Facebook's Onavo VPN used to wiretap competitor data, court filings reveal

Facebook used its Onavo VPN system to illegally track its users when they accessed Snapchat and other competitors' apps, newly unsealed court filings reveal.

The so-called Project Ghostbusters, a name echoing the rival's iconic logo, appears to have been just the beginning of the wider In App Action Panel (IAAP) program, which aimed to spy on competitors' traffic to gain a commercial advantage. The program is thought to have run between June 2016 and approximately May 2019, with YouTube and Amazon being the next targets.

Meta, Facebook's parent company, employed its controversial VPN service as a way to intercept and decrypt the traffic between the people accessing its service and competitors' servers. The company shut down Onavo in 2019, following a TechCrunch investigation revealing the spyware-like VPN software was employed in a research project to collect sensitive user data from paid volunteers aged between 13 and 25.

New Facebook tracking revelations

"Facebook’s IAAP program conduct was not merely anticompetitive, but criminal," read the filings revealed on March 26, 2024, by a federal court in California during the class action lawsuit between consumers and Meta.

Everything kicked off in June 2016, when Mark Zuckerberg, founder and CEO of Meta, asked his team to "figure out a new way to get reliable analytics" into Snapchat's encrypted data as the platform was starting to gain traction in the market.

The Onavo team took things into their own hands, coming up with a solution about a month later. They would use a method known as "SSL man-in-the-middle" to decrypt Snapchat's protected traffic to inform Meta's business decision-making. Man-in-the-middle is a popular cyberattack tactic in which perpetrators position themselves between a user (in this case, Facebook users) and a given application.

The solution appears to have been so successful that it was later rolled out on a larger scale against other Facebook rivals, namely YouTube and Amazon, starting in 2017 and 2018 respectively.

According to the court documents, Facebook’s lawyers were "near-constantly involved in the design, deployment, and expansion" of the company’s IAAP program.

However, as TechCrunch reported, not everyone working at Facebook was eager to cross this red line. For instance, the then-head of security engineering Pedro Canahuati expressed his concerns over the practice. "I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works," he wrote in an email.

Plaintiffs Sarah Grabert and Maximilian Klein filed the ongoing lawsuit against Facebook in 2020, accusing the company of lying about its data collection practices and deceptively extracting data from users to unfairly compete against new rivals in the market. 

Chiara Castro
News Editor (Tech Software)