TechRadar
Chiara Castro

Facebook's Onavo VPN used to wiretap competitor data, court filings reveal

Mark Zuckerberg, CEO of Meta, is sworn in to the Senate Judiciary Committee hearing titled "Big Tech and the Online Child Sexual Exploitation Crisis," in Dirksen building on Wednesday, January 31, 2024.

Facebook used its Onavo VPN system to illegally track its users when they accessed Snapchat and other competitors' apps, newly unsealed court filings reveal.

So-called Project Ghostbusters—echoing the iconic rival's logo—appears to have been just the beginning of the wider In App Action Panel (IAAP) program which aimed to spy on competitors' traffic to gain commercial advantage. It's thought to have run between June 2016 and approximately May 2019, with YouTube and Amazon being the next targets.

Meta, Facebook's parent company, employed its controversial VPN service as a way to intercept and decrypt the traffic between the people accessing its service and competitors' servers. The company shut down Onavo in 2019, following a TechCrunch investigation revealing the spyware-like VPN software was employed in a research project to collect sensitive user data from paid volunteers aged between 13 and 25.

Facebook's new tracking revelations

"Facebook’s IAAP program conduct was not merely anticompetitive, but criminal," read the filings revealed on March 26, 2024, by a federal court in California during the class action lawsuit between consumers and Meta.

Everything kicked off in June 2016 when Mark Zuckerberg, founder and CEO at Meta, asked his team to "figure out a new way to get reliable analytics" into Snapchat's encrypted data as the platform was starting to get more traction in the market.

The Onavo team took things into their own hands, coming up with a solution about a month later. They would use a method known as "SSL man-in-the-middle" to decrypt Snapchat's protected traffic to inform Meta's business decision-making. Man-in-the-middle is a popular cyberattack tactic in which perpetrators position themselves between a user (in this case, Facebook users) and a given application.

It looks like the solution was so successful that it was later applied on a larger scale against other Facebook rivals, namely YouTube and Amazon, starting in 2017 and 2018 respectively.

According to the court documents, Facebook’s lawyers were "near-constantly involved in the design, deployment, and expansion" of the company’s IAAP program.

However, as TechCrunch reported, not everyone working at Facebook was eager to cross this red line. For instance, the then-head of security engineering Pedro Canahuati expressed his concerns over the practice. "I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works," he wrote in an email.

Plaintiffs Sarah Grabert and Maximilian Klein filed the ongoing lawsuit against Facebook in 2020, accusing the company of lying about its data collection practices and deceptively extracting data from users to unfairly compete against new rivals in the market. 
