          Then there are some other measurements in place like AdGuard and Pihole to block ads and trackers. I think that’s the bare minimum, especially if you’re working in IT. It doesn’t cost much, the setup is straight forward and the benefits are huge. I haven’t had any ads in my network for years.

          I’m currently switching from windows to Linux as daily driver. There are some issues with getting some games to run, but as soon as they do I’m switching for good.

          There are some easy thing one can do, even without any expertise in IT. There are even things you can do that aren’t finicky (like linux troubleshooting). People are just way to comfortable.

          Maybe they should watch the documentary about Edward Snowden, Citizenfour. That might change their mind.

          • RedFox@infosec.pub
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 months ago

            I watched that. Didn’t surprise me one bit.

            The overreaching government apparatus doesn’t inherently bother me, but we’re really placing a lot of power and trust in those people, and that does concern me.

    • neutron@thelemmy.club
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      I’m sure corporations like this would give you free Internet if they could collect and sell all your data.

      Already a thing. I see them advertised everywhere for prepaid plans and people go ‘omg Facebook/Whatsapp/Instagram/TikTok for free!!1!’.

    • webghost0101@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      I dunno, seem like the goal is to get you to buy a subscription to collect your data hostage in their cloud.

      And somehow for enough gullible customers its actually working.

  • Pantherina@feddit.de
    link
    fedilink
    English
    arrow-up
    13
    ·
    7 months ago

    Learning: VPN services are tracking instruments, not some magic tool.

    And its not even new…

  • TORFdot0@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    7 months ago

    Certainly they weren’t planning on actually planning on finding a way to get people to install a VPN to decrypt their traffic just to use Facebook, right?

    That’s why they paid teenagers to use the VPN so they could get some “guerrilla market research”.

    Even in 2013 apps didn’t have the permission access to install a device level VPN without some unspecified exploit. 0 chance Facebook would literally hack people’s phones, right?

    Right?

    • pup_atlas@pawb.social
      link
      fedilink
      English
      arrow-up
      15
      ·
      7 months ago

      The VPN adds its own root certs to the device, and just terminates TLS at the gateway, then establishes a second TLS tunnel to the device.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        5
        ·
        7 months ago

        It can’t do that silently, the user has to approve installation of root certs. This only works silently with apps which have broken (insecure) cert validation

        • pup_atlas@pawb.social
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          Can’t do it silently, but it’s not uncommon for root certs to come along with a VPN. I wouldn’t be surprised to see that it’s built into the VPN profile API on Andriod and Apple devices.

    • waitmarks@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      7 months ago

      it doesn’t, what this is suggesting is the vpn was routing traffic through it so they could analyze snapchat traffic. not the contents of it but essentially meta analysis of the traffic. how often it was sending data, how much data, where it was going etc.