[oefrha]

No, the writeup isn’t omitting anything, you’re mixing things up, which this article explicitly called out.

This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]

So no, this Onavo bullshit isn’t defensible at all.

[1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...

[2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...

[theptip]

This is a bit tangled. I think this is new information but it’s all about Onavo. From OP:

> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.

The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo with their enterprise distribution channel), it quotes:

> “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.

This sounds to me that there was one Onavo research program, but who knows, we have multiple project codenames.

[willstrafach]

“Facebook Research” was the Onavo codebase, under a different name, signed by Facebook’s Enterprise certificate.

[oefrha]

> The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known.

No, it was already well-known way back in 2018, which is why that piece of shit app was withdrawn from App Store in the first place. Facebook’s enterprise account later got suspended in 2019 for distributing the paid piece of shit through enterprise MDM.

[theptip]

The claim in the OP is that they might have been MiTM’ing arbitrary users, I believe the previously reported claims were that they only MiTM’d paid research participants. (Please share some links if you have evidence to the contrary, I’d love to get to the bottom of this.)

[oefrha]

Onavo isn’t paid, it’s just a “free” VPN app. There’s no paid participation, you just download it.

https://www.bitdefender.com/blog/hotforsecurity/facebook-pul...

https://www.wsj.com/articles/facebook-to-remove-data-securit...

Edit: Typo.

[valicord]

That doesn't mean that the MITM traffic interception would be enabled for regular users that have downloaded the app from the store. As stated both in the article and in the comments here, both "free" VPN and "paid market research" VPN used the same codebase. Is there any evidence (other than "facebook bad") that the MITM part was enabled for anyone other than consenting/getting paid participants?

[H8crilA]

Why do people work on such projects? I mean specifically the engineers. You're still paid the same engineer salary, except now you expose yourself to criminal prosecution. The corpo is at least getting some extra returns for the risk, you as an engineer are not. So dumb.

[reaperman]

Maybe you're on H1B and if you get let go you have to go back to Sri Lanka, whose government collapsed 2 years ago and left the country in political disarray. Some people have better choices than others.

Like I wouldn't work on this project, but I have US citizenship. In college I slept over at some of my Indian friends' apartments and often they had like 8-12 guys sleeping in one bedroom, it was just a bunch of mattresses all laid together with no specific sleeping arrangement. Generally they made a giant pot of stew/daal/whatever once a week and ate the same thing for every meal all week, some even long after graduating with PhD's and getting low-tier visa-mill jobs. This was not a T10 school, our international students rarely came from wealthy families. One of my Saudi classmates came from a poor family in a remote village near the Iraq border and brushed his teeth with a twig from the Salvadora persica tree.

I couldn't really blame them if they didn't have another good option readily available.

[roenxi]

I can't resist annotating the Sri Lanka comment, it was responsible for some of the most absurd headlines I've ever read; completely beyond parody. Typical example:

- Fertiliser ban decimates Sri Lankan crops as government popularity ebbs

> https://www.reuters.com/markets/commodities/fertiliser-ban-d...

[redserk]

Or you have a nice bucket of RSUs that have been jumping in value and figure it’s just another project to pass time.

[reaperman]

If you have other good options, thats just greed. Sure its painful to turn down $200k in RSU’s but if you can jump ship and still get paid a respectable $160k I don’t have much sympathy for your choice to fuck over millions of people just so you can buy a house two years sooner.

[spencerflem]

I don't either. It seems to me that a lot of CS people don't have the same values as we do unfortunately. A sad mix of computers seeming apolitical - 'I just wanna hack' and as a well paid industry, the same money maximizers that would in previous years been business majors.

[ignoramous]

> Why do people work on such projects?

>> Maybe you're on H1B and if you get let go you have to go back to Sri Lanka...

I mean that's there too, but in this case, the guy who ran this spyware op was a former IDF turned chief of Facebook in Israel, later promoted to CISO for all of Meta.

[reaperman]

Yes, I generally blame management. But sometimes I blame the engineers when its obvious they had other good options.

[ignoramous]

> I blame the engineers when its obvious they had other good options

Their manager was promoted to c-suite for running a covert worldwide spyware op (that also informed the company's M&A strategy). I'd reserve most of my blame on corporate culture that incentivized & rewarded such orgs and its management.

[spencerflem]

I think its fair to blame both, usually. Got enough hate left in my heart for it

[racional]

It's important to note that the "Guy" was not just with the IDF, but with Unit 8200.

Otherwise you'd be essentially saying "Hey look out, the guy who ran this op was an Israeli" (because nearly every male Israeli serves in the IDF).

[ignoramous]

> important to note ... "Guy" [was] with Unit 8200

Good thing they're less Fascist and more upstanding & liberal, yeah? https://www.nytimes.com/interactive/2014/09/12/world/middlee...

> every male Israeli serves in the IDF

Shame on them if they continue to be associated with an institution found guilty by the International courts of occupation, torture, sexual assault, dispossession, crimes against humanity.

https://x.com/wattheactualfuq/status/1818340892651975052 / https://ghostarchive.org/archive/sx6lC

The burden is not mine or anyone else's.

[protastus]

Your scenario describes real people, but Facebook was not built by vulnerable visa holders.

Facebook hired and retained engineers over its entire company history by offering enormous amounts of stock. They successfully demonstrated there are a lot of engineers willing to build unethical products when offered 2-3x their previous salary.

[_proofs]

holy fuck can we please stop letting circumstances be the excuse we continuously fall back on, when enabling and reinforcing behavior with long-term impact and consequences.

imagine all of the times in history where this type of enabling of behavior reached an extreme, and now ask yourself where do you draw the line.

are you really asking me to enjoy the growing consequences of corporate overreach in the name of data, and all the sketchy ass, unethical, and invasive work all these foreign engineers are getting paid ridiculous salaries to propogate, and feel good about being held hostage because said engineers.. don't have a home.

so we are supposed to enable them to wreck mine (ours)?

[reaperman]

> so we are supposed to enable them to wreck mine (ours)?

No, we’re supposed to attack it from a different direction. Whether these people are H1B or outsourced overseas, U.S. corporations will always be able to find people in desperate enough situations (civil war-torn country with a literal famine going on). We can absolutely blame and shame the engineers who have other options for sustenance and medicine for their families, but if you want to solve this problem, it can only be solved through the legislative and executive branches.

[Intermernet]

I was talking about this with friends the other night. If you've been in the industry long enough, you've probably been party to creating something horrible. It takes a while for the reality of horribleness to crack the glamour of creation and monetary reward, but once it does, everyone I personally know has quit and lived with the regret.

I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.

[throwaway55717]

Due to an incarcerated family member, I had to deal with privately run prison telecom software, which was as awful and exploitative as you would expect, I could see where someone might feel guilty for working in this area. Evil business model.

But one of the worst things about the software was all the bugs. Silent failures so we couldn't tell what was happening, if it was a software problem or if our loved one was being prevented from communicating with us. The messaging and video call system failed us at some crucial moments and created a lot of emotional stress.

In fact I think this is part of the awful business model -- cut costs even if it hurts people.

Bad software can really make the lives of incarcerated people much worse. So if you were able to do a decent job on that software, whether it was prison telecom or internal tools for a prison contractor, you may have still had a more positive impact than you think, despite the broader business model being totally evil.

[Intermernet]

I was involved in the internal reporting. The clincher was when I saw the P&L for the internal sales of "luxury" items. Literally selling to a captive customer base.

It's weird that such a data point was the final straw, but eventually these small details build up and the whole edifice comes crashing down.

It's especially tragic as the company seemed to be full of talented, intelligent and nice people. Such seems to be the typical makeup of faceless evil.

[qingcharles]

The software on those "Temu" quality Android tablets they sell in prison is the worst I've ever encountered. And I've never seen an update of any note in the years they have been running them. If there is even a dev anywhere that could fix a bug and deploy it...

Anyone know the best way to pull an image off a locked-down Android tablet? I have a prison tablet here and I want to see what is inside the APKs.

[fragmede]

adb pull com.whatever will get you the apks which I think you don't need root for, but there isn't a way to just dd the whole image off, afaik.

[qingcharles]

Sadly I can't get into the settings. It boots into a custom menu, which might just be an app running over the default shell. I also can't get it into recovery mode. I need to do more digging.

[maeil]

> I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.

Sounds like getting to feel good after grabbing the bag. Particularly the first three considering how much they pay (even moreso if the gambling was crypto related).

> everyone I personally know has quit and lived with the regret.

Quit for a significantly lower wage job? Or quit in 2021 when they could trivially get another job likely with a raise?

I sound aggressive but these are serious, not rhetorical, questions. I don't know your friends, maybe they're the real deal, in which case massive kudos to them, I'm very happy to see others doing the same and I wish more were like us. But "living with the regret" is empty words if meaningful sacrifices haven't been made to atone for those sins.

FWIF, I left a job that paid more than twice what I'm able to get anywhere else without moving across the globe, for ethics reasons. And the industry wasn't as bad as the ones you've named besides HFT, which is imo pretty average when it comes to societal negative externalities for a tech company.

[kevin_nisbet]

Trying to bring an open mind, I could see a number of plausible scenarios where an engineer could do this, with various degrees of legitimacy.

It's certainly a complicated subject, but I think in general companies are really good, especially big ones, at getting people to work on things they might not be comfortable with otherwise. This thread has been talking the extremes like immigration status, but there are all kinds of subtle pressures as well. Some people might not believe they have the political capital to outright refuse a project (especially a pet project of the CEO) vs choose to accept and try to nudge the project onto more solid footing. And I suspect many engineers are terrified of being labelled as not a team player, which aids in the creation of group think, but makes it very difficult to foster a healthy culture of discussion that would bring forward the serious concerns of this work. And there is almost always some room of uncertainty as the last convincer... is it unethical to work on the project if the consumer is fully informed and offers consent to the invasion of privacy?

If there is an extreme where it's justifiable, for any reasonable engineer to accept the project, then it get's really muddy on where exactly the line is, and when it should be drawn.

I also suspect many of us envision ourselves having much more fortitude than we really do as well, imagining the heroic efforts we'd put in to changing a companies mind from a bad idea... where the more likely outcome for most of us is to fall silently into the background.

[qingcharles]

When I was in the music biz I pushed back hard against DRM. I lost, but being on the inside I could swing the needle to the least restrictive DRM as possible (e.g. it let you burn a CD for instance). Most of the other devs I worked with would have simply taken the ultra-restrictive spec, coded it and gone home happy each night. (I did code some shitty ActiveX object for Sony to put on one of their unrippable CDs though... it let you download a DRM-hobbled version of the song)

I can count on one hand though the number of devs I've worked with that saw coding as anything more than a 9-5 grind and would have spoken up if asked to do something shady.

[kotaKat]

It takes the correct morally bankrupt person to be willing to take the job.

[dl9999]

Or a person with a sick kid, or who is about to be evicted, or who made some bad financial decisions or for some other reason is about to run out of food money. In those situations it's very easy to rationalize that the good outweighs the bad.

I've only been in a similar situation once. I could barely sleep at night for a week before I finally told them that I couldn't do it. In my situation I would have taken a financial hit if they decided to let me go, but my wife works and I have savings and there was no immediate threat, and it still was a difficult decision.

[IG_Semmelweiss]

Why would you diminish all those silent heroes who do decline the morally bankrupt job despite not making rent , or having to carry bad financial decisions?

The truth is that in the US we do have some very expensive social safety nets, and it always comes back to the morals of the individual. You can rationalize just about anything against all kinds situations, but in the end we are talking about someone morally corrupt, or morally steadfast.

Dont justify the injustifiable.

Instead Judge character in the hard times and use that opportunity elevate the heroes that do the right thing im the face of adversity.

[dl9999]

I'm not diminishing anything. I'm just not willing to condemn people without taking into account extenuating circumstances.

People regularly justify things that are not justified. When there's a lot of pressure, rationalizing is very easy. It's not even easy to realize that something is being rationalized.

I'm not justifying the unjustifiable. I'm saying that a person doesn't have be morally "bankrupt" to do something bad. Condemning people as morally bankrupt without taking into account extenuating circumstances is certainly not justified.

[echoangle]

You really think the engineers working on this will be personally liable for this? That would honestly surprise me, the worst i can imagine is punishment for the company as an entity.

[fn-mote]

Yes, we do. Just look at how the engineers get thrown under the bus in a high profile case like the VW car-emissions scandal.

Example: engineers blamed is the title in [1].

[1] https://www.nbcnews.com/business/autos/vw-scandal-top-u-s-ex...

[echoangle]

Saying stuff like that in a hearing to deflect blame doesn’t surprise me, but were any individual engineers punished for this?