Undercover Project: Facebook Monitored Snapchat Traffic Without Users’ Knowledge, According to Confidential Documents

In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers. The goal was to understand users’ behavior and help Facebook compete with Snapchat, according to newly unsealed court documents. The documents reveal how Meta tried to gain an advantage over its competitors, including Snapchat and later Amazon and YouTube, by analyzing the network traffic generated when its users interacted with those competitors’ apps. Given that Snapchat encrypted the traffic between the app and its servers, this network analysis technique was not going to be effective.

In 2016, Facebook started a top-secret project with the intention of intercepting and decrypting the network traffic between users of Snapchat and its servers. Court documents that were recently unsealed reveal that the objective of this project, codenamed “Project Ghostbusters,” was to gain insight into users’ behavior and compete with Snapchat. The name of this project was a clear nod to Snapchat’s iconic ghost logo.

On Tuesday, a federal court in California released newly discovered documents in the ongoing class-action lawsuit between consumers and Meta, Facebook’s parent company. These documents shed light on Meta’s attempts to gain an advantage over its competitors, including Snapchat, Amazon, and YouTube, by analyzing the network traffic of its users’ interactions with these competing platforms. However, this was not an easy task as these apps all used encryption to protect their traffic. Therefore, Facebook had to develop specialized technology to bypass this encryption.

One of the documents lays out the details of Facebook’s Project Ghostbusters. It was part of the company’s In-App Action Panel (IAPP) program, and it utilized a technique for intercepting and decrypting encrypted app traffic from users of Snapchat, and later from users of YouTube and Amazon, as stated by the consumers’ lawyers in the document.

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted, we have no analytics about them,” Meta CEO Mark Zuckerberg wrote in an email dated June 9, 2016, which was made public as part of the lawsuit. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

To tackle this challenge, Facebook’s engineers turned to Onavo, a VPN-like service that the company acquired in 2013. Facebook shut down Onavo in 2019 after it came to light that the company was secretly paying teenagers to use the service, giving Facebook access to their entire web activity.

After receiving Zuckerberg’s email, the Onavo team took on the project and, a month later, proposed a solution. They suggested using “kits” that could be installed on both iOS and Android devices, which would intercept traffic for specific sub-domains. This would allow them to read what would otherwise be encrypted traffic and gather data on in-app usage. This approach is known as a “man-in-the-middle” attack, in which hackers intercept internet traffic between two devices and gain access to sensitive data, such as usernames, passwords, and other in-app activity.

However, this technique would not be effective with Snapchat’s encrypted traffic, and that’s why Facebook engineers turned to Onavo. When activated, Onavo could read all of the device’s network traffic before it was encrypted and sent over the internet, giving Facebook the ability to measure detailed in-app activity. This included parsing Snapchat analytics collected from incentivized participants in Onavo’s research program, as stated in another email.

According to the court documents, Facebook eventually expanded the program to also include Amazon and YouTube.

Not everyone at Facebook was on board with Project Ghostbusters. Some employees, including Jay Parikh, the company’s then-head of infrastructure engineering, and Pedro Canahuati, the then-head of security engineering, expressed their concerns.

“I can’t think of a good argument for why this is okay. No security person is comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works,” Canahuati wrote in an email, which was also included in the court documents.

In 2020, two Facebook users, Sarah Grabert and Maximilian Klein, filed a class-action lawsuit against the company, alleging that Facebook lied about its data collection practices and used the data it obtained deceptively to identify competitors and unfairly compete against them.

When reached for comment, an Amazon spokesperson declined to comment. Google, Meta, and Snap did not respond to requests for comment.

Zara Khan

Zara Khan is a seasoned investigative journalist with a focus on social justice issues. She has won numerous awards for her groundbreaking reporting and has a reputation for fearlessly exposing wrongdoing.
