Meta sued for snooping on Snapchat users

In a revelation stemming from a recently unsealed court document, Meta, formerly Facebook, is being sued by a group of advertisers for its alleged secret project, “Project Ghostbusters,” a moniker seemingly inspired by Snapchat’s ghost logo. This project raises concerns about digital espionage and competition tactics.

The crux of the matter, as outlined in the court filing, revolves around Meta’s In-App Action Panel (IAAP) program, which was active between June 2016 and May 2019. “The IAAP program, launched at the request of Mark Zuckerberg (CEO of Meta), used a cyberattack method called ‘SSL man-in-the-middle’ to intercept and decrypt Snapchat’s — and later YouTube’s and Amazon’s — SSL-protected analytics traffic to inform Facebook’s competitive decision-making.”

This project reportedly began in 2016 when Facebook, under Zuckerberg’s leadership, started intercepting and deciphering data traffic from Snapchat users. The purported aim was to gather insights into user behavior, potentially granting Facebook a competitive edge by accessing sensitive data. The method allegedly involved wiretapping communications between Snapchat users and the app’s servers, raising concerns about the potential impact on Snapchat’s advertising business.

The roots of this accusation trace back to June 9, 2016, when Zuckerberg reportedly communicated with top executives about the lack of “Snapchat analytics” data, prompting urgent action to rectify the situation. Documents presented in court filings reveal discussions among executives and legal counsel regarding potential methods to obtain this data, including the controversial SSL decryption tactic facilitated by Onavo, a company specializing in mobile utility apps acquired by Facebook in 2013.

Meta wrote targeted code based on Onavo tech

In a separate court filing by Facebook advertisers, it’s alleged that by July 2013, Facebook had access to detailed intelligence on 30 million Onavo users. By 2017, Onavo’s mobile apps had been downloaded an estimated 24 million times, with Facebook reportedly collecting and leveraging all the data obtained. Furthermore, by February 2018, Onavo apps had been downloaded 33 million times across both iOS and Android platforms.

In its defense, responding to inquiries from the Committee on the Judiciary and Subcommittee on Antitrust, Commercial and Administrative Law regarding Onavo, Facebook stated in 2019 that the purpose of Onavo was to enhance products and cater better to consumer needs, with data collection based on user consent. The company maintained that Onavo did not collect proprietary competitor data but instead gathered information from users who consented to share their device usage data. Facebook emphasized that such data collection practices are standard in the industry and crucial for product improvement.

However, the latest court documents indicate that Meta’s IAAP program expanded to target encrypted analytics traffic from competitors beyond Snapchat, including YouTube and Amazon. Allegations suggest that Facebook employees developed customized client and server-side code based on Onavo’s VPN proxy app and server stack.

The code included a client-side “kit” that installed a “root” certificate on users’ mobile devices, enabling Facebook to intercept SSL traffic. Additionally, custom server-side code, utilizing an open-source web proxy known as “squid,” was employed to create fake digital certificates. These certificates were used to impersonate trusted analytics servers of Snapchat, YouTube, and Amazon, redirecting and decrypting secure traffic for Facebook’s analysis. As outlined in the court filings, this process underscores Facebook’s strategic and technologically advanced approach to data interception and analysis.
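A certificate forged under a device-installed root passes ordinary chain validation, which is why apps that pin the server's public key catch this kind of interception. The sketch below is an added example, not code from the court filings or from any of the companies named: it computes the common SPKI pin (base64 of SHA-256 over SubjectPublicKeyInfo) and compares it with pins shipped in the app. The hostname `analytics.example`, the unsigned toy certificates and all function names are constructed for illustration.

```python
import base64
import hashlib

def tlv(tag, body):
    """DER-encode one element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, pos):
    """Return (tag, body_start, end) for the DER element at pos."""
    tag, first, body = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low bits give the length-of-length
        k = first & 0x7F
        length, body = int.from_bytes(buf[body:body + k], "big"), body + k
    if body + length > len(buf):
        raise ValueError("truncated DER")
    return tag, body, body + length

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate."""
    _, body, _ = read_tlv(cert_der, 0)        # Certificate
    _, pos, _ = read_tlv(cert_der, body)      # tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                           # optional [0] version
        pos = end
    for _ in range(5):  # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)       # subjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def toy_cert(issuer, subject, key):
    """Constructed, unsigned skeleton in X.509 field order (assumption)."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(subject)
              + tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def pin_ok(host, cert_der, pins):
    """Fail closed: unknown hosts and unpinned keys are both rejected."""
    return spki_pin(cert_der) in pins.get(host, set())

HOST = "analytics.example"  # hypothetical analytics endpoint
GENUINE = toy_cert(b"Public CA", HOST.encode(), b"genuine-key")
FORGED = toy_cert(b"Device-installed root", HOST.encode(), b"proxy-key")
RENEWED = toy_cert(b"Another public CA", HOST.encode(), b"genuine-key")
PINS = {HOST: {spki_pin(GENUINE)}}  # shipped inside the app
```

`spki_pin` also accepts a real DER certificate, such as the bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`. Because the pin covers the key rather than the issuer, a legitimate reissue under another CA still passes while the proxy-minted certificate does not.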

Moreover, the Advertisers Plaintiffs assert that Meta’s legal team was intricately involved in designing, implementing, and expanding the IAAP program throughout its duration. They argue that this level of legal oversight implies complicity in the alleged criminal conduct.

Central to the Advertisers’ argument is the violation of the Wiretap Act, which criminalizes the intentional interception and use of electronic communications without consent. They contend that Meta’s actions breached this statute and interfered with competitors’ contractual relations with their users.

Meta did not respond to requests for comment on the allegations.
