Well, this is a transcendent level of evil: Facebook bought a VPN company and deployed it, in part, to spy on its competitor's users.

https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/

It's a reminder that VPNs have their own risks, beyond technical ones if operated incompetently -- namely, that you have to trust the VPN company itself.

UPDATED to reflect which users were being spied on.

Facebook snooped on users' Snapchat traffic in secret project, documents reveal | TechCrunch

A secret program called "Project Ghostbusters" saw Facebook devise a way to intercept and decrypt the encrypted network traffic of Snapchat users to study their behavior.

@dangillmor it seems like the article is inaccurate, the traffic between the app and Snapchat's servers is still encrypted with TLS, whether it goes over (additional) encrypted VPN tunnel or not, unless I'm missing some detail somewhere

@charlag @dangillmor

It's not an additional tunnel, it's a different network stack that gives the opportunity to encrypt the traffic and siphon off what's wanted before that happens.

I don't know why it's a class action, if there's evidence there's sufficient criminal law to go after the corporate officers.

@simon_lucy @dangillmor okay, I still don't get how a VPN provider or app would read TLS encrypted traffic

@charlag @dangillmor

"In order to SSL bump Snapchat—and later YouTube and Amazon—Facebook employees created custom client- and server-side code based on Onavo’s VPN proxy app and server stack. This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices." They replicated all of the certificates.

https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

@charlag @dangillmor

In other words, they created a client app which intercepted both ends of the connection.

@simon_lucy @charlag @dangillmor
In other words, it's not a normal VPN, it's (also?) an SSL-proxy that breaks up the encrypted connection
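The thread's point is that once a client-side "kit" has installed an extra root certificate on the device, ordinary TLS validation no longer protects the connection: a proxy that holds that root's key can mint a certificate for any hostname and the OS will accept it. The mitigation an app can apply is public-key pinning. The Go program below is an added example written for this page; it is not code from the thread, from the court filing, or from any of the companies named. It builds, entirely offline, a legitimate root CA and a second "interception proxy" root, issues a certificate for the same placeholder hostname from each, and puts both roots into the trust pool the way a device would look after the extra root was installed. Standard verification then accepts both chains, while a check that pins the SHA-256 of the real CA's SubjectPublicKeyInfo rejects the proxy's chain. The hostname, the CA names and the pin set are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue creates a P-256 certificate for cn. With parent == nil it is self-signed
// (a root CA); otherwise it is signed by parent using parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := parent, parentKey
	if signer == nil {
		signer, signerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value HPKP-style pin sets are built from.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// scenario models a device whose trust store holds the legitimate root plus an
// extra "interception proxy" root, and an app that pins the legitimate CA key.
type scenario struct {
	Host      string
	Roots     *x509.CertPool
	Pins      map[string]bool
	RealLeaf  *x509.Certificate // issued by the service's real CA
	ProxyLeaf *x509.Certificate // minted by the proxy for the same hostname
}

func buildScenario() (*scenario, error) {
	host := "example-service.invalid" // placeholder hostname, constructed for the demo
	realCA, realKey, err := issue("Demo Real Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	realLeaf, _, err := issue(host, false, realCA, realKey)
	if err != nil {
		return nil, err
	}
	proxyCA, proxyKey, err := issue("Demo Interception Proxy Root", true, nil, nil)
	if err != nil {
		return nil, err
	}
	proxyLeaf, _, err := issue(host, false, proxyCA, proxyKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(proxyCA) // the extra root a client-side "kit" installed on the device
	pins := map[string]bool{spkiPin(realCA): true}
	return &scenario{Host: host, Roots: roots, Pins: pins, RealLeaf: realLeaf, ProxyLeaf: proxyLeaf}, nil
}

// standardVerify is what the OS does: chain building plus hostname check.
func standardVerify(s *scenario, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: s.Roots, DNSName: s.Host})
	return err == nil
}

// pinnedVerify adds the app-level check: some certificate in a valid chain must
// carry a pinned public key, so a chain rooted in the proxy's CA is rejected.
func pinnedVerify(s *scenario, leaf *x509.Certificate) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: s.Roots, DNSName: s.Host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if s.Pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("real chain:  standard=%v pinned=%v\n", standardVerify(s, s.RealLeaf), pinnedVerify(s, s.RealLeaf))
	fmt.Printf("proxy chain: standard=%v pinned=%v\n", standardVerify(s, s.ProxyLeaf), pinnedVerify(s, s.ProxyLeaf))
}
```

Pinning the CA's key rather than the leaf's lets the service rotate leaf certificates without shipping an app update; the cost, as with any pinning scheme, is that a planned CA change needs a backup pin in the app before the switch. The same logic drops into `tls.Config.VerifyPeerCertificate` in a real client.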