Saying we’re going to do “ traffic monitoring” doesn’t carry the weight of “we are going to listen to your private conversations”.

I'd wager that most participants don't know the full details of the program, but "company pays you for your usage information" is a very old thing. You could (maybe you still can) get paid to install a box on your TV that recorded all of your viewing statistics to be used for market research.

To me, the biggest concern is that this is only really viable because Facebook had nontrivial market penetration of a more-or-less unrelated product to their main offering. This isn't something that Snapchat could have easily done to get market research on Facebook usage, for example. This feels (to me) more like an anticompetition concern rather than a privacy concern.

If Facebook wanted to learn the protocol Snapchat uses, they only needed a single test device. If they only needed to learn usage patterns, they could’ve checked where the traffic is sent to or app usage time etc.

Installing a root certificate is very intrusive and they behavior shows that if they are ever given the opportunity to be become a root certificate authority, they are likely to issue malicious certificates. As far as I know, no website can pin their certificates, so this takes us back to pre-HTTPS days where ISPs and network operators had a lot of fun reading user traffic.

Those boxes have been phased out in favour of “Personal People Meters”[0], which are basically a pager with a SIM card that you wear which has a microphone listening 24/7 for TV broadcasts. You must keep it on you, listening at all times.

Nielsen will pay you $250/year (less than a dollar a day) for the data you provide.

[0] https://en.wikipedia.org/wiki/Portable_People_Meter

“They like Itchy, they like Scratchy, one kid seems to love the Speedo man… what more do they want?"

Now, Meta decides to MITM the communications that I intentionally encrypted so that it can gain a competitive advantage…well, remember when meta kicked out researchers what had obtained consent from users to perform research on its platform? That was not even illegal. This is.

The whole thing's a mess, but it's funny to me that people would get indignant over a user letting another party intercept analytics data. "Hey, that's my data from spyware! Get your own!" As if their "consent" to collect the data in the first place were any less flimsy than Facebook's.

edit: I think this is something I wouldn't call informed consent: "Of particular concern was that users as young as 13 were allowed to participate in the program. Connecticut Senator Richard Blumenthal criticized Facebook Research, stating "wiretapping teens is not research, and it should never be permissible. This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior.""[1]

1: https://en.m.wikipedia.org/wiki/Onavo

I'd not last a single day at such a company who would ask me to do such things. I had worked for a national political party in IT and left the job once I found about it corrupt practices and scams.

If we, as engineers collectively upheld ethics as part of work culture, Meta wouldn't have attempted it.

Just saying, it's really hard when your job or even your future green card is on the line. When the grunt engineers are 1 mistake away from being sent away from the US and lose all their potential futures in the US, they are much more likely to bury their heads carry out what they are told from the managers.

We need to go for the higher ups more.

But what will happen when they get caught stealing each other's surveillance booty?

They hired Snapchat users (via a testing services provider ) to let meta observe their usage of Snapchat.

Something akin to paying someone to let a meta researcher sit by your side and observe while you use the app.

This happens all the time (hiring the testing services to recruit users to use your own app and analyze the patterns with screen recordings and such).

The news here is paying for someone to “test” a competitors’ app.

I hope that the testers knew they had Snapchat analyzed and not that they were told they were testing only Onavo.

> Something akin to paying someone to let a meta researcher sit by your side and observe while you use the app.

Onavo Extend and Onavo Protect positioned themselves as providing consumer-oriented benefits (bandwidth reduction and security, respectively).

> The news here is paying for someone to “test” a competitors’ app.

Facebook acquired Onavo in 2013, so this was 100% a first-party effort to turn their first-party products into spyware.

Normal Onavo users were not subject to the decryption (although they were providing Meta information about overall snapchat's marketshare).

For example, all the usual arguments against backdoors are going to be used by intelligence agencies to justify "providing assistance", which isn't even merely a euphemistic excuse given how incredibly valuable it would be for normal organised crime to spy on some of the encrypted data… but also is at least a bit of a euphemism, as I have to assume the controversies about terrorist groups using Cloudfare are only pemitted to happen because someone in US intelligence knows how to squeeze secrets from those groups.

In theory, messing with SSL is one of Cloudfare's features, not a secret; in practice I suspect most end users treat all this as magic — I've directly witnessed magical thinking with the padlock icon in browsers.

The difference in awareness is massive between those two use cases.

Only if you let them manage the SSL connection. Load balancers can easily relay individual TCP connections that are encrypted - load balancing doesn't require decryption.

> And even if not, snooping on VMs is pretty trivial.

They'd have to go out of their way to do this, and this would probably be the end of them if it were ever found out. So it's safe to assume any provider who wants to continue existing will not be doing this.

I did work for a public cloud and we did think of VMI for diagnostics and malware checks. Once deployed and automated, it would be trivial to reuse for other purposes. I don't expect public cloud to use that daily, but I'd be surprised if they didn't have the process ready.

On the other hand, you want to process the LB traffic as fast as you can and any monitoring/reporting delay would have bad effects. Reconfiguring the filters / sinks at runtime takes effort too.

With experience in both areas, I can tell you they're comparable overall. You have to go out of your way to do it, but it's not too far.

Users consent to the website seeing their traffic and the website consents to Cloudflare doing the SSL termination. This isn't too much different from the website consenting to analytics scripts monitoring webpage activity (i.e. Hotjar). If they did something shady, then users & the website would both be rightfully mad at them. But Cloudflare hasn't, so far at least.

Meanwhile, Facebook is known to do literally everything shady that is possible to do with a user's data, as well as plenty of things that weren't even a thing before they invented entirely new methods of tracking and selling data, so it's rightfully insane to trust them with anything, especially website traffic that they have no rights to.

The SSL stuff that Cloudflare offers to protect your websites/APIs etc so you don't have to, their DNS products. The fact that iCloud Private Relay uses Cloudflare under the hood (and so all browsing there happens through their gateways etc).

I hate FB, but all big platforms these days will cooperate with federal agencies in cases like the one described. Doesn't make them "state actors".

Also noteworthy is that Google were also doing something similar at the time, both were side-stepping Apple's privacy protections in iOS by using enterprise certificates that allowed the side-loading of apps without Apple's overview. In response Apple more thoroughly restricted how these certificates can be used.

Interestingly I've noticed in the DMA threads people suggesting that a company exploiting side-loading to dodge Apple's privacy protections was nothing more than fear mongering. As if this is a red line developers won't cross.

To me, it's wild to think that people on HN don't know about this relatively recent history and are so naive to think that these protections were just pulled out of the air to frustrate developers, and not a reaction to an on-going arms war against consumer's right to privacy.

(1) https://www.extremetech.com/internet/284770-apple-kills-face...

IMO we have modern journalism to thank for this sort of thing. People are so misinformed with rage bait articles that they push against policies in their own interest.

But if anyone dare suggest enforcing some minimum level of journalistic ethics they'll get attacked because somehow journalists have painted themselves as some sort of unassailable paragon of righteousness.

I see a lot of cheerleading and parroted talking points against the interests of developers, particularly small and independent developers. A lot of the changes lobbied for by large developers give them an insurmountable pricing and competitive advantage over small developers and startups, yet I don't see much consideration here for that, nor the wishes of bona fide consumers.

Epic is particularly barefaced here, since they claim they are fighting for developers, when their proposals are not altruistic. Each clearly puts them at an advantage over smaller developers and consumers. Do we have such a short memory that we forget that this is the same Epic that settled with the FTC for using dark patterns and violating childrens' privacy for the purpose of tricking kids into accidental Fortnite purchases.(1) That was only 15 months ago.

While I'd expect reddit to be less informed, I'm not so charitable with HN: it's a forum where the bulk of participants claim to be developers.

(1) https://www.ftc.gov/news-events/news/press-releases/2022/12/...

Meanwhile in journalism, ethics is a strong part of the course structure but you see countless journalists writing poorly researched ragebait articles for clicks.

The "programmers don't know ethics" meme is just that, a meme. The fact that there even is a required ethics course in most universities is far more than you can say for most other majors. Nearly every single programmer knows about Therac-25, I'd wager most graduates today are also learning about MCAS, etc.

Emphasis mine. you'd likely win that wager, I don't disagree, and that's great for today's graduating classes, but because engineer is not a protected term, especially not software engineer and definitely not prompt engineer, theres no requirement for a CS graduate to go back and do continuing education like there is in other fields, so graduates who don't seek out and do the, eg, OCW CS ethics class aren't going to find themselves in one. Curriculum has evolved over the years to include ethics as a requirement, but that meme isn't a meme because it isn't true in a vast number of cases, as evidenced by the multiple failures in, eg, this case here.

"... the Wiretap Act provides that an interception is not unlawful if a party to the communication “has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). Advertisers conspicuously fail to mention—and apparently do not contest—that Meta obtained participants’ prior consent to participate in the Facebook Research App, and with good reason: Participants affirmatively consented to “Facebook … collecting data about [their] Internet browsing activity and app usage” to enable Facebook to “understand how [they] browse the Internet, how [they] use the features in the apps [they’ve] installed, and how people interact with the content [they] send and receive."

So users consented?

No.

They have ...'d out an important part of 2511(2)(d).

(and they probably meant (c))

First, it starts out with: "It shall not be unlawful under this chapter for a person not acting under color of law "

This basically means a state/federal official or someone acting in their capacity as one (the color of law part basically means it applies even when they act beyond their legal authority by accident)

Which they aren't. So this doesn't apply at all. (d) has an additional requirement they ...'d out at the end, but (c) does not.

So it's both a wrong cite and a dumb one.

Second, you'll note "competitive research" or anything similar is not one of the allowage usages of collecting data that facebook got.

Third, the return argument will also be "the how matters", and users did not consent to this how, and would not have.

If I give consent to participate in collection of my internet data, it doesn't give you authorization to like, have someone live in my house and follow me around 24/7 so they can see what i do on the internet.

TV ratings used to be collected from panelists using a wearable device that literally had an always-on microphone recording you 24/7 : https://en.wikipedia.org/wiki/Portable_People_Meter

How is the situation of Onavo/Meta panelists worse ?

Here it is saying it’s illegal unless you are an official acting under color of law and there is one party consent

because the document says here that it was going to be given to trial participants as part of yougov(and others) survey. Which implies that they would have been informed/paid.

If its the former, then obviously thats unauthorised wiretapping. If its the latter so long as informed consent is given, that a shittonne better that the advertising tech we have now.

for TLS traffic you need to also install onavo.

But the app does scan your contact list every couple minutes and send diffs to their servers. Even if you have never opened the app. And on previous android versions all your recently open apps list too.

But again, if you install whatsapp you must give them the contact list permission anyway otherwise the app is intentionally broken and annoying.

(However, if you have time on your hand and principles, you can use WhatsApp on a burner phone, I guess?)

remember the backlash fb got when they offered free internet in india and africa but only for the Facebook app?

well, everywhere in the world you get free whatsapp traffic, so everyone now is on whatsapp.

good luck convincing a business who get hundreds of sales call via WhatsApp tobuse signal.

or convincing people who can barely afford their water bill that they now need a data plan to use signal instead of free whatsapp.

metabook won on this.

They won on distributing E2EE and the Signal Protocol to 99% of the world, which previously transmitted everything in plain? Sounds like a pretty good win to me.

> you are a fool if you install WhatsApp [...] meta is balls deep inside the app and watching what you do.

WhatsApp uses the same protocols as Signal under the hood. The Signal team even helped WhatsApp implement it. Furthermore, the app has been extensively RE'd by third parties to validate it's doing what it says on the tin.

https://signal.org/blog/whatsapp-complete/

> When I hear friends talk about WhatsApp I cringe. The few who have signal I regard highly.

Your clear lack of knowledge on the subject matter combined with your judgement of others says far more about you than your friends. It seems that you have fallen victim to the Dunning-Kruger curve, so consider not judging people until that is rectified.

thats a freaking lie and you should feel bad for repeating it.

it was barely reviewd years ago. before all the shady features that even caused the original founder to leave the company (and a few billions worth of golden handcuffs) with an open letter about how fb destroyed privacy in WhatsApp.

EU and all sane state actors forbid its use (some recommends signal)

all recent political leaks was from fb (e.g. brazil, italy)

It's trivial to RE the app. Plenty of 3Ps continually RE the app.

Support your claims of WhatsApp being backdoored with facts, not random assertions you pull out of - where, exactly?

> EU and all sane state actors forbid its use

Because it is E2EE. You don't want government employees to use an E2EE service because it kills transparency.

> some recommends signal

WhatsApp and Signal share the same exact protocol.

> all recent political leaks was from fb (e.g. brazil, italy)

Irrelevant to WhatsApp. They're run by a completely separate team within Meta, have completely different leadership and reporting chains, and has a completely separate codebase and architecture.

Again, support your claims with actual facts instead of incoherent angry rambling. Is it backdoored? Can Meta access your messages? Provide proof.

I didn't work with the data collection, so my info is a bit limited. Facebook was our customer even though they had already bought Onavo.

I can answer some questions if you have any.

The company did go bankrupt and the technology was sold.

That’s what Facebook enticed users to do here. Without that root cert they wouldn’t have been able to see as much as they did.

First, this is not wiretapping, come on. There's targeted man-in-the-middle (MITM) attacks, and then there's this. This is plainly "we are using advanced powers to analyze your traffic".

This is not even Superfish[2] type of stuff, where Lenovo had preinstalled root certs onto laptops to display ads. This is "if you opt in we will analyze your data".

Every program you install on your laptop can basically do WHATEVER it wants. This is how viruses work. When you install a program, you agree to give it ALL power. This is true on computers generally, and this is true on phones when you side-load programs. The key is that when we install something we understand the type of program we're installing, and we trust that the program doesn't do more than what it _claims to be doing_.

So the question here is not "how does Onavo manage to analyze traffic that's encrypted", it's "does Onavo abuses the trust and the contract it has with its users?"

[1]: https://variety.com/2017/digital/news/google-gmail-ads-email...

[2]: https://www.virusbulletin.com/blog/2015/02/lenovo-laptops-pr...

I don't know about Windows or Linux though.

I can't find the consent page/legalese shown to users, do you have a link?

Facebook’s SSL bump technology was deployed against Snapchat starting in 2016, then against YouTube in 2017-2018, and eventually against Amazon in 2018.

The goal of Facebook’s SSL bump technology was the company’s acquisition, decryption, transfer, and use in competitive decision making of private, encrypted in-app analytics from the Snapchat, YouTube, and Amazon apps, which were supposed to be transmitted over a secure connection between those respective apps and secure servers (sc-analytics.appspot.com for Snapchat, s.youtube.com and youtubei.googleapis.com for YouTube, and *.amazon.com for Amazon).

This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices, see PX 414 at 6, PX 26 (PALM-011683732)(“we install a root CA on the device and MITM all SSL traffic”), also included custom server-side code based on “squid” (an open-source web proxy) through which Facebook’s servers created fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis, see PX 26 at 3-4 (Sep. 12, 2018: “Today we are using the Onavo vpn-proxy stack to deploy squid with ssl bump the stack runs in edge on our own hosts (onavopp and onavolb) with a really old version of squid (3.1).”); see generally http://wiki.squid-cache.org/Features/SslBump

Malware Bytes Article: https://www.malwarebytes.com/blog/news/2024/03/facebook-spie...

Sure enough all the API requests for data were coming through, but whenever a request for image happened - nothing would hit the servers.

What the heck I thought to myself?

I said to the client 'that can't be, that's almost impossible....the only way that's possible is if the SSL traffic is decrypted, inspected, and images blocked from being requested, which, is a MITM attack".

He redirected me to his IT provider. I phoned them up, and explained the situation.

"Ahh so they're _____"

Me: "So what does that have to do with the price of fish?"

Them : "Content filtering..., you need to talk to ____"

Sure as the day is long, the content filter was a VPN all members of ____ had to have on their mobile devices (I don't know how widespread this is, whether it was just this business, or the entire ____ )

I applied to have our system approved, it was, and just like magic the next day photos started coming through.

I'm guessing basically it detected any .jpg/.mp4 etc URL's in https requests and flagged it up and blocked them from being requested. You can be sure on those devices the VPN would have been somehow locked in with device management, and there's no way on gods green earth they were getting at Facebook/insta etc.

So, it's not just meta. That really hammered home how seamless it can be to end users that they really can't trust what's actually happening on their devices.

It certainly seemed for all intents and purposes if you were a member of _____ group (wider than the company) you had the vpn on your device, and it was filtering content. I've found other reports in other countries of that happening with the same group.

So it's not corporate content filtering, it's personal content filtering and our app got caught up in it (and approved).

It certainly made my skin crawl for anyone in that religion. That means the central filtering service could be reading messages. Not sure if they're that sophisticated but certainly they didn't want people to see random images/videos.

You could imagine a standard for a network to signal to a client that it does not allow certain privacy features like ECH, and then clients can accept that or not. Instead I expect browsers will eventually mandate ECH, so people will have to MITM instead.

It also sounds like their issue was at the ISP provider level, as well, which takes the business out of the loop of being the data controller/owner (of the collected data) at that point.

Note: I'm not saying that your comment doesn't have merit, I just don't think that the points that you made apply - specifically - in this case?

So, member of the church? you get this VPN on your phone, (not sure whether phone was supplied by the church, but certainly this VPN was on it) VPN is effectively content filtering and blocking content.

I had our app whitelisted by that central company (literally raised a ticket with them, next day magically fixed).

Sorry I meant the optimize the content for their peers and shield them from harmful content for the better of humanity // irony

1. https://www.acm.org/code-of-ethics

Onavo provided a compression + VPN service for people traveling; they let users use little or no data while roaming, and still get internet access. I do not know what their original business plan was, but Facebook bought them for the ability to spy on users.

Their MITM was, in fact, the raison d’etre of Onavo. And then, they were bought by Facebook. And then there was just some more analytics added. At no point, as I understand it, was it built explicitly for evil - and I suspect very few employees were in on the real reasons.

Plausible deniability works for many things.

I am happy to answer any questions you have about questioning or ethics at the time. Assuming that people's reaction to this was wrong, while not knowing what that reaction was, or having less than 5% of the context, isn’t going to help much.

Short answer: No, there were strong arguments for it. I reached out for institutional support to answer some questions, groups that I expected to be a lot more supportive than the ACM, but I found the reaction seriously lacking. Your intuition that groups like the ACM should offer assistance is sensible but completely overlooks many problems: geopolitics, different types of security, and individual capacities, among others. Each institution has its priorities; those are not always compatible, and it’s unclear who should have precedence. The ACM won’t help you if the argument is the kind of compromise with the devil that spy agencies often make or if problematic tools are used in efforts to dismantle large criminal groups.

We seem to be able to manage this with bridges, planes, electrical & hydro installations etc. No reason it shouldn't be the same for critical software infrastructure.

In Microsoft, Google, and Apple's cases, they all have substantial enterprise business that would shit a brick if they were caught doing this.

Ergo, it's not in their best interest to do it.

Safer to rely on a company's desire to make money than any sense of "good".

Yeah, crap move but my concern isn't those other scoundrels, it's me / us.

Your comment seems to infer that you're unable to empathize with people who might think/understand differently than you. It also seems to negate that you avail of other services/non-self-controlled processes without worrying about the threat models, there.

Just hand-waiving with a "Why don't people just do 'x'?" is ironic - in the sense of "Why do you do your own medical care?" or "Why don't you grow your own food and slaughter your own animals?" or "Why don't you manufacture your own phone, it's operating system - oh, and the cellular tower closest to you?".

Threat models exist, _everywhere_, and it's impossible for someone to build all of the pieces, themselves, to prevent all threat models at every possible avenue/point.

In other words, at a non-arbitrary point, doing _everything_ yourself is untenable and that's precisely why services in society exist, today (that and ease of access, use, required foreknowledge, and - most notably - cost).

And it doesn't anonymize you that well. When you post a message that draws the attention of law enforcement, the IP will lead them to a VPN provider that hopefully doesn't keep any logs.

But if it leads them to a specific server, the hosting provider will disclose your account and payment data, since it is linked to your private server. Unless they accept fully pseudonymous accounts and let you pay for your VPS in cash, Monero or tumbled Bitcoins, finding you is much easier now.

For 99.9% of people a VPN is just something they use to access something in another country or because some YouTube ad scared them into believing you need a VPN as soon as you step into a coffee shop.

The threat model of most people does not include state actors or intelligence actors and they just don’t care.

Both are Swiss zero log, Mullvad has a flat 5 euro/month charge that goes back to when they started to (they say) forever - you can send them cash in envolope for the next twenty years with a generated account number and you're away.

ProtonVPN has plans - the two year streaming sign up is 4.99 euro/month.

There is also no comparison between Crypto AG and us. Our encryption occurs client-side, our cryptographic code is open source ( https://proton.me/community/open-source ), and our tech can and has been independently verified. More about this here: https://proton.me/blog/is-protonmail-trustworthy

Finally, regarding payment in cryptocurrency, you can also pay for Proton's services in Bitcoin: https://proton.me/support/payment-options#bitcoin.

That person isn't just a climate activist, they (and others who used that email account) broke French laws. Swiss authorities compelled the disclosure.

That's a terrible reason. Torrenting breaks French law. Having the wrong bread or cheese with your wine probably breaks French law.

And if your company can be compelled via gag order to give up your users' privacy whenever the authorities feel like it, well, your product isn't very effective anyways, and you should stop pretending you offer any meaningful level of protection.

Not to mention the other stuff the VPN providers give you as standard which you'd have to implement and maintain yourself.