New documents, unsealed by a federal court in California on Tuesday, show that Facebook used Onavo VPN to monitor user activity on rival platforms like Snapchat, YouTube, and Amazon.
The now-defunct VPN (virtual private network) service was marketed as a privacy tool to help users secure their internet traffic. However, Facebook used Onavo VPN to intercept the traffic of rival apps, spying on users’ activities to get a competitive advantage.
The documents from a 2016 class action lawsuit labeled these actions as Wiretap Act violations, which are serious federal offenses in the U.S.
Facebook Used a ‘Cyberattack Method’ to Spy on Competitors
Facebook’s surveillance operation, allegedly named “Project Ghostbusters,” spanned from June 2016 to around May 2019. According to the court documents, the name of the operation was “an apparent reference to Snapchat’s corporate logo, a white ghost on a yellow background.”
The documents reveal that Facebook used Onavo VPN to deploy a cyberattack technique known as “SSL man-in-the-middle” to position itself between its users and competitors’ apps. This allowed Facebook to decrypt and analyze encrypted traffic and gain strategic insights into how users engage with Snapchat, YouTube, and Amazon.
The court documents show that high-level Facebook executives, including Zuckerberg and COO Javier Olivan, were directly involved in the scheme to spy on users.
Zuckerberg and Olivan Emails Revealed
In 2016, Meta’s CEO, Mark Zuckerberg, expressed concerns over the growing popularity of Snapchat and the encrypted nature of its traffic, which prevented Facebook from gathering analytics through conventional means. According to the unsealed documents, Zuckerberg wrote to executives about harvesting analytics on Snapchat.
“Given how quickly they’re [Snapchat] growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this,” he wrote.
Olivan’s response suggested potentially paying users to “let us install a really heavy piece of software (that could even do man in the middle, etc.).”
In 2019, disclosures from a Congressional inquiry revealed that Facebook paid teenagers and adults to install research apps on their Android and iOS devices, granting the company access to their internet traffic.
The Onavo VPN Controversy Continues
This isn’t the first time Facebook has found itself at the center of a privacy controversy involving Onavo VPN.
Apple removed Onavo VPN from its App Store in 2018, citing privacy concerns. Google’s Play Store soon followed in 2019. That same year, Facebook stopped further development and support for the app.
In 2023, Australian officials fined Meta $13.5 million for using Onavo VPN to harvest user data for business purposes.
This revelation underscores the importance of using a trusted VPN. We only recommend VPN services with a history of transparency and dedication to protecting user data.
Our cybersecurity experts have run extensive tests on dozens of VPN services, and NordVPN topped our rankings. This VPN has multiple cutting-edge features and has displayed its commitment to transparency with multiple audits by independent third parties to prove that it doesn’t store user data.
Read our full NordVPN review to learn more about this VPN service and discover why it’s at the top of our rankings.
