Newly unsealed emails reveal that when Meta was still called Facebook, CEO Mark Zuckerberg told his executives to find a way to learn how people were using competing apps like Snapchat, even if the information was encrypted.
Zuckerberg wrote in a June 2016 email to Javier Olivan, who was then Facebook’s head of growth, that he wanted a better answer to questions about Snapchat’s usage and growth than “because their analytics are encrypted we have no analytics about them.” At the time, Snapchat was still a private company with strong user growth.
The correspondence was made public last week as part of ongoing litigation in a California federal court, in which Meta is accused of anticompetitive behavior in the social-media ads market.
Two months after the email was sent, Facebook launched Instagram Stories, where users could post pictures and videos that would disappear after 24 hours — a feature pioneered by Snapchat. Stories has since become one of Instagram’s most successful developments.
“Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them,” Zuckerberg said about Snapchat in the email to Olivan. “Perhaps we need to do panels or write custom software. You should figure out how to do this,” he wrote.
Olivan, who has since become Meta’s chief operating officer, replied to Zuckerberg’s email saying he had been “looking into this with the Onavo team,” referring to the traffic-analysis app that Facebook acquired in 2013, which was working on a project to gather samples of how people used their phones beyond Facebook’s apps.
Olivan then passed along Zuckerberg’s email to Guy Rosen, who cofounded and continued to run Onavo, asking for “out of the box thinking.” Rosen is now Meta’s chief information-security officer.
The eventual result was a “task force” within Onavo called the “In-App Action Panel,” or IAPP (it was internally called the “Ghostbusters” project because Snapchat’s logo is a white cartoon ghost), according to a July 2016 email written to Olivan included in the unsealed court documents.
Decrypting data to track competitors
Facebook’s use of Onavo to get insights into how mobile users interacted with competitors’ apps was the focus of a 2017 story by The Wall Street Journal. The app “doesn’t (can’t) decrypt data,” a Facebook employee said in an email to Zuckerberg that was included in a court document.
The email said the task force created software “kits” that could be “installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage (i.e. specific actions that people are performing in the app, rather than just overall app visitation). This is a ‘man-in-the-middle approach.'”
Meta did not reply to a request for comment from Business Insider before this story’s publication. A spokesperson later replied, saying: “There is nothing new here — this issue was reported on years ago. The plaintiffs’ claims are baseless and completely irrelevant to the case.” Though outlets have reported on Onavo’s work tracking rival app usage, the details of Meta’s role, the executives involved, and the surrounding communications have only come to light since the documents were unsealed.
These software “kits” created a path for Onavo to redirect and decrypt mobile–user traffic by effectively impersonating the servers of Snapchat, and later YouTube and Amazon, according to an unsealed letter to the court from the advertiser plaintiffs. The letter claimed that Facebook did this through a process called secure sockets layer, or SSL, bumping, which is a method of encrypting internet traffic.
The advertisers suing Meta have said the company failed to disclose its use of Onavo technology to intercept rivals’ analytics traffic. They said such conduct violated US wiretapping laws and allowed Facebook to hike its ad rates beyond what it could have charged in a competitive market.
The July 2016 email said that third parties could be used to recruit users to install Onavo’s software and that these users would not see any company branding unless they took the extra step of using a tool like Wireshark to analyze it. In 2019, TechCrunch uncovered a link between Onavo, Facebook, and a “research” app that people — including kids as young as 13 — had been paid to download.
Not all of Facebook’s leadership was happy about the company’s efforts to decrypt user traffic on competing platforms. In another letter from the advertising plaintiffs, a former vice president of security and privacy said of the IAAP: “I can’t think of a good argument for why this is okay.” Mike Schroepfer, Meta’s former chief technology officer, is quoted as saying at the time: “If we ever found out that someone had figured out a way to break encryption on [WhatsApp] we would be really upset.”
Are you a Meta employee or someone with a tip or insight to share? Contact Kali Hays at [email protected] or on secure messaging app Signal at 949-280-0267. Reach out using a non-work device.
Read the full article here