Hacker News new | ask | show | jobs
by theptip 698 days ago
So just to be clear on what is being alleged, because the write-ups are omitting this detail: from what I can tell FB paid SC users to participate in “market research” and install the proxy.

The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case. (I’d love to get more detail on exactly what the participants were told they were getting paid for, but I’d be surprised if they did not know their actions were being monitored.)

The accusation that it’s wiretapping if one party in the communication channel is actively breaking the encryption (even with a tool provided by a third party) seems tenuous to me, but IANAL. If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?
6 comments
ec109685 698 days ago
Neilson does something similar with TV where they install capture boxes in people’s houses to determine what they’re watching for their panels: https://www.nytimes.com/athletic/3194414/2022/03/22/the-ulti...

I hope they were upfront about what they were collecting. The article didn’t show what the consent screen was before installing the proxy.

link
vlovich123 698 days ago
From the article:

> Note this is a new case, different from the one that TechCrunch also covered in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines.

link
theptip 698 days ago
This has since been edited in OP, and the full quote I think supports my claim more:

> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

link
BobaFloutist 698 days ago
> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.

All the best/most effective hacks involve convincing someone to download something they shouldn't that lets you sidestep security.

link
halJordan 697 days ago
It was fully clear and fully remunerated. It was no way a hack and thats disingenuous wording so you can hate on FB. If you install a vpn then you are affirmatively giving control of your traffic tot he vpn. FB isnt under any obligation to explain how networks work. In the same way we don't explain dns or routing. Is your boss obligated to tell you ACH transactions are in the clear and anyone can watch settlement? No. You're not being hacked when your bank sends payments via ach.
link
BobaFloutist 697 days ago
I'm not arguing that the users got hacked, I'm arguing that the competitors got hacked.
link
oefrha 698 days ago
No, the writeup isn’t omitting anything, you’re mixing things up, which this article explicitly called out.

This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]

So no, this Onavo bullshit isn’t defensible at all.

[1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...

[2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...

link
theptip 698 days ago
This is a bit tangled. I think this is new information but it’s all about Onavo. From OP:

> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.

The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo with their enterprise distribution channel), it quotes:

> “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.

This sounds to me that there was one Onavo research program, but who knows, we have multiple project codenames.

link
willstrafach 697 days ago
“Facebook Research” was the Onavo codebase, under a different name, signed by Facebook’s Enterprise certificate.
link
oefrha 697 days ago
> The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known.

No, it was already well-known way back in 2018, which is why that piece of shit app was withdrawn from App Store in the first place. Facebook’s enterprise account later got suspended in 2019 for distributing the paid piece of shit through enterprise MDM.

link
theptip 697 days ago
The claim in the OP is that they might have been MiTM’ing arbitrary users, I believe the previously reported claims were that they only MiTM’d paid research participants. (Please share some links if you have evidence to the contrary, I’d love to get to the bottom of this.)
link
oefrha 697 days ago
Onavo isn’t paid, it’s just a “free” VPN app. There’s no paid participation, you just download it.

https://www.bitdefender.com/blog/hotforsecurity/facebook-pul...

https://www.wsj.com/articles/facebook-to-remove-data-securit...

Edit: Typo.

link
valicord 697 days ago
That doesn't mean that the MITM traffic interception would be enabled for regular users that have downloaded the app from the store. As stated both in the article and in the comments here, both "free" VPN and "paid market research" VPN used the same codebase. Is there any evidence (other than "facebook bad") that the MITM part was enabled for anyone other than consenting/getting paid participants?
link
H8crilA 698 days ago
Why do people work on such projects? I mean specifically the engineers. You're still paid the same engineer salary, except now you expose yourself to criminal prosecution. The corpo is at least getting some extra returns for the risk, you as an engineer are not. So dumb.
link
reaperman 698 days ago
Maybe you're on H1B and if you get let go you have to go back to Sri Lanka, whose government collapsed 2 years ago and left the country in political disarray. Some people have better choices than others.

Like I wouldn't work on this project, but I have US citizenship. In college I slept over at some of my Indian friends' apartments and often they had like 8-12 guys sleeping in one bedroom, it was just a bunch of mattresses all laid together with no specific sleeping arrangement. Generally they made a giant pot of stew/daal/whatever once a week and ate the same thing for every meal all week, some even long after graduating with PhD's and getting low-tier visa-mill jobs. This was not a T10 school, our international students rarely came from wealthy families. One of my Saudi classmates came from a poor family in a remote village near the Iraq border and brushed his teeth with a twig from the Salvadora persica tree.

I couldn't really blame them if they didn't have another good option readily available.

link
roenxi 698 days ago
I can't resist annotating the Sri Lanka comment, it was responsible for some of the most absurd headlines I've ever read; completely beyond parody. Typical example:

- Fertiliser ban decimates Sri Lankan crops as government popularity ebbs

> https://www.reuters.com/markets/commodities/fertiliser-ban-d...

link
redserk 698 days ago
Or you have a nice bucket of RSUs that have been jumping in value and figure it’s just another project to pass time.
link
reaperman 698 days ago
If you have other good options, thats just greed. Sure its painful to turn down $200k in RSU’s but if you can jump ship and still get paid a respectable $160k I don’t have much sympathy for your choice to fuck over millions of people just so you can buy a house two years sooner.
link
spencerflem 698 days ago
I don't either. It seems to me that a lot of CS people don't have the same values as we do unfortunately. A sad mix of computers seeming apolitical - 'I just wanna hack' and as a well paid industry, the same money maximizers that would in previous years been business majors.
link
ignoramous 698 days ago
> Why do people work on such projects?

>> Maybe you're on H1B and if you get let go you have to go back to Sri Lanka...

I mean that's there too, but in this case, the guy who ran this spyware op was a former IDF turned chief of Facebook in Israel, later promoted to CISO for all of Meta.

link
reaperman 698 days ago
Yes, I generally blame management. But sometimes I blame the engineers when its obvious they had other good options.
link
ignoramous 698 days ago
> I blame the engineers when its obvious they had other good options

Their manager was promoted to c-suite for running a covert worldwide spyware op (that also informed the company's M&A strategy). I'd reserve most of my blame on corporate culture that incentivized & rewarded such orgs and its management.

link
spencerflem 698 days ago
I think its fair to blame both, usually. Got enough hate left in my heart for it
link
racional 697 days ago
It's important to note that the "Guy" was not just with the IDF, but with Unit 8200.

Otherwise you'd be essentially saying "Hey look out, the guy who ran this op was an Israeli" (because nearly every male Israeli serves in the IDF).

link
ignoramous 695 days ago
> important to note ... "Guy" [was] with Unit 8200

Good thing they're less Fascist and more upstanding & liberal, yeah? https://www.nytimes.com/interactive/2014/09/12/world/middlee...

> every male Israeli serves in the IDF

Shame on them if they continue to be associated with an institution found guilty by the International courts of occupation, torture, sexual assault, dispossession, crimes against humanity.

https://x.com/wattheactualfuq/status/1818340892651975052 / https://ghostarchive.org/archive/sx6lC

The burden is not mine or anyone else's.

link
protastus 697 days ago
Your scenario describes real people, but Facebook was not built by vulnerable visa holders.

Facebook hired and retained engineers over its entire company history by offering enormous amounts of stock. They successfully demonstrated there are a lot of engineers willing to build unethical products when offered 2-3x their previous salary.

link
_proofs 697 days ago
holy fuck can we please stop letting circumstances be the excuse we continuously fall back on, when enabling and reinforcing behavior with long-term impact and consequences.

imagine all of the times in history where this type of enabling of behavior reached an extreme, and now ask yourself where do you draw the line.

are you really asking me to enjoy the growing consequences of corporate overreach in the name of data, and all the sketchy ass, unethical, and invasive work all these foreign engineers are getting paid ridiculous salaries to propogate, and feel good about being held hostage because said engineers.. don't have a home.

so we are supposed to enable them to wreck mine (ours)?

link
reaperman 697 days ago
> so we are supposed to enable them to wreck mine (ours)?

No, we’re supposed to attack it from a different direction. Whether these people are H1B or outsourced overseas, U.S. corporations will always be able to find people in desperate enough situations (civil war-torn country with a literal famine going on). We can absolutely blame and shame the engineers who have other options for sustenance and medicine for their families, but if you want to solve this problem, it can only be solved through the legislative and executive branches.

link
Intermernet 698 days ago
I was talking about this with friends the other night. If you've been in the industry long enough, you've probably been party to creating something horrible. It takes a while for the reality of horribleness to crack the glamour of creation and monetary reward, but once it does, everyone I personally know has quit and lived with the regret.

I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.

link
throwaway55717 698 days ago
Due to an incarcerated family member, I had to deal with privately run prison telecom software, which was as awful and exploitative as you would expect, I could see where someone might feel guilty for working in this area. Evil business model.

But one of the worst things about the software was all the bugs. Silent failures so we couldn't tell what was happening, if it was a software problem or if our loved one was being prevented from communicating with us. The messaging and video call system failed us at some crucial moments and created a lot of emotional stress.

In fact I think this is part of the awful business model -- cut costs even if it hurts people.

Bad software can really make the lives of incarcerated people much worse. So if you were able to do a decent job on that software, whether it was prison telecom or internal tools for a prison contractor, you may have still had a more positive impact than you think, despite the broader business model being totally evil.

link
Intermernet 697 days ago
I was involved in the internal reporting. The clincher was when I saw the P&L for the internal sales of "luxury" items. Literally selling to a captive customer base.

It's weird that such a data point was the final straw, but eventually these small details build up and the whole edifice comes crashing down.

It's especially tragic as the company seemed to be full of talented, intelligent and nice people. Such seems to be the typical makeup of faceless evil.

link
qingcharles 697 days ago
The software on those "Temu" quality Android tablets they sell in prison is the worst I've ever encountered. And I've never seen an update of any note in the years they have been running them. If there is even a dev anywhere that could fix a bug and deploy it...

Anyone know the best way to pull an image off a locked-down Android tablet? I have a prison tablet here and I want to see what is inside the APKs.

link
fragmede 697 days ago
adb pull com.whatever will get you the apks which I think you don't need root for, but there isn't a way to just dd the whole image off, afaik.
link
maeil 697 days ago
> I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.

Sounds like getting to feel good after grabbing the bag. Particularly the first three considering how much they pay (even moreso if the gambling was crypto related).

> everyone I personally know has quit and lived with the regret.

Quit for a significantly lower wage job? Or quit in 2021 when they could trivially get another job likely with a raise?

I sound aggressive but these are serious, not rhetorical, questions. I don't know your friends, maybe they're the real deal, in which case massive kudos to them, I'm very happy to see others doing the same and I wish more were like us. But "living with the regret" is empty words if meaningful sacrifices haven't been made to atone for those sins.

FWIF, I left a job that paid more than twice what I'm able to get anywhere else without moving across the globe, for ethics reasons. And the industry wasn't as bad as the ones you've named besides HFT, which is imo pretty average when it comes to societal negative externalities for a tech company.

link
kevin_nisbet 697 days ago
Trying to bring an open mind, I could see a number of plausible scenarios where an engineer could do this, with various degrees of legitimacy.

It's certainly a complicated subject, but I think in general companies are really good, especially big ones, at getting people to work on things they might not be comfortable with otherwise. This thread has been talking the extremes like immigration status, but there are all kinds of subtle pressures as well. Some people might not believe they have the political capital to outright refuse a project (especially a pet project of the CEO) vs choose to accept and try to nudge the project onto more solid footing. And I suspect many engineers are terrified of being labelled as not a team player, which aids in the creation of group think, but makes it very difficult to foster a healthy culture of discussion that would bring forward the serious concerns of this work. And there is almost always some room of uncertainty as the last convincer... is it unethical to work on the project if the consumer is fully informed and offers consent to the invasion of privacy?

If there is an extreme where it's justifiable, for any reasonable engineer to accept the project, then it get's really muddy on where exactly the line is, and when it should be drawn.

I also suspect many of us envision ourselves having much more fortitude than we really do as well, imagining the heroic efforts we'd put in to changing a companies mind from a bad idea... where the more likely outcome for most of us is to fall silently into the background.

link
qingcharles 697 days ago
When I was in the music biz I pushed back hard against DRM. I lost, but being on the inside I could swing the needle to the least restrictive DRM as possible (e.g. it let you burn a CD for instance). Most of the other devs I worked with would have simply taken the ultra-restrictive spec, coded it and gone home happy each night. (I did code some shitty ActiveX object for Sony to put on one of their unrippable CDs though... it let you download a DRM-hobbled version of the song)

I can count on one hand though the number of devs I've worked with that saw coding as anything more than a 9-5 grind and would have spoken up if asked to do something shady.

link
kotaKat 698 days ago
It takes the correct morally bankrupt person to be willing to take the job.
link
dl9999 698 days ago
Or a person with a sick kid, or who is about to be evicted, or who made some bad financial decisions or for some other reason is about to run out of food money. In those situations it's very easy to rationalize that the good outweighs the bad.

I've only been in a similar situation once. I could barely sleep at night for a week before I finally told them that I couldn't do it. In my situation I would have taken a financial hit if they decided to let me go, but my wife works and I have savings and there was no immediate threat, and it still was a difficult decision.

link
IG_Semmelweiss 698 days ago
Why would you diminish all those silent heroes who do decline the morally bankrupt job despite not making rent , or having to carry bad financial decisions?

The truth is that in the US we do have some very expensive social safety nets, and it always comes back to the morals of the individual. You can rationalize just about anything against all kinds situations, but in the end we are talking about someone morally corrupt, or morally steadfast.

Dont justify the injustifiable.

Instead Judge character in the hard times and use that opportunity elevate the heroes that do the right thing im the face of adversity.

link
dl9999 698 days ago
I'm not diminishing anything. I'm just not willing to condemn people without taking into account extenuating circumstances.

People regularly justify things that are not justified. When there's a lot of pressure, rationalizing is very easy. It's not even easy to realize that something is being rationalized.

I'm not justifying the unjustifiable. I'm saying that a person doesn't have be morally "bankrupt" to do something bad. Condemning people as morally bankrupt without taking into account extenuating circumstances is certainly not justified.

link
echoangle 698 days ago
You really think the engineers working on this will be personally liable for this? That would honestly surprise me, the worst i can imagine is punishment for the company as an entity.
link
fn-mote 698 days ago
Yes, we do. Just look at how the engineers get thrown under the bus in a high profile case like the VW car-emissions scandal.

Example: engineers blamed is the title in [1].

[1] https://www.nbcnews.com/business/autos/vw-scandal-top-u-s-ex...

link
echoangle 698 days ago
Saying stuff like that in a hearing to deflect blame doesn’t surprise me, but were any individual engineers punished for this?
link
haxrob 698 days ago
> from what I can tell FB paid SC users to participate in “market research” and install the proxy.

The app was available on both the Google Play and Apple App stores for anyone to download.

> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.

It could be that you are confused with a previous case. From the blog post:

> The wiretapping claim is new and perhaps not to be confused with the prior controversy and litigation: In 2023, two subsidiaries of Facebook was ordered to pay a total of $20M by the Australian Federal Court for "engaging in conduct liable to mislead in breach of the Australian Consumer Law", according to the ACCC ... Facebook had shutdown Onavo in 2019 after an investigation revealed they had been paying teenagers to use the app to track them. Also that year, Apple went as far as to revoke Facebook's developer program certificates, sending a clear message.

> If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API

If by "local" on your own network/machine with your own traffic then obviously no.

link
hollerith 698 days ago
SC == Snapchat
link