by pacificresearch 3311 days ago
The technical details page says this works by running a VPN and intercepting all the traffic. Therefore it seems it would only work on unencrypted traffic.

This makes the following claim seem inaccurate:

> Our system is accurate, identifying 98.2% of leaks for the vast majority of flows in our dataset

There is no way <2% of the web and application traffic is encrypted. Bypassing all detection would be as easy as going to the HTTPS version of a website.

This also seems like it would pose a significant security risk, as the servers would be a very juicy target to hack (holding all their customers' personal information and passwords), as well as the ability for the staff themselves to surveil their users.

1 comments

They could require a root SSL cert to be installed and then just MITM all the traffic. An org that wants to protect personal data might be willing to do something stupid like that.
For a properly engineered mobile app there are only downsides to using the public CA system (and thereby the device's CA store). So that would not work.
True. This is not hard to deploy if they leverage a centralized management solution for PKI, such as MS Active Directory.