Well, this is a transcendent level of evil: Facebook bought a VPN company and deployed it, in part, to spy on its competitor's users.

https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/

It's a reminder that VPNs have their own risks, beyond technical ones if operated incompetently -- namely, that you have to trust the VPN company itself.

UPDATED to reflect which users were being spied on.

Facebook snooped on users' Snapchat traffic in secret project, documents reveal | TechCrunch

A secret program called "Project Ghostbusters" saw Facebook devise a way to intercept and decrypt the encrypted network traffic of Snapchat users to study their behavior.

@dangillmor it seems like the article is inaccurate, the traffic between the app and Snapchat's servers is still encrypted with TLS, whether it goes over an (additional) encrypted VPN tunnel or not, unless I'm missing some detail somewhere

@charlag @dangillmor

It's not an additional tunnel, it's a different network stack that gives the opportunity to encrypt the traffic and siphon off what's wanted before that happens.

I don't know why it's a class action, if there's evidence there's sufficient criminal law to go after the corporate officers.

@simon_lucy @dangillmor okay I still don't get how VPN provider or app would read TLS encrypted traffic

@charlag @dangillmor

"In order to SSL bump Snapchat—and later YouTube and Amazon—Facebook employees created custom client- and server-side code based on Onavo’s VPN proxy app and server stack. This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices." They replicated all of the certificates.

https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf
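The quoted filing describes the mechanism in one clause: a "kit" that installs a root certificate on the device. The script below is an added illustration, not code from the thread or from the court documents, and it uses a placeholder hostname (app.example.com) rather than any real service. It mints an interceptor root CA, uses it to sign a leaf certificate for a hostname the interceptor does not own, and then checks the leaf the way a TLS client would: a trust store containing the interceptor's root accepts the forged certificate, an unmodified trust store does not, and even the modified store rejects it if the name does not match, which is why an SSL bump proxy has to mint a fresh leaf per hostname.

```shell
#!/bin/sh
# Added example (not part of the original thread): why an installed "root"
# certificate lets an intercepting proxy present a certificate the client
# accepts for a hostname it does not control. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The interceptor's own CA: this is the "root" certificate the kit installs
#    into the device's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Interceptor Root CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. A forged leaf certificate for a hostname the interceptor does not own.
#    app.example.com is a placeholder chosen for this example.
HOST="app.example.com"
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > ext.cnf
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile ext.cnf -out leaf.pem >/dev/null 2>&1

# A device whose trust store contains the interceptor's root: the forged
# leaf chains to a trusted CA and the name matches, so it is accepted.
verify_with_installed_root() {
  openssl verify -CAfile ca.pem -verify_hostname "$HOST" leaf.pem >/dev/null 2>&1
}

# A device with an unmodified trust store: no path from the leaf to any
# trusted root, so the same certificate is rejected.
verify_with_default_store() {
  openssl verify -verify_hostname "$HOST" leaf.pem >/dev/null 2>&1
}

# Even with the interceptor's root trusted, the leaf is only good for the
# name it carries; a proxy therefore mints one leaf per intercepted host.
verify_wrong_hostname() {
  openssl verify -CAfile ca.pem -verify_hostname "other.example.com" leaf.pem >/dev/null 2>&1
}

if verify_with_installed_root; then echo "installed root: accepted"; fi
if ! verify_with_default_store; then echo "default store: rejected"; fi
if ! verify_wrong_hostname; then echo "wrong hostname: rejected"; fi
```

In the deployment the filing describes, the proxy would do this on the fly: accept the client's connection, present a leaf like the one above for the requested hostname, read the plaintext, and open its own TLS connection to the real server. Nothing about the app's TLS is broken; the client simply trusts a root it should not.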

@simon_lucy @charlag @dangillmor

This explanation of how Meta might do evil with a VPN is exactly why most regular users give up and just say, "Make money off of my habits on your social platform." I have not a clue what the post means. But it sounds like the only way to win the game is to not play the game. And if that's the explanation, then just say that.

@TopKnot @charlag @dangillmor

Someone asked a very reasonable question: how could a VPN 'man in the middle' secure end-to-end encryption? I quoted the relevant part of the case papers.

I summarised it in the next comment.

This is a technical issue with ethical, legal and trust concerns; there will be technical language. Not explaining it would be worse.

There's a second major point to make: if Meta can and did do this, then any govt can do the same. And they already want to.