Date: 2024-04-01

Meta allegedly launched a secret project called “Project Ghostbusters” to intercept data on Snapchat’s network traffic, TechCrunch reported. New documents in a class action lawsuit by consumers against Meta revealed that the project, whose name alludes to Snapchat’s ghost logo, intended to decrypt Snapchat’s encrypted network traffic analytics in a bid to understand user behaviour and compete with Snapchat. Meta later extended this project to Amazon and YouTube, the lawsuit alleged. E-mails between high-level executives, presented as evidence in the lawsuit, revealed that Meta created apps that could be installed on iOS and Android to measure in-app usage. Furthermore, Meta paid users, some of them teenagers, to install this app on their devices to access Snapchat’s traffic analytics.

What was Project Ghostbusters?

An e-mail by Meta chief executive Mark Zuckerberg dated June 9, 2016, said “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”



As Zuckerberg noted, Snapchat’s in-app analytics, the information about when, how, and what specifically Snapchat users were doing, were encrypted and sent to Snapchat’s secure analytics server. The lawsuit notes the importance of this, calling it the “secret sauce” behind Snapchat’s engagement and differentiating features. Thus, in 2016, Meta created an In-App Action Panel (“IAAP”) program. This program aimed to bypass Snapchat’s encryption and get access to the app’s analytics.

An e-mail discussing a “technical solution” created by the panel revealed that they planned to “develop ‘kits’ that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage.” They called this the “‘man-in-the-middle’ approach.” The US National Institute of Standards and Technology defines “man in the middle” as “a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.”

Carrying out this “man-in-the-middle” plan required installing an app on the device that could intercept data from users before it is encrypted. For this, Meta planned to pay users to install the app “Onavo” on their devices.

What were the apps used?

‘Onavo’ is a VPN app acquired by Meta in 2013. The lawsuit stated that an “Onavo Research Taskforce” created custom client- and server-side code based on Onavo’s VPN proxy app and server stack. This meant that by downloading Onavo on their device, users would deploy code on their device that would decrypt secure traffic from the analytics servers of apps like Snapchat and redirect it to Facebook’s servers. Facebook could then use this data for its analytics. Onavo had the ability to decrypt data from Snapchat’s, YouTube’s and Amazon’s analytics servers, the lawsuit revealed. The lawsuit alleges that the code was deployed against Snapchat starting in 2016, then against YouTube in 2017-2018, and eventually against Amazon in 2018. They provided emails from Onavo’s team that revealed this information.

To access this data, Onavo’s team proposed using “incentivized participants in Onavo’s research program.” The lawsuit alleges that Meta solicited and paid Snapchat users, some of them teenagers, to install Onavo on their devices. In this way, the app could gain access to Snapchat’s and later YouTube and Amazon’s servers. In 2017, the Wall Street Journal reported that Facebook was using Onavo to collect data on its competitor Snapchat. Apple also asked Facebook to remove the app from its app store.

However, Facebook introduced a new app called FacebookResearch, which used the same code as Onavo. An investigation by TechCrunch revealed that users ages 13 to 35 were offered up to $20 per month plus referral fees to install the FacebookResearch app on their phones. An email between executives at Meta confirms this. The emails discuss the criticism Meta received for the apps and in doing so also reveal their functioning.

Meta shut down Onavo in 2019, after acquiring it in 2013 for $200 million, which helped it to own WhatsApp. The lawsuit states that a document titled “IAAP Technical Analysis” was created by the Onavo team, Meta’s then-CTO, Meta’s then-head of security engineering, and more than 41 different attorneys, and that it presents in “painstaking detail” the history, purpose, and details of the IAAP program that ran from 2016 to 2019.

Pushback from Facebook employees

Notably, not all Facebook employees were on board with the decision to collect data from users. The lawsuit reveals that some employees, including Jay Parikh, Facebook’s then-head of infrastructure engineering, and Pedro Canahuati, the then-head of security engineering, had reservations. They expressed their concern to the team.

“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works,” Canahuati wrote in an email, included in the court documents.

The court documents revealed that Mike Schroepfer, the then-CTO, said: “If we ever found out that someone had figured out a way to break encryption on [WhatsApp] we would be really upset.”

Allegations in the lawsuit

The class action lawsuit was filed in 2020 by Sarah Grabert and Maximilian Klein. It accused Meta of maintaining a monopoly and being anti-competitive by deceptively obtaining intelligence, including information about users.

The lawsuit also submitted evidence to the court, in the form of e-mails that allegedly revealed Meta’s C-suite executives discussing plans to gain access to “valuable analytics” to help “trying to build a clone of Snapchat.” This, they claim, is anti-competitive behaviour. The lawsuit claimed, “In 2016, Meta’s advertising hegemony was threatened by nascent rival Snapchat, which was aggressively expanding its advertising business ahead of a 2017 IPO. To counteract this competitive threat, Zuckerberg obsessively sought to redesign Meta’s products.”

The lawsuit claimed that Meta’s actions are not only anti-competitive but criminal. They accuse Meta of violating the US’s Wiretap Act, which criminalizes “intentionally intercept[ing] . . . any electronic communications.”

Further, they allege that Zuckerberg was aware of the IAAP and Onavo’s actions, dismissing his testimony where he claimed that he had not had the time to read the “IAAP technical analysis” report.

