Facebook’s reputation has sunk to a new low as it repeatedly prioritizes profits over privacy and user safety, according to a fresh batch of explosive court documents unsealed this week. The filings detail an elaborate, years-long scheme called “Project Ghostbusters” in which Facebook allegedly developed covert spyware to intercept and decrypt encrypted communications from rival apps and services like Snapchat, YouTube, and Amazon.
The revelations come from internal emails, memos and witness testimony made public as part of an ongoing antitrust lawsuit alleging that Meta Platforms (META) – Facebook’s parent company – abused its market dominance to unfairly kneecap competitors.
If proven true, the tactics described in Project Ghostbusters could constitute serious violations of federal and state wiretapping laws, computer fraud statutes, and data privacy regulations.
Crucially, the documents directly implicate Facebook’s founder and CEO Mark Zuckerberg as the leader of this operation who both orchestrated and green-lighted the digital surveillance program and theft of trade secrets from competitor platforms.
The Origins of “Project Ghostbusters”
Newly unsealed emails show that the seeds of Project Ghostbusters were planted in June 2016, when Zuckerberg raised concerns that Facebook lacked visibility into metrics and analytics for Snapchat’s burgeoning user base due to the app’s use of encryption to protect communications.
“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them”, Zuckerberg wrote in a June 9, 2016 email addressed to Javier Olivan, then Facebook’s VP of Growth. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them”, he added.
Zuckerberg then issued a direct order to Olivan: “You should figure out how to do this.”
Olivan quickly turned to a team at Onavo, an Israeli mobile analytics company that Facebook had acquired in 2013, responding that he had been “looking into this with the Onavo team” and suggesting that they could potentially pay users to “install a really heavy piece of software (that could even do man in the middle, etc.).”
The Solution: Decrypting User Traffic
Over the next month, Onavo staffers formulated a secret plan to develop covert software that could be installed on iOS and Android devices to intercept and decrypt communications to and from Snapchat’s servers before the data was encrypted. An internal email from July 2016 laid out their proposed technical approach:
“We developed ‘kits’ that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage (i.e. specific actions that people are performing in the app, rather than just overall app visitation). This is a ‘man-in-the-middle approach”, the communications revealed in the court documents reveal.
By positioning the spyware between users’ devices and Snapchat, the Facebook team could essentially impersonate Snapchat’s official app and analytics servers through a technique called “SSL bumping” that tricks users’ phones into thinking that they are communicating with Snapchat (SNAP) when, in reality, their encrypted data was being intercepted, decrypted and copied to Facebook’s servers.
If this all sounds pretty crazy to you, you’re not alone. Facebook and essentially all other social media sites like to collect as much data as possible from you without ruining the user experience. However, they don’t often install covert software to steal your data from another app.
In summary, Facebook (allegedly) intercepted communications that should have remained private, decrypted that confidential information, and used it to gain an unfair competitive advantage.
Ghostbusters Spied on YouTube and Amazon As Well
While Project Ghostbusters initially focused on getting inside Snapchat, the unsealed records indicate that these unlawful surveillance tactics were subsequently expanded to YouTube starting in 2017 and Amazon (AMZN) in 2018 as Facebook aggressively sought intelligence on how users engaged with a growing array of competitors.
In one particularly brazen email, a Facebook strategist conceded that Snapchat’s competitive struggles were likely due in part to changes that the social media company implemented as a result of its findings associated with the Onavo deployment under Project Ghostbusters. In other words, Facebook was weaponizing the stolen data to undermine Snapchat’s business by cloning its core features.
Indeed, within months of Ghostbusters launching in 2016, Facebook hurried its own copycat product called “Instagram Stories” to market, mimicking Snapchat’s signature ephemeral messaging capabilities.
A Snap executive testified that Facebook’s mimicry tactics, enabled by the covertly harvested data, impaired the company’s ability to effectively monetize its platform through advertising.
Even Facebook Knew Its Spying Operation Was Wrong
While Project Ghostbusters originated directly from Zuckerberg’s directives and involved senior executives like Olivan and others, the unsealed materials reveal that the program was not universally accepted within Facebook’s ranks.
Multiple messages show that the company’s head of security engineering at the time, Pedro Canahuati, strongly objected to the unethical digital espionage on both legal and moral grounds.
“I can’t think of a good argument for why this is okay”, Canahuati wrote in one 2017 email. “No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”
This gets t0 an extremely important point. Facebook may have engineered its terms of service so that its users would agree to this kind of spying but that doesn’t mean it’s ok. Absolutely no one, outside of a handful of cybersecurity experts, reads a platform’s terms of service. It’s simply way too much effort for users to get through it. Even worse, much of it is in technical or legal language that most people wouldn’t understand even if they read it.
Also read: 12 Best Phone Spy Apps Compared for 2024
Facebook’s then VP of infrastructure engineering, Jay Parikh, was quoted expressing similar legal concerns about the “man-in-the-middle” interception methods deployed under Project Ghostbusters.
The warnings appear to have gone unheeded, as damning evidence shows that Project Ghostbusters kept spying on competitors until around 2019 when the scheme was abruptly halted amidst scrutiny from journalists and regulators over Facebook’s data collection and privacy practices.
In early 2019, once the legal and PR dangers had crystalized, Zuckerberg himself was directly consulted on whether to terminate the wiretapping initiative. While the contents of the discussions are still sealed, what is clear is that the program’s potential criminal and legal exposure were squarely on Facebook’s radar.
As one former Facebook executive lamented in the court documents: “The company’s highest-level engineering executives thought the IAAP Program [Project Ghostbusters] was a legal, technical, and security nightmare.”
Epic Legal Jeopardy for Meta
For Facebook’s new parent company, Meta, the fallout from the Project Ghostbusters scandal could be catastrophic on multiple fronts. The most serious risk is likely criminal prosecution by the US Department of Justice for potential violations of federal and state wiretapping statutes. But it might not end there either. If Facebook spied on users from outside the US, it may be in legal jeopardy in the EU, UK, and elsewhere.
The documents outline practices that may violate laws such as the Federal Wiretap Act, which prohibits the intentional “interception” of electronic communications without consent.
Plaintiffs have directly accused Facebook of illegal wiretapping through Project Ghostbusters’ tapping and decryption of messages intended for the secure servers of YouTube, Snapchat, and other platforms.
This allegation could open the door for the companies directly affected by these spying activities to file civil lawsuits against Meta for intellectual property theft and violations of the Computer Fraud and Abuse Act, which bars unauthorized computer access to compromise security protocols.
Given the global scale of Facebook’s user base at the time, hundreds of millions of dollars may have had their privacy violated through Project Ghostbusters without their knowledge or consent. If it is found to have violated much of its entire user base, the company could go bankrupt to pay monolithic class action settlements.
Also read: New Regulations Gravely Threaten Apple’s $85 Billion Annual Services Revenue
Meta could also face severe regulatory blowback, fines, and penalties for the covert surveillance program from agencies like the Federal Trade Commission (FTC) and Attorney General’s offices from various states empowered to enforce data privacy and consumer protection laws.
Already, the company is facing intense antitrust scrutiny for its alleged anti-competitive practices that have undermined consumer privacy and suppressed competition. Meta, along with many of its big tech rivals like Apple, are facing potentially existential threats in these antitrust cases.
Having now been caught red-handed stealing trade secrets from its rivals, Meta may be hard-pressed to defend itself against allegations that it broke antitrust laws.
Severe Reputational Scandals Keep Popping Up
Beyond the legal liability headaches, perhaps the most damaging impact could be to Meta’s already tarnished reputation and trustworthiness with users, lawmakers, and marketers. The public perception that Facebook was knowingly and systematically violating their privacy on a massive scale to thwart competition could prove to be a corporate ethics scandal of epic proportions.
The fact that Project Ghostbusters was spearheaded directly by Zuckerberg and top lieutenants and continued for years, even after internal objections over its legality, only exacerbates concerns about accountability and guardrails at the company. It lays bare a callous, win-at-all-costs culture condoned at the highest levels.
Given the reputational hits that Facebook has already absorbed over data privacy fiascoes like the Cambridge Analytica scandal, the revelations concerning Project Ghostbusters may prompt another crisis of confidence from which Meta may struggle to recover once again.
Trust is the fundamental currency that allows a social media and ad-driven business model like Meta’s to flourish. However, faith in the platform is rapidly eroding amid cascading privacy violations, anti-competitive practices, and apparent contempt from leadership for ethical boundaries.
As the legal saga over Project Ghostbusters plays out, the societal reckoning over allowing Facebook to accumulate such unchecked power and engage in unlawful private surveillance activities may ultimately prove to be Meta’s biggest existential threat.
Even if it survives any lawsuits and regulatory scrutiny to come, the company’s shameful abuse of user privacy and digital subterfuge against rivals has been laid bare for all to see.