Tue, Oct 15 2024
In order to capture and decode network information between users of Snapchat's app and its servers, Facebook initiated a covert initiative in 2016. According to recently released court filings, the objective was to comprehend user behavior and assist Facebook in competing with Snapchat. Facebook dubbed this "Project Ghostbusters," obviously alluding to the spectral appearance of Snapchat's emblem.
Tuesday saw the release of further records by a federal court in California related to the class action lawsuit that customers are bringing against Meta, the parent corporation of Facebook.
According to the recently disclosed documents, Meta attempted to outperform its rivals—Snapchat, YouTube, and eventually Amazon and YouTube—by monitoring user behavior on their networks and examining network data. Because these applications utilize encryption, Facebook has to create unique technologies in order to circumvent it.
Project Ghostbusters at Facebook is described in one of the documents. The initiative was a component of the business's In-App Action Panel (IAPP) program, according to the paper the customers' attorneys filed. This program employed a method for "intercepting and decrypting" encrypted app traffic from users of Snapchat, and later from users of YouTube and Amazon.
Internal Facebook communications addressing the project are included in the dossier.
"When someone inquires about Snapchat, the typical response is that we don't have any analytics about them due to their encrypted traffic," said Mark Zuckerberg, the CEO of Meta, in an email dated June 9, 2016, which was made public as part of the case. "It seems important to figure out a new way to get trustworthy analytics about them, given how quickly they're growing." Maybe we should create panels or design our own program. You ought to work out how to accomplish this.
Utilizing Onavo, a VPN-like service that Facebook purchased in 2013, was the developers' option. Facebook closed down Onavo in 2019 after learning via a TechCrunch investigation that the firm had been paying kids in secret to use the app so it could access all of their online behavior.
Following Zuckerberg's email, the Onavo team took up the project and, a month later, put forth a solution: kits, which are installed on iOS and Android devices and intercept traffic for particular subdomains, can be used to measure in-app usage by "allowing us to read what would otherwise be encrypted traffic," according to an email from July 2016. "This strategy is known as'man-in-the-middle'."
Hackers use a man-in-the-middle assault, also known as an adversary-in-the-middle attack, to intercept internet communication as it travels across a network from one device to another. This kind of attack enables hackers to access data, including usernames, passwords, and other in-app behavior, when network traffic is not secured.
This network analysis method was not going to function with Snapchat since the app and its servers encrypted the data. For this reason, the engineers at Facebook suggested utilizing Onavo, which, when turned on, had the benefit of being able to see all network activity on the device before it was encrypted and transmitted online.
Another email stated, "Parsing snapchat [sic] analytics collected from incentivized participants in Onavo's research program, we now have the capability to measure detailed in-app activity."
Afterwards, Facebook extended the initiative to include YouTube and Amazon, according to court records.
There was disagreement inside Facebook on the merits of Project Ghostbusters. A few staff members voiced their concerns, including Pedro Canahuati, the head of security engineering at the time, and Jay Parikh, the head of infrastructure engineering at Facebook.
"I am at a loss as to how this can be justified. Whatever public approval we receive, no security professional is ever at ease with this. In an email that was included in the court filings, Canahuati stated, "The general public just doesn't know how this stuff works."
Maximilian Klein and Sarah Grabert sued Facebook as part of a class action lawsuit in 2020, alleging that the corporation had misled investors about its data gathering practices and had "deceptively extracted" user data in order to discover rival businesses and then unfairly compete with them.
Leave a Comment