A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
On a side, but related note; all our societies need to reevaluate the corporate protections from personal liability when the activities breach the articles of incorporation, the so called veil; barring demonstrated accident or mistake.
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination, has approaching zero power, bu the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
> Onavo Protect Android app, which had over 10 million Android installations, contained code to prompt the user to install a CA (certificate authority) certificate issued by "Facebook Research" in the user trust store of the device. This certificate was required for Facebook to decrypt TLS traffic.
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
Just keep in mind that Meta has not changed a bit since then.
This is from two months ago, when it was found that their Android app listens on a localhost port in order to send identifiers from webpages to their app via WebRTC so that they can still track users.
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
I wonder how it feels to be an engineer at Meta. Do you leave your conscience at the door when you start the workday? Make no mistake, if this company pays your salary, you are an accomplice no matter if you personally did take part in it. How do you look yourself in the eyes?
14 comments
[ 3.5 ms ] story [ 30.7 ms ] threadA technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
https://news.ycombinator.com/item?id=41090304
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination, has approaching zero power, bu the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
But when Zuckerberg did it at an industrial scale, he was just "training his AI model", which made it just fine.
Same thing here.
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
This is from two months ago, when it was found that their Android app listens on a localhost port in order to send identifiers from webpages to their app via WebRTC so that they can still track users.
Covert web-to-app tracking via localhost on Android - https://news.ycombinator.com/item?id=44169115
Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
That combined with people whoa are more into the technical challenge of it and won't be thinking about the moral implications.