Facebook's Onavo VPN used to wiretap competitor data, court filings reveal

Mark Zuckerberg, CEO of Meta, is sworn in to the Senate Judiciary Committee hearing titled "Big Tech and the Online Child Sexual Exploitation Crisis," in Dirksen building on Wednesday, January 31, 2024.
(Image credit: Tom Williams/CQ-Roll Call, Inc via Getty Images)

Facebook used its Onavo VPN to intercept its users' traffic to Snapchat and other competitors' apps without lawful authorization, newly unsealed court filings reveal.

So-called Project Ghostbusters, a nod to Snapchat's ghost logo, appears to have been only the beginning of the wider In App Action Panel (IAAP) program, which aimed to analyze competitors' traffic to gain a commercial advantage. It is thought to have run between June 2016 and approximately May 2019, with YouTube and Amazon as the next targets.

Meta, Facebook's parent company, used its controversial VPN service to intercept and decrypt the traffic between Onavo users' devices and competitors' servers. The company shut down Onavo in 2019, following a TechCrunch investigation that revealed the spyware-like VPN software had been used in a research project to collect sensitive data from paid volunteers aged between 13 and 25.

Facebook's new tracking revelations

"Facebook’s IAAP program conduct was not merely anticompetitive, but criminal," read the filings unsealed on March 26, 2024, in a federal court in California as part of the class action lawsuit between consumers and Meta.

It all began in June 2016, when Mark Zuckerberg, founder and CEO of Meta, asked his team to "figure out a new way to get reliable analytics" on Snapchat's encrypted traffic as the platform was gaining traction in the market.

The Onavo team came up with a solution about a month later: they would use a technique known as "SSL man-in-the-middle" to decrypt Snapchat's TLS-protected traffic and feed the results into Meta's business decision-making. A man-in-the-middle attack is a common tactic in which the attacker positions itself between a user (here, Facebook's own VPN users) and the service they are talking to, terminating the encrypted connection on each side so that the traffic passes through in the clear. Because a VPN client already sits in the path of every connection the device makes, it is ideally placed to do exactly this.

The approach evidently worked well enough that it was later extended to other Facebook rivals, namely YouTube from 2017 and Amazon from 2018.


According to the court documents, Facebook’s lawyers were "near-constantly involved in the design, deployment, and expansion" of the company’s IAAP program.

However, as TechCrunch reported, not everyone at Facebook was eager to cross this line. The then-head of security engineering, Pedro Canahuati, voiced his concerns about the practice. "I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works," he wrote in an email.

Plaintiffs Sarah Grabert and Maximilian Klein filed the ongoing lawsuit against Facebook in 2020, accusing the company of lying about its data collection practices and deceptively extracting data from users to compete unfairly against new rivals in the market.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com