Don't run a VPN from a company whose entire business model is knowing everything about you and what you do online.
dehrmann · 38m ago
> Onavo Protect Android app, which had over 10 million Android installations, contained code to prompt the user to install a CA (certificate authority) certificate issued by "Facebook Research" in the user trust store of the device. This certificate was required for Facebook to decrypt TLS traffic.
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
drraah · 53m ago
How is it not a criminal offence to impersonate a different company to decrypt customer data?
kiawe · 19m ago
It is, but they bribe the people who police this
dboreham · 22m ago
What is criminal depends on how much money you have.
xrayarx · 5h ago
Quote:
A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
nottorp · 3h ago
If this is true, why is this a civil lawsuit? Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
benmmurphy · 2h ago
I assume because there was no actual hacking. I'm guessing users consented to this. As a user I should be able to view all traffic from my device and also give other third parties permission to view all traffic on my device. If I can't do this, is it really my device? It's not too much different from what Nielsen was doing when they installed boxes in people's homes to record what TV shows they were watching.
gruez · 2h ago
>Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
Because there's probably some clause buried in the ToS that gives them the right to do this, so it would not count as "exceeds authorized access" under the CFAA.
edit: it's not even buried. there's a screen that specifically says "facebook uses aggregated onavo data for market and business analytics"
salawat · 1h ago
So... Where was the negotiation step where there was the option to do VPN'ry without the surveillance? Take it or leave it license agreements in my opinion violate meeting-of-the-minds, and our legal system has just cut a pass for the last half a century to one sided take it or leave it levels of exploitative entering into contracts at scale. Not one company, in particular, tech companies, have a legal pipeline that can support redlining a contract or facilitating negotiation at scale which is the actual desired incarnation of contract law as a tool of mutual empowerment through agreements. We need to seriously hold our system to account for building only the accept as-is part of the pipeline, but not the negotiation side of the pipeline.
Make no mistake either, as that was an intentional decision to chase growth in the interests of becoming TBTF. We need to clamp down and make it clear, big mofos do not get to call unilateral shots and that it is not acceptable for terms to be dictated only in one direction. Yes, this complicates the hell out of business logic, but ya know what, the ones who have TBTF'd have drank of the waters of economies of scale to get the sweet draught, it's about damn time they got the bitters too.
gruez · 1h ago
>Take it or leave it license agreements in my opinion violate meeting-of-the-minds, and our legal system has just cut a pass for the last half a century to one sided take it or leave it levels of exploitative entering into contracts at scale.
I might be sympathetic to this if this was some essential service with strong network effects such that there's no alternative (eg. facebook or whatsapp), but that's not the case here. This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
salawat · 8m ago
>This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
You mean like a loud ass bell rings? Point out to me a single piece of software utilizing a EULA that supports individual redlining and renegotiation on a user by user basis, with a feedback loop tight enough to be reasonable. I'll wait. The point is there might be the illusion of user choice there, but when the overarching legal framework operates in unity in a take it or leave it fashion, with no escape hatch, every business model behaves the same. No one builds the business willing to charge for contractual dumb pipe, because everyone is just dumping anyone else who won't take the default terms. The entire architecture of our networked world has turned into building machines through which everyone gives up every right and civil protection through a goddamn click, nevermind the fact Third Party Doctrine in this age has completely dismantled the 4th Amendment by extension.
pjc50 · 50m ago
Just like AI companies are allowed to do the piracy that Aaron Schwartz was going to be jailed for, Facebook are too big to prosecute for hacking.
Arnt · 2h ago
You can file a civil lawsuit. You may or may not be able to persuade the prosecutor to file a criminal case.
The video near the middle of the page shows fairly clearly what they did, with accurate and understandable descriptions of shady behaviour. I think a capable prosecutor might regard it as difficult to prove that behaviour illegal. Shady, sure, but in dubio pro so why even prosecute.
So that leaves a civil lawsuit. There's no need to persuade a prosecutor for a civil lawsuit, and the balance of evidence counts, there's no in dubio pro.
yubblegum · 3h ago
Because: $random_kid is not running an outsourced surveillance service for the security state.
DrillShopper · 2h ago
Because Facebook is key to their online surveillance, so Facebook making itself better is making itself more effective to the state surveillance apparatus
I don't see what the big deal is. SSL MITM is CloudFlare's whole business model.
vaylian · 2h ago
Care to elaborate? How do they make money?
tom1337 · 1h ago
While OP is a bit hyperbolic here CloudFlare essentially is a Man In The Mittle. They serve your content via a CDN and cache it around the globe. If you use cloudflare, the SSL terminates at their servers, meaning that (theoretically) they could read al contents send via their network. While yes, you can put on you tinfoil hat and say that this is an central intelligences dream to have such a global man in the middle proxy there are no fact based reports that undermine cloudflare abusing their position.
They mostly make their money by selling you better services on their CDN such as image scaling etc.
encom · 1h ago
Hyperbole is my middle name, but I just find it repulsive that CloudFlare breaks the chain of trust, and somehow everybody is just okay with that. I'm not saying it makes HTTPS pointless, but we've moved from end-to-end encryption to trust-me-bro. Is CloudFlare malicious? Probably not - at least not right now. But I think my browser should warn me that my connection is not E2E secure, because it's not.
devmor · 2h ago
Is CloudFlare datamining that traffic to build intelligence profiles on its users and for anti-competitive business practices?
Is CloudFlare hiding that they are a terminating proxy and pretending to be a VPN for the purposes of spying on users?
The big deal isn't the technical aspect, it's what it was used for and how it was used.
xrayarx · 5h ago
TFA is from 2024, so the title is wrong
tomhow · 3h ago
Updated, thanks!
hopelite · 3h ago
On a side, but related note; all our societies need to reevaluate the corporate protections from personal liability when the activities breach the articles of incorporation, the so called veil; barring demonstrated accident or mistake.
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination, has approaching zero power, bu the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
Zak · 3h ago
I'm for more personal liability, but corporate higher-ups are pretty good at communicating their illegal desires to subordinates without saying the illegal part out loud.
I think the corporate death penalty is underused. Being in leadership when a corporation is dissolved for committing crimes is probably bad for one's future employment prospects.
Could it be that the problem is actually prosecutorial discretion?
In Sweden we have something called an absolute duty to prosecute, which means that for most crimes, if there's evidence and enough to get a conviction, the prosecutor has an actual absolutely duty to prosecute.
So if this had happened here, I could report this to the police as 'unapproved intelligence activity against a person' and the prosecutor would have to, provided that there's enough evidence, prosecute the person for this.
Prosecutors here do have a love of dismissing things due to lack of evidence though.
phendrenad2 · 3h ago
I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data. And yet, he's walking free. Do we think he's reformed? Or is he probably going to do the same thing again as soon as he gets the chance, knowing that he got away with it once before?
gruez · 2h ago
>I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data.
No, Zuckerberg said to "get reliable analytics" and that maybe they need to "do panels or write custom software". The subsequent emails of "hey I made an app that does MITM on snapchat" did not involve Zuckerberg.
stackskipton · 2h ago
Or it did involve Zuckerberg and his team and him were smart enough not to put in email/chat.
gruez · 2h ago
1. regardless of whether zuckerberg was actually involved or not, the evidence presented so far isn't a "smoking gun".
2. they're apparently smart enough to not put it down on email, but apparently Ferrante (a Director of Data Science, according to a hardvard site) was too dumb and wrote a email that said "yep, we made an app that does MITM attacks on snapchat"?
dkdcio · 1h ago
"Will no one rid me of this troublesome data encryption?"
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
Because there's probably some clause buried in the ToS that gives them the right to do this, so it would not count as "exceeds authorized access" under the CFAA.
edit: it's not even buried. there's a screen that specifically says "facebook uses aggregated onavo data for market and business analytics"
Make no mistake either, as that was an intentional decision to chase growth in the interests of becoming TBTF. We need to clamp down and make it clear, big mofos do not get to call unilateral shots and that it is not acceptable for terms to be dictated only in one direction. Yes, this complicates the hell out of business logic, but ya know what, the ones who have TBTF'd have drank of the waters of economies of scale to get the sweet draught, it's about damn time they got the bitters too.
I might be sympathetic to this if this was some essential service with strong network effects such that there's no alternative (eg. facebook or whatsapp), but that's not the case here. This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
You mean like a loud ass bell rings? Point out to me a single piece of software utilizing a EULA that supports individual redlining and renegotiation on a user by user basis, with a feedback loop tight enough to be reasonable. I'll wait. The point is there might be the illusion of user choice there, but when the overarching legal framework operates in unity in a take it or leave it fashion, with no escape hatch, every business model behaves the same. No one builds the business willing to charge for contractual dumb pipe, because everyone is just dumping anyone else who won't take the default terms. The entire architecture of our networked world has turned into building machines through which everyone gives up every right and civil protection through a goddamn click, nevermind the fact Third Party Doctrine in this age has completely dismantled the 4th Amendment by extension.
The video near the middle of the page shows fairly clearly what they did, with accurate and understandable descriptions of shady behaviour. I think a capable prosecutor might regard it as difficult to prove that behaviour illegal. Shady, sure, but in dubio pro so why even prosecute.
So that leaves a civil lawsuit. There's no need to persuade a prosecutor for a civil lawsuit, and the balance of evidence counts, there's no in dubio pro.
https://news.ycombinator.com/item?id=41090304
They mostly make their money by selling you better services on their CDN such as image scaling etc.
Is CloudFlare hiding that they are a terminating proxy and pretending to be a VPN for the purposes of spying on users?
The big deal isn't the technical aspect, it's what it was used for and how it was used.
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination, has approaching zero power, bu the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
I think the corporate death penalty is underused. Being in leadership when a corporation is dissolved for committing crimes is probably bad for one's future employment prospects.
https://law.stackexchange.com/questions/60509/what-is-the-th...
In Sweden we have something called an absolute duty to prosecute, which means that for most crimes, if there's evidence and enough to get a conviction, the prosecutor has an actual absolutely duty to prosecute.
So if this had happened here, I could report this to the police as 'unapproved intelligence activity against a person' and the prosecutor would have to, provided that there's enough evidence, prosecute the person for this.
Prosecutors here do have a love of dismissing things due to lack of evidence though.
No, Zuckerberg said to "get reliable analytics" and that maybe they need to "do panels or write custom software". The subsequent emails of "hey I made an app that does MITM on snapchat" did not involve Zuckerberg.
2. they're apparently smart enough to not put it down on email, but apparently Ferrante (a Director of Data Science, according to a hardvard site) was too dumb and wrote a email that said "yep, we made an app that does MITM attacks on snapchat"?