In 2016, Facebook launched a secret project designed to intercept and decrypt network traffic between people using Snapchat’s app and its servers. The goal was to understand user behavior and help Facebook compete with Snapchat, according to recently unsealed court documents. Facebook called it “Project Ghostbusters,” in a clear reference to Snapchat’s ghost-like logo.
On Tuesday, a federal court in California released new documents discovered as part of a class-action lawsuit between consumers and Meta, Facebook’s parent company.
The newly released documents reveal how Meta tried to gain a competitive advantage over its competitors, including Snapchat and later Amazon and YouTube, by analyzing network traffic to see how its users interacted with those competitors. Because these apps encrypt their traffic, Facebook had to develop special technology to get around the encryption.
One of the documents details Facebook’s Project Ghostbusters. The project was part of the company’s In-App Action Panel (IAPP) program, which used a technique to “sniff and decrypt” encrypted app traffic from Snapchat users and later YouTube and Amazon users, lawyers for the consumers wrote in the document.
The document includes internal Facebook emails discussing the project.
“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted, we don’t have analytics about them,” Meta CEO Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit. “Given how fast they are growing, it seems important to find a new way to get reliable analytics about them. We may need to make tables or write custom software. You’ll have to figure out how to do that.”
Facebook engineers’ solution was to use Onavo, a VPN-like service that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook was secretly paying teenagers to use Onavo so that the company could have access to all their web activity.
After Zuckerberg’s email, the Onavo team took up the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, “allowing us to read what would otherwise be encrypted movement. We can measure usage within the app,” read an email from July 2016. “This is a man-in-the-middle approach.”
A man-in-the-middle attack — today also called an adversary-in-the-middle — is an attack where hackers intercept Internet traffic flowing from one device to another across a network. When network traffic is not encrypted, this type of attack allows hackers to read the data that exists inside, such as usernames, passwords, and other in-app activity.
Since Snapchat encrypted the traffic between the app and its servers, this network analysis technique would not be effective. That’s why Facebook engineers suggested using Onavo, which when enabled had the advantage of reading all of the device’s network traffic before it was encrypted and sent over the Internet.
“We now have the ability to measure detailed in-app activity” by “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” another email said.
Later, according to court documents, Facebook expanded the program to Amazon and YouTube.
Within Facebook, there was no consensus on whether Project Ghostbusters was a good idea. Some employees, including Jay Parikh, then Facebook’s chief infrastructure engineer, and Pedro Canahuati, then chief security engineer, expressed concern.
“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this regardless of the consent we get from the general public. The general public just doesn’t know how this thing works,” Canahuati wrote in an email, included in court documents.
In 2020, Sarah Grabert and Maximilian Klein filed a class action lawsuit against Facebook, alleging that the company lied about its data collection activities and took advantage of data that was “misleadingly extracted” from users to identify competitors and then unfairly wage war against these new companies.
An Amazon representative declined to comment.
Google, Meta and Snap did not respond to requests for comment.