Good morning, executive summary: «No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn't know how this stuff works.»
https://arstechnica.com/tech-policy/2024/03/facebook-secretly-spied-on-snapchat-usage-to-confuse-advertisers-court-docs-say/
«Facebook secretly spied on Snapchat usage to confuse advertisers, court docs say»

--8<---------------cut here---------------start------------->8---

[Ashley Belanger] - Mar 27, 2024 8:25 pm UTC

Unsealed court documents have revealed more details about a secret Facebook project initially called "Ghostbusters," designed to sneakily access encrypted Snapchat usage data to give Facebook a leg up on its rival, just when Snapchat was experiencing rapid growth in 2016.

The documents were filed in a class-action lawsuit from consumers and advertisers, accusing Meta of anticompetitive behavior that blocks rivals from competing in the social media ads market.

"Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted, we have no analytics about them," Facebook CEO Mark Zuckerberg (who has since rebranded his company as Meta) [wrote] in a 2016 email to Javier Olivan.

[...]

At the time, Olivan was Facebook's head of growth, but now he's Meta's chief operating officer. He responded to Zuckerberg's email saying that he would have the team from Onavo—a [controversial traffic-analysis app] acquired by Facebook in 2013—look into it.

[...]

What the Onavo team eventually came up with was a project internally known as "Ghostbusters," an obvious reference to Snapchat's logo featuring a white ghost. Later, as the project grew to include other Facebook rivals, including YouTube and Amazon, the project was called the "In-App Action Panel" (IAAP).

[...]

In an email to Olivan, the Onavo team described the "technical solution" devised to help Zuckerberg figure out how to get reliable analytics about Snapchat users. It worked by "develop[ing] 'kits' that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage," the Onavo team [said].

Olivan was told that these so-called "kits" used a "man-in-the-middle" attack typically employed by hackers to secretly intercept data passed between two parties. Users were recruited by third parties who distributed the kits "under their own branding" so that they wouldn't connect the kits to Onavo unless they used a specialized tool like Wireshark to analyze the kits.

TechCrunch [reported] in 2019 that sometimes teens were paid to install these kits. After that report, Facebook promptly shut down the project.

This "man-in-the-middle" tactic, consumers and advertisers suing Meta have alleged, "was not merely anticompetitive, but criminal," seemingly violating the Wiretap Act. It was used to snoop on Snapchat starting in 2016, on YouTube from 2017 to 2018, and on Amazon in 2018, relying on creating "fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook's strategic analysis."

Ars could not reach Snapchat, Google, or Amazon for comment.

[wrote] <https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.736.0.pdf>

[controversial traffic-analysis app] <https://arstechnica.com/tech-policy/2019/02/facebook-pulls-its-privacy-invading-vpn-app-from-google-play-store/>

[noted] <https://www.fool.com/investing/2019/12/12/instagram-stories-already-generates-10-of-facebook.aspx>

[said] <https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf>

[reported] <https://techcrunch.com/2019/01/29/facebook-project-atlas/>

Facebook allegedly sought to confuse advertisers
─────────────────────────────────────────────────

Not everyone at Facebook supported the IAAP program. "The company's highest-level engineering executives thought the IAAP Program was a legal, technical, and security nightmare," another [court document] said.

Pedro Canahuati, then-head of security engineering, warned that incentivizing users to install the kits did not necessarily mean that users understood what they were consenting to.

"I can't think of a good argument for why this is okay," Canahuati said. "No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn't know how this stuff works."

Mike Schroepfer, then-chief technology officer, argued that Facebook wouldn't want rivals to employ a similar program analyzing their encrypted user data.

"If we ever found out that someone had figured out a way to break encryption on [WhatsApp] we would be really upset," Schroepfer said.

[...]

[According to Business Insider], advertisers suing said that Meta never disclosed its use of Onavo "kits" to "intercept rivals' analytics traffic." This is seemingly relevant to their case alleging anticompetitive behavior in the social media ads market, because Facebook's conduct, allegedly breaking wiretapping laws, afforded Facebook an opportunity to raise its ad rates "beyond what it could have charged in a competitive market."

Since the documents were unsealed, Meta has responded with a [court filing] that said: "Snapchat's own witness on advertising confirmed that Snap cannot 'identify a single ad sale that [it] lost from Meta's use of user research products,' does not know whether other competitors collected similar information, and does not know whether any of Meta's research provided Meta with a competitive advantage."

This conflicts with testimony from a Snapchat executive, who alleged that the project "hamper[ed] Snap's ability to sell ads" by [causing] "advertisers to not have a clear narrative differentiating Snapchat from Facebook and Instagram." Both internally and externally, "the intelligence Meta gleaned from this project was described" as "devastating to Snapchat's ads business," a [court filing] said.

[court document] <https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.743.0.pdf>

[According to Business Insider] <https://www.businessinsider.com/mark-zuckerberg-facebook-execs-decrypt-rival-apps-usage-snap-youtube-2024-3>

[court filing] <https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.749.0.pdf>

[causing] <https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.736.0.pdf>

[court filing] <https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.741.0_1.pdf>

--8<---------------cut here---------------end--------------->8---

All the details here:
https://ia802908.us.archive.org/29/items/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

Regards, 380°

--
380° (Giovanni Biscuolo public alter ego)

«We, incompetent as we are, have no standing to suggest anything»

Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>.
_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa