Facebook used its Onavo VPN system to illegally track its users when accessing Snapchat and other competitors' apps, new unsealed court filings can reveal.
So-called Project Ghostbusters—echoing the iconic rival's logo—appears to have been just the beginning of the wider In App Action Panel (IAAP) program which aimed to spy on competitors' traffic to gain commercial advantage. It's thought to have run between June 2016 and approximately May 2019, with YouTube and Amazon being the next targets.
Meta, Facebook's parent company, employed its controversial VPN service as a way to intercept and decrypt the traffic between the people accessing its service and competitors' servers. The company shut down Onavo in 2019, following a TechCrunch investigation revealing the spyware-like VPN software was employed in a research project to collect sensitive user data from paid volunteers aged between 13 and 25.
Facebook new tracking revelations
“Facebook’s IAAP program conduct was not merely anticompetitive, but criminal,” read the filings revealed on March 26, 2024, by a federal court in California during the class action lawsuit between consumers and Meta.
Everything kicked off in June 2016 when Mark Zuckerberg, founder and CEO at Meta, actively requested its team to “figure out a new way to get reliable analytics” into Snapchat's encrypted data as the platform was starting to get more traction in the market.
The Onavo team took things into their own hands, coming up with a solution about a month later. They would use a method known as “SSL man-in-the-middle” to decrypt Snapchat's protected traffic to inform Meta's business decision-making. Man-in-the-middle is a popular cyberattack tactic for which perpetrators position themselves between a user (in this case, Facebook users) and a given application.
It looks like the solution was so successful that it was later implemented on a larger scale also against other Facebook rivals, namely YouTube and Amazon starting in 2017 and 2018 respectively.
This story is mind boggling, @lorenzofb have done a fantastic job navigating the complexity of how it unfolded.I drew a diagram here below for how the so called “Project Ghostbusters” was executed form what I understand. https://t.co/s80raBw5NZ pic.twitter.com/YFJ66tpdHSMarch 26, 2024
According to the court documents, Facebook’s lawyers were “near-constantly involved in the design, deployment, and expansion” of the company’s IAAP program.
However, as TechCrunch reported, not everyone working at Facebook was eager to cross this red line. For instance, the then-head of security engineering Pedro Canahuati expressed his concerns over the practice. “I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works,” he wrote in an email.
Plaintiffs Sarah Grabert and Maximilian Klein filed the ongoing lawsuit against Facebook in 2020, accusing the company of lying about its data collection practices and deceptively extracting data from users to unfairly compete against new rivals in the market.