Well, this is a transcendent level of evil: Facebook bought a VPN company and deployed it, in part, to spy on its competitor's users.
https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/
It's a reminder that VPNs have their own risks, beyond technical ones if operated incompetently -- namely, that you have to trust the VPN company itself.
UPDATED to reflect which users were being spied on.
This week I have considered deleting my Facebook and Instagram accounts. However, I use them for my business and non-profit groups to extend their reach. If only there was a better alternative with as broad of base I would delete them.
@MichaelBishop @dangillmor The users stay on Facebook because of the businesses and nonprofits. The businesses and nonprofits stay because of the users.
It's a 3-billion wide Mexican standoff.
@pomegranate_stew @MichaelBishop @dangillmor 3 billion wide, people participate in on average 10 forms of a social group, so there's a chance of about 1 in 1000 you're able to evict Facebook from your life without losing some social groups.
Assuming equal distribution, which it does not have.
It's not an additional tunnel it's a different network stack that gives the opportunity to encrypt the traffic and siphon off what's wanted before that happens.
I don't know why it's a class action, if there's evidence there's sufficient criminal law to go after the corporate officers.
"In order to SSL bump Snapchat—and later YouTube and Amazon—Facebook employees created custom client- and server-side code based on Onavo’s VPN proxy app and server stack. This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices." They replicated all of the certificates.
https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf
and surely criminal?
In other words, they created a client app which intercepted both ends of the connection.
@simon_lucy @charlag @dangillmor
This explanation of how Meta might do evil with a VPN is exactly why most regular users give up and just say, "Make money off of my habits on your social platform." I have not a clue what the post means. But it sounds like the only way to win the game is to not play the game. And if that's the explanation, then just say that.
@TopKnot actually the explanation is literally analogous to the meme posted above: https://mastodon.social/@christerk/112166240851496258
Where the players are:
Coconut: Snapchat
Woman: Facebook's VPN
Man: User
Straws: encrypted tunnels so both Snapchat and User feel they're using the proper method.
Facebook's VPN client is doing a Man-In-The-Middle (MITM) attack. In this case woman, person in the middle.
Someone asked a very reasonable question, how could a VPN 'man in the middle' a secure end to end encryption. I quoted the relevant part of the case papers.
I summarised it in the next comment.
This is a technical issue with ethical, legal and trust concerns there will be technical language. Not explaining it would be worse.
There's a second major point to make, if Meta can and did do this then any govt can do the same. And they already want to.
Yeah, it doesn't make sense to me either, unless snapchat is downloading encryption keys dynamically? Then you can MITM the key download, give the snapchat app your key, while storing the snapchat server key for your middleman use. Then the app sends you traffic encrypted with your key, your MITM server decrypts it to plaintext, makes a copy for "research", then re-encryps the plaintext with the snapchat-supplied key and sends it off to snapchat.
@DanielEriksson my ISP is the most reliable and affordable option in my physical area for internet. However, it's known for spying, selling user data, and lobbying against civil rights. I know this, so I don't want my ISP collecting all the website addresses I visit.
That's one way a VPN is supposed to help.
There are people for whom Facebook is their ISP. Facebook's Israeli-based VPN was probably advertised as a way to be more secure to people who couldn't easily find any advice about it.
@DanielEriksson in some areas they actually have more choice in the VPN than in the ISP.
But you’re right regardless of that.
@dangillmor
@DanielEriksson @dangillmor ISPs aren’t (that I’ve ever heard) vetted for privacy and data collection matters. There are VPNs — Proton, TunnelBear, IVPN and Mullvad as some examples — who take measures to demonstrably show that they ARE vetted.
People just need to care about their privacy enough to make good choices about such things.
Long live neoliberal capitalism. It will work all of us to death for the benefit of few…
Simply unnatural.
@dangillmor The only thing a VPN does is move your traffic from your ISP's internet link to your VPN's internet link.
If you're in Russia or China, that's likely a good tradeoff. If you're trying to circumvent region blocks, your VPN could be in the country that's not blocked. But in most cases, it's not a net win... and in this case, it's a very big net loss.
@khleedril I don't see a single reference to mixer networks here. That said, a mixer network does provide a lot more anonymization assuming the nodes are not all operated by a single entity.
Remember that most people use VPNs to avoid the firewall from their ISP, or from a content provider. Only some people are trying to be fully anonymous.
Matthew Lennig 🐀
Dan Gillmor
sandywb14
D. Creemer
Michael Bishop ☕
Peter Bindels
Pomegranate_Stew
Seth 🎙️
Joshua Crawford has moved
Leszek
Tom
Greg Johnson
Rod Faulkner
Christer
charlag
Simon Lucy
Andrew Wigglesworth
Daniel Gibson
TopKnot
shom 🐧📷🤿🏔️🪚✊🏽
Artemesia
Dr Daniel, Photon Shepherd🇸🇪🇦🇺
Tesmaia
A.L. Blacklyn
ArneBab
Reay Jespersen
Mike Ingram
zilla
Gemma 👽
xs4me2
Dark Photon Studio
JW prince of CPH
Khleedril
Metin Seven 🎨
tinfoilhat
Tor Iver Wilhelmsen
Waseem
pa28