Meta Platforms Accused of Espionage on Rivals via Onavo VPN Service

In an eyebrow-raising revelation, documents recently unsealed in court have highlighted a controversial practice utilized by Meta Platforms, the company owning Facebook, where it is alleged to have spied on rival company Snapchat’s encrypted traffic. The internal communications indicate that at the core of this espionage was an imperative from Meta CEO Mark Zuckerberg to obtain “reliable analytics” on Snapchat’s growing influence in the social media landscape.

Javier Olivan, who currently serves as Facebook’s Chief Operating Officer, was vocal about his agreement with Zuckerberg’s directive to tap into crucial analytics from Snapchat. The task was delegated to the Onavo team, a web analytics firm acquired by Meta, but not without the preliminary search for legal clearance to analyze Snapchat’s encrypted data.

Addressing this challenge, the Onavo team initiated the so-called “Ghostbusters project,” a clandestine operation coined after Snapchat’s iconic logo. The disclosures detail a technique known as 'SSL Bumping.' This tactic involved Onavo's virtual private network (VPN) service intercepting traffic between users’ devices and Snapchat servers, decrypting this traffic before it was secured by Transport Layer Security (TLS). The information thus harvested, from mid-2016 to early 2019, was utilized to steer Meta’s strategic decisions in the competitive social media arena.

The scope of this surveillance was not limited to Snapchat alone. In a disturbing turn of events, documents ascertain that YouTube and Amazon were also targeted by similar man-in-the-middle attacks between 2017 and 2018. Meta, it appears, had turned its spying apparatus toward broader horizons to gather intelligence on the movements and performance of its formidable competitors in the tech industry.

The backlash from these revelations has been palpable. Onavo, though shuttered in 2019 post-criticisms following a TechCrunch investigation, is again at the center of debates concerning user privacy and corporate ethics. Crucially, the saga deepens with an existing class-action lawsuit filed back in 2020 by Sarah Grabert and Maximilian Klein, focusing on Meta’s "anti-competitive conduct and exploiting user data through deceptive practices."

Whistleblowers had already expressed discomfort with the project's ethical implications, put forth candidly by Pedro Canahuati, then head of structural security engineering at Meta. His assertion that no knowledge of consent absolves the systematic invasion of privacy, as "the general public just doesn’t know how this stuff works," resonates amid a tech landscape fraught with privacy concerns.

These revelations fundamentally challenge the narrative of data privacy protections claimed by technology giants and raise critical questions about the boundaries of competitive intelligence-gathering in digital markets. As regulatory lenses focus ever sharper on the actions of behemoths like Meta, the debates surrounding user privacy, corporate espionage, and the responsibilities of marketplace giants are only likely to intensify.