Hacker News

If an individual had somehow done this, I expect that the Computer Fraud and Abuse Act would be used against them. With Meta, we'll see.



I heard about this a few years ago. The trial participants were informed, consented, and paid. If you consent to a root cert being installed and analytics being proxied, well, that's that.


Two issues. 1) Did Snapchat consent to this? And 2) did the users know what they were consenting to?

Saying we’re going to do “traffic monitoring” doesn’t carry the weight of “we are going to listen to your private conversations”.


Why would Snapchat need to consent? It's my traffic.

I'd wager that most participants don't know the full details of the program, but "company pays you for your usage information" is a very old thing. You could (maybe you still can) get paid to install a box on your TV that recorded all of your viewing statistics to be used for market research.

To me, the biggest concern is that this is only really viable because Facebook had nontrivial market penetration of a more-or-less unrelated product to their main offering. This isn't something that Snapchat could have easily done to get market research on Facebook usage, for example. This feels (to me) more like an anticompetition concern rather than a privacy concern.


Here’s how I see it. This is akin to opening your USPS mail and reading your correspondence with a friend, when instead they could’ve checked who the mail was addressed to.

If Facebook wanted to learn the protocol Snapchat uses, they only needed a single test device. If they only needed to learn usage patterns, they could’ve checked where the traffic is sent to or app usage time etc.

Installing a root certificate is very intrusive, and their behavior shows that if they are ever given the opportunity to become a root certificate authority, they are likely to issue malicious certificates. As far as I know, no website can pin their certificates, so this takes us back to pre-HTTPS days where ISPs and network operators had a lot of fun reading user traffic.
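The comment above turns on what a user-installed root certificate buys an interceptor, and what certificate pinning in the client would do about it. The following Go program is an added example written for this thread; it is not code from the thread, from Facebook/Onavo, or from Snapchat. It constructs a throwaway PKI in memory: a genuine CA and a leaf for a hypothetical backend `api.example.invalid`, plus a second, "installed" root that issues its own leaf for the same hostname, the way a MITM proxy does once its root is in the device trust store. Plain chain validation accepts both leaves; an app that also pins the SPKI hash of its own CA accepts only the genuine one. The CA names and hostname are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn, signed by parent/parentKey, or
// self-signed when parent is nil. CA certs get the CertSign key usage; leaf
// certs get a DNS SAN and the ServerAuth EKU so host validation works.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form of pin
// used by HPKP and by the common mobile pinning libraries.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyChain is what a client without pinning does: trust anything that
// chains to a root in the device trust store for this hostname.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// verifyPinned validates the chain as above, then additionally requires that
// some certificate in a validated chain matches one of the app's pins.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins []string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			for _, p := range pins {
				if spkiPin(c) == p {
					return true
				}
			}
		}
	}
	return false
}

// Scenario is the constructed PKI: the app's genuine CA and leaf, a rogue root
// that an installed app added to the trust store, and the leaf that root
// minted for the same hostname.
type Scenario struct {
	Host       string
	Genuine    *x509.Certificate
	MITM       *x509.Certificate
	TrustStore *x509.CertPool // both roots, as on the consenting user's phone
	Pins       []string       // the app ships the SPKI hash of its own CA
}

func buildScenario() Scenario {
	host := "api.example.invalid" // hypothetical backend hostname
	genuineRoot, genuineKey := newCert("Genuine Root CA (demo)", true, nil, nil)
	genuineLeaf, _ := newCert(host, false, genuineRoot, genuineKey)
	rogueRoot, rogueKey := newCert("Installed Proxy Root (demo)", true, nil, nil)
	mitmLeaf, _ := newCert(host, false, rogueRoot, rogueKey)
	pool := x509.NewCertPool()
	pool.AddCert(genuineRoot)
	pool.AddCert(rogueRoot)
	return Scenario{host, genuineLeaf, mitmLeaf, pool, []string{spkiPin(genuineRoot)}}
}

func main() {
	s := buildScenario()
	fmt.Println("genuine leaf, chain only:", verifyChain(s.Genuine, s.TrustStore, s.Host))
	fmt.Println("MITM leaf,    chain only:", verifyChain(s.MITM, s.TrustStore, s.Host))
	fmt.Println("genuine leaf, pinned:    ", verifyPinned(s.Genuine, s.TrustStore, s.Host, s.Pins))
	fmt.Println("MITM leaf,    pinned:    ", verifyPinned(s.MITM, s.TrustStore, s.Host, s.Pins))
}
```

Two caveats for anyone reading this as a defence. Pinning lives in the client, not on the website, so it protects an app that ships pins and is only as strong as the app binary: an interceptor who can modify or instrument the app can remove the check, which is why it raises the bar rather than ending the game. Separately, apps targeting Android 7 and later do not trust user-installed CAs by default, so a proxy that relies on a user-added root cert only works against apps that opt back in to the user store.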


That box on your TV would have been a Nielsen box which sat on your TV and was connected to your landline. It didn’t collect anything automatically: every time you turned the TV on you were contractually obligated to press a button every 20 minutes to have the box call Nielsen and log a datapoint.

Those boxes have been phased out in favour of “Personal People Meters”[0], which are basically a pager with a SIM card that you wear which has a microphone listening 24/7 for TV broadcasts. You must keep it on you, listening at all times.

Nielsen will pay you $250/year (less than a dollar a day) for the data you provide.

[0] https://en.wikipedia.org/wiki/Portable_People_Meter


Had them here in the UK, used to get a free TV license for the inconvenience. My mate always pressed the same button despite what channel we were watching though, so there is that...


> My mate always pressed the same button despite what channel we were watching though

“They like Itchy, they like Scratchy, one kid seems to love the Speedo man… what more do they want?”


They would because the communications involve 2 parties. Your consent to someone snooping on my calls with you should not be enough, because for example, you still need my consent to record calls I have with you.

Now, Meta decides to MITM the communications that I intentionally encrypted so that it can gain a competitive advantage… well, remember when Meta kicked out researchers who had obtained consent from users to perform research on its platform? That was not even illegal. This is.


At least in the US, most states are single party consent.

The whole thing's a mess, but it's funny to me that people would get indignant over a user letting another party intercept analytics data. "Hey, that's my data from spyware! Get your own!" As if their "consent" to collect the data in the first place were any less flimsy than Facebook's.


AFAIK only in some instances; in some they were not paid, and informed consent is in all cases quite questionable.

edit: I think this is something I wouldn't call informed consent: "Of particular concern was that users as young as 13 were allowed to participate in the program. Connecticut Senator Richard Blumenthal criticized Facebook Research, stating "wiretapping teens is not research, and it should never be permissible. This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior.""[1]

1: https://en.m.wikipedia.org/wiki/Onavo


Could malware authors add a clickthrough EULA and be off the hook?





