• just another dev@lemmy.my-box.dev
    link
    fedilink
    English
    arrow-up
    38
    ·
    9 months ago

    What the title and bot don’t mention: They did so by installing spyware on phones of users of a vpn they acquired:

    After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, “allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” read an email from July 2016. “This is a ‘man-in-the-middle’ approach.”

    What’s more:

    Later, according to the court documents, Facebook expanded the program to Amazon and YouTube.

    Obligatory this is why you shouldn’t use a free/cheap vpn.

        • Synnr@sopuli.xyz
          link
          fedilink
          arrow-up
          6
          ·
          9 months ago

          This only works if you don’t want the privacy enhancing aspect of advertisers not tying your activity to an IP address.

          Beyond more safely using open Wi-Fi or bypassing a censoring ISP, there isn’t much reason there.

          • just another dev@lemmy.my-box.dev
            link
            fedilink
            English
            arrow-up
            4
            ·
            9 months ago

            That’s debatable. In my estimation, by using a “service vpn” you’re giving advertisers some other kind of demographic information, namely that you’re the kind of person that pays for a vpn.

            • Synnr@sopuli.xyz
              link
              fedilink
              arrow-up
              3
              ·
              edit-2
              9 months ago

              Is that better or worse than giving advertisers the data point that you’re high-tech knowledgable and browse personal accounts from a server in a datacenter?

              • just another dev@lemmy.my-box.dev
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                9 months ago

                Yeah, that’s why I think it’s debatable. It’s a lot easier to make those decisions on traffic coming from a known vpn ip, versus all vps providers in the world - many of which have corporate uses.

                On the other hand - if you’re smart enough to set up a vpn, you’ll also be smart enough to set up ad blocking, so the point is kinda moot anyway. Plus you’ll be a lot less likely to have your traffic logged opposed to a service vpn.

                • Synnr@sopuli.xyz
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  9 months ago

                  That’s true. I’d only use a VPN service that’s been audited (either by a security company or, preferably, law enforcement) not to keep logs. There are only a small handful of those however. It really all depends on your needs. There are far more VPN services that do log and sell the data, and/or turn your host device into a proxy for other users/services.

  • ULS@lemmy.ml
    link
    fedilink
    arrow-up
    14
    ·
    edit-2
    9 months ago

    People don’t mind that mainstream society is built by abusing them. It’s not for us, it’s for them. This isn’t freedom?

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    6
    ·
    9 months ago

    This is the best summary I could come up with:


    In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers.

    On Tuesday, a federal court in California released new documents discovered as part of the class action lawsuit between consumers and Meta, Facebook’s parent company.

    “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit.

    When the network traffic is unencrypted, this type of attack allows the hackers to read the data inside, such as usernames, passwords, and other in-app activity.

    This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.

    “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.


    The original article contains 671 words, the summary contains 175 words. Saved 74%. I’m a bot and I’m open source!

  • 7eter@feddit.de
    link
    fedilink
    arrow-up
    6
    ·
    9 months ago

    How does that work?

    Snapchat uses TLS - right?! Did Onavo install a CA? Can every VPN-App do so? Did Snapchat not use certificate pinning?