by mcherm 816 days ago
I'm not clear whether I understood what the article is claiming. It's clear they claim that Meta shared customers' direct messages with a business partner without notifying the individuals who sent and received the messages. It also SOUNDED to me like the article was claiming they did so AFTER Meta introduced "end-to-end encryption" (which would ALSO mean that they were lying about offering end-to-end encryption). Am I reading that correctly?

The cluster of allegations is that the Onavo acquisition put FB-designed and built rootkits underneath TLS on a significant fraction of all smartphones in the United States and that FB/IG (now Meta) used clear text access to ostensibly secure HTTPS sessions to extract arbitrary data from both competitors and partner companies to play poker with X-Ray glasses on as concerned all competition in an ostensibly free and fair and competitive marketplace while simultaneously creating scope for arbitrary other advanced actors to exploit the same intentionally crippled OS-level security at the cost of weakening the entire world’s digital security infrastructure for pure financial profit without so much as a FISA court order to justify such actions.

If substantiated, such accusations would be among the most damning in the history of technology.

>If substantiated, such accusations would be among the most damning in the history of technology.

If substantiated? Just search Onavo on HN search - I thought this was widely known for years.

As a former employee until 2018, I heard the words “Project Ghostbusters” two days ago. I was peripherally aware of something called Onavo, but I had no notion that anyone was talking about “kits”; we all thought it was some kind of metrics thing that was sort of iffy sounding, but lots of iffy ideas got proposed by some PM looking to make a name and shot down by the grownups. What is alleged would have provoked a riot at the weekly all hands.

If any of this is true they didn’t tell people like me about it, and at one point there were three people on the org chart between myself and the CEO.

I’m very skeptical of the allegations, but I’d be lying if I said I found them to be flat impossible. I tread very lightly on this sort of thing and I didn’t even acknowledge I’d ever heard the word Onavo until I read it on TechCrunch.

I certainly hope they’re false: FAIR seems to be the last real hope for an Open future on AI short of a complete housecleaning of the whole Valley.

I had a friend tell me about Onavo in ~2015. I won't delve into what he told me, but at the time I had the "move fast and break things" spirit and thought it was a pretty cool tool that they had figured out to get competitive information. He never showed me anything, but allegedly they could even see what features were being used in other apps.

But I don't think this is something he made up, it's been discussed on HN.

https://news.ycombinator.com/item?id=16381812

>I wonder if it'd be possible to make a social networking startup, optimise solely for Onavo metrics, and get bought out by Facebook.

https://news.ycombinator.com/item?id=16373339

>The Onavo VPN service from Facebook is disguised as a protection mechanism but tracks the user for the benefit of Facebook.

https://news.ycombinator.com/item?id=14971839

>The database stems from Facebook’s 2013 acquisition of a Tel Aviv-based startup, Onavo, which had built an app that secures users’ privacy by routing their traffic through private servers. The app gives Facebook an unusually detailed look at what users collectively do on their phones, these people say.

I am surprised that this accusation is at all controversial.

My guess: you were in ads/targeting. And at most a Director. i.e. mostly operations.

The people in targeting/demand/supply know absolutely nothing about profile building. And that is where all the competitive advantages lie. And also all the shady deals.

We usually keep everything very secret in profile building because that is the knowledge that allows people to leave and start competitors, but we disguise it as the usual think-of-the-children and say that profile building deals with all sorts of borderline-PII and only the most vetted people should work on it.

Ask some sysadmin to list the ACL to the main ads profile HDFS or whatever it is today. It will show a couple of architects who report to one SVP each.

A remarkably astute analysis based on very limited information.

My job was to use information retrieval, machine learning / AI, auction theory, and pragmatic statistical sampling to both accurately model and stably price ads inventory and later dollarized organic inventory to drive specific policy agendas about what got clicked on, dwelled on, commented on, seen in recommender systems in equilibrium to achieve specific policy agendas of various kinds but all ultimately tying out at top-line revenue and engagement metrics.

It did not take me long to work out that PII was useless in this pursuit, there’s no entropy in the off-property like button table as concerns CTR.

It did not take me long to realize that I didn’t want to know what it was useful for.

I easily had the seniority to run queries against Hive tables that I had an explicit personal priority of never querying.

And I left the senior leadership track at the last stop before a directorship.

Oh, the "monetization wizard" team. Driving Excel with hundreds of sheets to squeeze regulated products till the last drop, while documenting all the tweaks for the next round of certification with trepidly named for-profit industry self-regulatory watchdogs.

All the sexy stuff like Bluetooth beacons and reverse email targeting etc. were all before your team, because they're still not regulated and are profitable. I bet the team just got to turn DOoH knobs last year?

Ex-FB here -- I do feel like I knew about the general scope of what Onavo did, which was to incentivize people so FB could snoop on TLS traffic and grab data about competitor usage.

Could be a question of what we worked on. I did Ads ML Infrastructure, Abuse Detection Systems (spam basically), and then more ML Infrastructure on IG Feed/Stories. I was deep enough in the engine room it was all more or less feature embeddings. So it’s probably fair to say I would have known less about strategic maneuvering than plenty of less tenured folks closer to the surface.

I knew it sounded vaguely sketchy, but you remember how many vaguely sketchy things some frisky new PM tried to get pushed through a launch card meeting only to have someone on Sheryl’s radar detonate it on the launch pad. The timeframe is the main reason I’m skeptical: Sheryl didn’t put up with crap like that; she knew what was at stake.

I was on devinfra/source control (worked 2012-2018 in that area before switching to Libra), so we weren't making decisions, but we got to see a bunch of what happened as it happened. Onavo was always treated as pretty sus among the people I worked with, who were largely Linux/free software/security types.

As Pedro said in the email described in [1], no sufficiently well-informed, security-minded person could ever be comfortable with Onavo.

[1]: https://techcrunch.com/2024/03/26/facebook-secret-project-sn...

This article has nothing to do with Onavo.

If this is true, that sounds really, really bad.
> such accusations would be among the most damning in the history of technology.

You're putting this up there with IBM in the holocaust?

I find the article quite confusing and unclear to be honest. Are there any other sources?

This is the original NYT article from 2018 https://www.nytimes.com/2018/12/18/technology/facebook-priva... "Internal documents show that the social network gave Microsoft, Amazon, Spotify and others far greater access to people’s data than it has disclosed."

Facebook promised E2E at the end of 2023.

Here's the source media is probably using: https://www.courtlistener.com/docket/18714274/klein-v-meta-p...

To be honest, I found I got a much better grasp on the whole debacle by just reading the court papers themselves.

> Facebook promised E2E at the end of 2023.

Wait, seriously? Like 4-6 months ago? Like, yesterday in terms of how long they haven't had it? Sheesh, a day doesn't go by that I'm not reminded of how happy I am to have dropped FB so long ago.

They've had it for years, it was just opt-in. More recently they've applied it to everything.

FB has supported e2e messaging since 2016, but it wasn't the default until 4 months ago (Dec 2023). So likely very few users had it enabled (much less on both ends, needed to protect a message from FB).

The Netflix deal starts in 2013. Even after 2016, e2e would just mean Netflix would get slightly fewer messages.

So I don't see anything that would necessarily indicate FB is lying about e2e.

I wonder if there’s a timing connection here with FB Messenger “upgraded the security of this chat” messages I’ve had on a couple of long-running conversations recently.

Sheer coincidence, not to Google-slide.

It sounds like it, and if true, is pretty damning.