However, the latest court documents indicate that Meta’s IAAP program expanded to target encrypted analytics traffic from competitors beyond Snapchat, including YouTube and Amazon. Allegations suggest that Facebook employees developed customized client and server-side code based on Onavo’s VPN proxy app and server stack.
The code included a client-side “kit” that installed a “root” certificate on users’ mobile devices, enabling Facebook to intercept SSL traffic. Additionally, custom server-side code, utilizing an open-source web proxy known as “squid,” was employed to create fake digital certificates. These certificates were used to impersonate trusted analytics servers of Snapchat, YouTube, and Amazon, redirecting and decrypting secure traffic for Facebook’s analysis. As outlined in the court filings, this process underscores Facebook’s strategic and technologically advanced approach to data interception and analysis.
Moreover, the Advertisers Plaintiffs assert that Meta’s legal team was intricately involved in designing, implementing, and expanding the IAAP program throughout its duration. They argue that this level of legal oversight implies complicity in the alleged criminal conduct.
Central to the Advertisers’ argument is the violation of the Wiretap Act, which criminalizes the intentional interception and use of electronic communications without consent. They contend that Meta’s actions breached this statute and interfered with competitors’ contractual relations with their users.
Meta did not respond to requests for comment on the allegations.