Facebook may have exploited user devices to spy on competitors, documents show

In 2016, Facebook launched a secret project to acquire, decrypt, transfer, and use private, encrypted in-app analytics from Snapchat, YouTube, and Amazon, according to a new set of unsealed court documents. The Mark Zuckerberg-owned tech empire discussed paying teenagers to install “kits” on their devices, according to plaintiffs.

Facebook was caught using a cyberattack method, “SSL man-in-the-middle,” to intercept and decrypt Snapchat, YouTube, and Amazon encrypted analytics traffic.

Codenamed “Ghostbusters,” the project aimed at intercepting rivals’ encrypted app traffic for analytics despite some internal dissent. This practice is likely in violation of wiretapping laws and “potentially criminal,” advertisers suing Meta claim.

Facebook developed custom technology, so-called “kits,” on both Android and iOS devices that impersonated official servers and decrypted traffic Facebook wasn't authorized to access. The data allowed Facebook to plan competitive moves against Snapchat and other companies.

“We developed “kits” that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage (i.e., specific actions that people are performing in the app, rather than just overall app visitation). This is a “man-in-the-middle” approach,” the internal email made public in the court document reads.

The plan was also detailed: recruit panelists via third parties and distribute the “kits” under their own branding. Users couldn’t detect the secret kits unless they used a specialized tool like Wireshark.

Facebook’s so-called In-App Action Panel (“IAAP”) program existed between June 2016 and approximately May 2019.

“There is nothing new here – this issue was reported on years ago. The plaintiffs’ claims are baseless and completely irrelevant to the case,” a Meta spokesperson told Cybernews.

Meta has since responded to the plaintiffs' filing in their own court filing on Tuesday.

“Snapchat’s own 30(b)(6) witness on advertising confirmed that Snap cannot “identify a single ad sale that [it] lost from Meta’s use of user research products,” does not know whether other competitors collected similar information, and does not know whether any of Meta’s research provided Meta with a competitive advantage,” Meta claims.

Zuckerberg’s involvement

According to advertisers suing Meta, the secret program was launched at the request of Mark Zuckerberg. Zuckerberg’s quotes from the internal emails to top executives in June 2016 reveal that he was worried about the quick growth of Snapchat. Facebook did not have analytics about the competitor because its traffic was encrypted.

Zuckerberg said it seemed important to “figure out a new way to get reliable analytics about them” through panels or custom software, “given how quickly they’re growing.”


Javier Olivan, who is now Facebook’s chief operating officer, agreed and tasked Onavo, a VPN-like service that Meta acquired in 2013, with “out of the box thinking” on this “really important” task.

Olivan suggested potentially paying users to let them “install a really heavy piece of software (that could even do man in the middle, etc.).”

By mid-June 2016, the Onavo team created a “Ghostbusters project” kickoff presentation, referencing Snapchat's ghost logo.

“Documents and testimony show that this “man-in-the-middle” approach – which relied on a technology known as a server-side SSL bump performed on Facebook’s Onavo servers – was in fact implemented, at scale, between June 2016 and early 2019,” plaintiffs claim.


The spyware capable of acquiring, decrypting, and transferring the data was allegedly deployed against YouTube in 2017-2018 and against Amazon in 2018.

The code included a client-side “kit” that installed a root certificate on Snapchat users’ mobile devices. Server-side code allegedly used Facebook's servers to create fake digital certificates to impersonate the apps’ trusted analytics servers in order to redirect and decrypt the analytics traffic for Facebook's own analysis.
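The mechanism in the paragraph above, a root certificate added to the device plus server-side certificates re-issued for the analytics host, passes ordinary chain validation and is the case certificate pinning is designed to catch. The Go program below is an added example, not code from the court documents or from any company named in the article; the hostname, CA names and the `issue` and `check` helpers are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
const host = "analytics.example.test" // constructed hostname, not from the article

// issue returns a test certificate for cn: a self-signed root when parent is nil, else a leaf (errors ignored for brevity).
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent, signer = tpl, key
	} else {
		tpl.DNSNames = []string{cn}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check reports whether leaf chains to the device trust store, and whether its SPKI hash equals the app's pin.
func check(leaf *x509.Certificate, store *x509.CertPool, pin [32]byte) (chainOK, pinOK bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil, sha256.Sum256(leaf.RawSubjectPublicKeyInfo) == pin
}

func main() {
	realCA, realKey := issue("Public CA (constructed)", nil, nil)
	kitCA, kitKey := issue("User-installed root (constructed)", nil, nil)
	genuine, _ := issue(host, realCA, realKey)
	resigned, _ := issue(host, kitCA, kitKey) // same hostname, different key and issuer
	store := x509.NewCertPool()
	store.AddCert(realCA)
	store.AddCert(kitCA) // models the root certificate added to the device
	pin := sha256.Sum256(genuine.RawSubjectPublicKeyInfo) // pin shipped inside the app
	fmt.Println(check(genuine, store, pin))  // true true
	fmt.Println(check(resigned, store, pin)) // true false
}
```

The second result shows the gap: chain validation alone accepts the re-signed leaf once the extra root is in the trust store, and only the pin comparison rejects it.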

One Facebook strategist stated that Snapchat’s competitive struggles were likely connected to the product efforts they informed via this Onavo analysis.

A Snap executive testified that Facebook's redesigns based on this data hampered the company’s ability to sell ads.

During that time, Facebook introduced Stories on Instagram, a feature effectively identical to Snapchat's core feature of disappearing photo posts, according to Business Insider.

In early 2019, in response to an Apple enforcement action implicating the IAAP conduct, Meta executives engaged in a companywide effort to analyze and describe the program’s risks and rewards to Zuckerberg so that he could personally decide whether to continue, another document reveals.

Facebook’s secret program likely violated the Wiretap Act, which prohibits intentionally intercepting electronic communications and using such intercepted communications. Snapchat did not consent to Facebook intercepting and decrypting its traffic and using it for “tortious purposes.”

Not all Facebook employees supported the Ghostbusters program. Jay Parikh and security engineering head Pedro Canahuati expressed concerns, with the latter stating, “I can't think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public,” NDTV reported.

“The company's highest-level engineering executives thought the IAAP Program was a legal, technical, and security nightmare,” a court document says.

The documents were revealed as part of a class action lawsuit against Facebook in the California federal court. Meta is accused of lying about its data collection activities and exploitation of the data it “deceptively extracted” from users for an unfair fight, TechCrunch reported.

In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.

A man-in-the-middle (MITM) attack is a type of cyber attack in which a threat actor secretly intercepts communication between two parties to eavesdrop on traffic and possibly manipulate the data being transmitted.

Updated on March 27th [01:40 p.m. GMT] with a statement from Meta.

