I also hope that any ethically minded engineers inside Meta take a stand against this BS. The only way stuff like this happens is because engineers working on these projects decide that they can set aside whatever morals they may have had for the price of a big fat FAANG pay cheque. It's about time our profession adopted a code of ethics, like that of the ACM[1]. To the engineers who _have_ walked away despite the obvious pressures, I salute you.
This was news … 5 years ago, I think, I don’t know why it blew up again. But context matters:
Onavo provided a compression + VPN service for people traveling; they let users use little or no data while roaming, and still get internet access. I do not know what their original business plan was, but Facebook bought them for the ability to spy on users.
Their MITM was, in fact, the raison d’etre of Onavo. And then, they were bought by Facebook. And then there was just some more analytics added. At no point, as I understand it, was it built explicitly for evil - and I suspect very few employees were in on the real reasons.
Nah, I've met enough amoral people over the course of my career to know that's not the case. However, the overwhelming majority of people I've worked with are people who do have morals and do care about the outcomes they're creating, and that gives me great hope.
I am happy to answer any questions you have about questioning or ethics at the time. Assuming that people's reaction to this was wrong, while not knowing what that reaction was, or having less than 5% of the context, isn’t going to help much.
Short answer: No, there were strong arguments for it. I reached out for institutional support to answer some questions, groups that I expected to be a lot more supportive than the ACM, but I found the reaction seriously lacking. Your intuition that groups like the ACM should offer assistance is sensible but completely overlooks many problems: geopolitics, different types of security, and individual capacities, among others. Each institution has its priorities; those are not always compatible, and it’s unclear who should have precedence. The ACM won’t help you if the argument is the kind of compromise with the devil that spy agencies often make or if problematic tools are used in efforts to dismantle large criminal groups.
I understand that things are often more nuanced than they may appear, and in questions of moral judgement there will always be room for fuzziness. Personally I think the idea of compromising security for everyone in order to make life a little easier for the TLA's is not something I'd feel comfortable doing. I consider an individuals right to privacy paramount, something without which we risk unbounded tyrannical rule. Others will probably feel differently when presented with 'think of the children' style arguments. I'm glad to hear though that you were at least conflicted enough to be asking questions.
You simply legislate that if a company is building anything that will be used regularly by more than eg. a few thousand people, then the work must be designed and/or signed off by a licensed engineer, who will a) be subject to a code of ethics and b) be professionally liable for any failures causing loss or damage to the public.
We seem to be able to manage this with bridges, planes, electrical & hydro installations etc. No reason it shouldn't be the same for critical software infrastructure.
I mean with a thing like a plane you can say "that's not allowed in our state/country", with software that starts to get a whole lot more problematic. Soon you'll see people starting to push laws that say things like "because people are running dangerous software from outside the country we demand that only signed software can run on our phones/computers and that devices here must enforce it" coming out of our politicians that seemingly get a pile of cash from groups like Microsoft and META.
It's perhaps not 'critical' in the sense that losing it would matter much, but it is worth caring about because of the number of people who are affected if/when things go wrong.
1. https://www.acm.org/code-of-ethics