The ‘Ghostbusters project’ or how Facebook planned to spy on Snapchat users

An email from Mark Zuckerberg pressuring for Snapchat’s encrypted traffic to be analyzed, replies from senior Facebook executives, and the security chief’s misgivings. All this appears in the documents that detail how the company would have used cyberespionage techniques to track user behavior in the rival application Snapchat.

The emails were made public after a group of advertisers filed a lawsuit against Meta. They accuse the company of trying to monopolize the advertising market on social media between 2016 and 2019. The email exchange begins in June 2016. At that time, Snapchat was on the rise. For a brief moment, it was one of the fastest-growing apps. In the first six months of 2016, it went from having around 110 million users to 148 million. Meanwhile, Facebook was losing steam with younger generations and Instagram was in danger of becoming stuck as a photography app. That changed in August, when it launched her Instagram Stories, a carbon copy of Snapchat Stories. Its positive reception turned the tables.

This is just the context of what was happening in the market. What the documents reveal is the creation of a project, called IAAP and nicknamed “Ghostbusters,” in clear reference to the Snapchat logo. The project’s objective was to analyze Snapchat traffic with a kit integrated into the Facebook app. When users installed this app on their cellphone devices, it was able to collect information about their digital activity in other applications.

“Thanks to the kit, all the traffic that came from those phones ended up on a server controlled by Facebook,” explains Juan Tapiador, professor in the Department of Computer Science at the Carlos III University in Spain and specialist in cybersecurity. “In theory, what they did, was see if the traffic was from Snapchat and, if so, they examined a series of analytics on how users controlled the application.”

The documents outline a complex monitoring scheme using cyberespionage techniques. The project was based on the technology of Onavo, a VPN (virtual private network) application acquired by Facebook in 2013. Deepak Daswani, a cybersecurity and hacking consultant, explains that user traffic would have passed through servers that acted as intermediaries. “At a conceptual level, this would be a man-in-the-middle attack, because the VPN service is placed in the middle, between the user traffic and Snapchat. And it can decrypt a certain amount of information,” he explains.

Mission: intercept and decrypt user traffic

The documents reconstruct how Facebook would have launched its Ghostbusters project to intercept user traffic from certain websites. Not only Snapchat, YouTube and Amazon user behavior would also have been analyzed. The company would have offered incentives to some users to install a modified Facebook application. These users would have consented for the app to collect their data.

The initiative was sparked by an email sent by Facebook CEO Mark Zuckerberg on June 9, 2016. In the message, he said there was little analytical data about Snapchat because its traffic was encrypted. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this,” Zuckerberg wrote to three senior managers.

In the ensuing email exchange, the difficulty of obtaining the technology necessary to observe Snapchat’s encrypted traffic is discussed. And there is speculation that it would possibly require “legal approval.” However, the Onavo VPN team within Facebook started to developing a solution and came up with a program that the company deployed for three years, according to the documents.

There were misgivings at the highest levels. The documents cite Pedro Canahuati, who was then vice president of Engineering, Security and Privacy: “I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”

Indeed, it was not at all clear how Facebook would be analyzing users’ data. When connecting to a web page, the page has to be signed by a Certification Authority trusted by the user’s browser or application. This is the only way for a device to know that it is connecting to the authentic site and not an impersonation. However, the kit in the modified Facebook application distorted this process.

Tapidador sheds some light on how the process worked. “If you connect to a web page and that web page is signed by a ‘certification authority,’ you automatically trust it. And you know that you are connecting to snapchat.com or elpais.com. When you installed the Facebook application, what they did was install Facebook’s own certification authority internally.”

Facebook’s certificate authority told the device to trust that the user was connecting to Snapchat. However, the user’s traffic went to Facebook’s servers first, for analysis.

Daswani highlights the importance of VPN technology to the scheme: “Facebook, if it is a VPN provider, can see all my traffic that goes through the VPN, my traffic that goes to Twitter, to Facebook, to WhatsApp and to another provider. With this Onavo application, what they did was access the network traffic and analyze it.”

All this traffic was encrypted. In other words, a third party could not have simply analyzed it. But under this operation, Facebook was no longer a third party. In traffic encryption, the keys that protect information are generated through a collaboration between the application and the destination server: where data is sent from and received. And in this case, the destination server was Facebook’s, which was part of the key generation process and, as a result, could decrypt the traffic.

Tapiador explains that the traffic did not come from the user to Snapchat. “What happens is that they then make what is called a transparent proxy. They take the traffic, open it, look at it and, from that server, they connect to Snapchat pretending to be you,” he explains. In this way, users can see the result of their activity: if they touch an image it opens, if they scroll the screen, it moves. “But in the middle, there is someone who has opened the envelope, read what is inside, put it back in another envelope and sent it to its destination.”

In a letter sent to the judge investigating the case, Meta — Facebook, as a company, changed its name in 2021 — denies that the software discussed in the documents is linked to an alleged monopoly on advertising, which is the object of the lawsuit. It also indicates that users of the modified Facebook application (“Facebook Research App”) consented to giving their browsing data to the company. “There is nothing new here. This matter was reported years ago. The plaintiffs’ allegations are unfounded and completely irrelevant to the case,” said a Meta spokesperson in statements to this newspaper.

According to the documents, a team of senior managers and around 41 lawyers worked on the Ghostbusters project.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition