'Project Ghostbusters' or how Facebook would have spied on Snapchat users

An email from Mark Zuckerberg pushing to analyze Snapchat’s encrypted traffic, emails from senior Facebook executives, and the security manager’s objections. All this appears in the documents that detail how the company would have used cyberespionage techniques to track user behavior in its rival application.

The emails were made public following a lawsuit filed by a group of advertisers against Meta. They accuse the company of trying to monopolize the advertising market on social networks between 2016 and 2019. The email exchange begins in June 2016. At that time Snapchat had momentum and briefly became the hottest app. In the first six months of that year it went from having around 110 million users to 148 million. Meanwhile, Facebook was losing steam with the new generations and Instagram was in danger of becoming stuck as a photography app. Then, in August, it launched Instagram Stories, a carbon copy of Snapchat Stories. Its good reception among users turned the tables.

This is just the market context. What the documents reveal is the creation of a project, called IAAP and nicknamed Ghostbusters in clear reference to the Snapchat logo. The objective was to analyze the traffic of this application using a kit integrated into the Facebook app itself, which users installed on their devices, and which served to collect information about their digital activity in other applications.

“This kit gave Facebook the ability for all traffic that came from those phones to end up on a server controlled by Facebook,” explains Juan Tapiador, professor in the Department of Computer Science at the Carlos III University and specialist in cybersecurity. “In theory, what they did was see if the traffic was from Snapchat and, if so, they looked at a series of analytics about how users controlled the app.”

The documents present a complex monitoring scheme that uses cyberespionage techniques. The project was based on technology from Onavo, a VPN (virtual private network) application acquired by Facebook in 2013. Deepak Daswani, a cybersecurity and hacking consultant, points out that user traffic would have passed through servers that acted as intermediaries. “Conceptually, this would be a ‘man-in-the-middle’ attack, because the VPN service is placed in the middle of the traffic between the user and Snapchat. And it can decipher a certain amount of information,” he says.

Mission: intercept and decrypt user traffic

The documents reconstruct how Facebook would have set up its Ghostbusters project to intercept user traffic to certain websites. Besides Snapchat, the behavior of YouTube and Amazon users would also have been analyzed. The company would have offered incentives to some users to install a modified Facebook application. Those users gave their consent for the app to collect their data.

The initiative is based on an email sent by Mark Zuckerberg, CEO of Facebook, on June 9, 2016. In it he alluded to the lack of analytical data about Snapchat because its traffic was encrypted. “Given how quickly they are growing, it seems important to think of a new way to obtain analytical information about them. Maybe we need to make user panels or program specific software. You must think about how to do it,” Zuckerberg wrote in an email to three senior managers.

An email exchange discusses the difficulty of obtaining the technology necessary to observe Snapchat’s encrypted traffic. And there is speculation that it would possibly require “legal approval.” However, the Onavo VPN team within Facebook got to work on it and came up with a solution that the company deployed for three years, according to published documents.

There were objections at the highest levels. The documentation quotes Pedro Canahuati, who was then vice president of Engineering, Security and Privacy: “I can’t think of any valid argument to justify that this is okay. No one working in cybersecurity will ever feel comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this works.”

It is not an intuitive scheme, of course. When a device connects to a website, the site's certificate must be signed by a certification authority that the browser or application in use trusts. It is the only way for a device to know that it is connecting to the authentic site and that there is no impersonation. However, the kit included in the modified Facebook application subverted this process.

Tapiador sheds some light on how the process worked. “If you connect to a web page and that web page is signed by a ‘certification authority’, you automatically trust it. And you know that you are connecting to snapchat.com or elpais.com. When you installed the Facebook application, what they did was install Facebook’s own internal certification authority.”

In this way, Facebook’s certificate authority told the device to trust that the user was connecting to Snapchat. However, what happened is that the user’s traffic went to Facebook’s servers first, for analysis.

Daswani highlights the importance of VPN technology to achieve this information tracking: “Facebook, if it is a VPN provider, can see all my traffic that goes through the VPN, my traffic that goes to Twitter, to Facebook, to WhatsApp and to another provider. With this Onavo application, what they did was access the network traffic and analyze it.”

All this traffic was encrypted. That is, a third party outside the exchange could not have simply read it. But Facebook was no longer really a third party. In traffic encryption, the keys that protect information are generated jointly by the two ends between which the data travels: the application and the destination server. And here the destination server was Facebook’s, which took part in the key generation process and, with those keys, could decrypt the traffic.

Tapiador explains that the traffic did not go directly from the user to Snapchat. “What happens is that they then do what is called a transparent proxy. They take the traffic, open it, look at it and, from that server, they connect to Snapchat pretending it’s you,” he explains. In this way, users can see the result of their activity: if they touch an image it opens, if they scroll the screen moves. “But in the middle there is someone who has opened the envelope, read what is inside, put it back in another envelope and sent it to its destination.”
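The trust decision described above can be reproduced in a local lab. This is an added example, not code from the case documents or from Facebook: the CA names, the host `service.example` and the `verdict` helper are constructed, and it assumes the `openssl` command-line tool is installed. It goes one step beyond the article by adding a public-key pin check, which still notices the substituted certificate after the extra root has been trusted.

```shell
#!/usr/bin/env bash
# Lab model of the trust decision described above. Every name, key and
# certificate is constructed locally; "service.example" is a placeholder host.
set -eu
LAB=$(mktemp -d)

make_ca() {            # make_ca NAME: self-signed root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

issue_leaf() {         # issue_leaf CA NAME HOST: server cert for HOST signed by CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 1 -out "$LAB/$2.crt" 2>/dev/null
}

spki_pin() {           # spki_pin NAME: base64 SHA-256 of the cert's public key
  openssl x509 -in "$LAB/$1.crt" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# verdict STORE NAME PIN: what a client concludes about certificate NAME
verdict() {
  if ! openssl verify -CAfile "$LAB/$1" "$LAB/$2.crt" >/dev/null 2>&1; then
    echo "rejected: no trusted issuer"
  elif [ "$(spki_pin "$2")" != "$3" ]; then
    echo "chain valid, pin mismatch"
  else
    echo "chain valid, pin matches"
  fi
}

make_ca preinstalled-root                                # shipped with the device
make_ca added-root                                       # installed later by an app
issue_leaf preinstalled-root genuine service.example     # the real server
issue_leaf added-root proxy service.example              # the intermediary server
cp "$LAB/preinstalled-root.crt" "$LAB/stock.pem"         # unmodified trust store
cat "$LAB/preinstalled-root.crt" "$LAB/added-root.crt" > "$LAB/modified.pem"
PIN=$(spki_pin genuine)          # pin an app vendor would ship for its own server

echo "stock store,    genuine: $(verdict stock.pem genuine "$PIN")"
echo "stock store,    proxy:   $(verdict stock.pem proxy "$PIN")"
echo "modified store, proxy:   $(verdict modified.pem proxy "$PIN")"
```

On a device whose trust store is unmodified, the intermediary's certificate is rejected outright; once the extra root is present, ordinary chain validation passes and only the pin comparison shows that the key belongs to someone else.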

In a letter sent to the judge investigating the case, Meta – Facebook, as a company, changed its name in 2021 – refutes that the software mentioned in the documents is linked to a possible monopoly, which is, it should be remembered, the subject of the lawsuit. It also indicates that users of the modified Facebook application (“Facebook Research App”) consented to giving their browsing data to the company. “There is nothing new here. This matter was reported years ago. The plaintiffs’ allegations are unfounded and completely irrelevant to the case,” said a Meta spokesperson in statements to this newspaper.

According to the case documents, a team of senior managers and around 41 lawyers worked on the Ghostbusters project.

By Editor
