Just keep in mind that Meta has not changed a bit since then.
This is from two months ago, when it was found that their Android app listens on a localhost port in order to send identifiers from webpages to their app via WebRTC so that they can still track users.
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
I wonder how it feels to be an engineer at Meta. Do you leave your conscience at the door when you start the workday? Make no mistake, if this company pays your salary, you are an accomplice no matter if you personally did take part in it. How do you look yourself in the eyes?
A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
If this is true, why is this a civil lawsuit? Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
I assume because there was no actual hacking. I'm guessing users consented to this. As a user I should be able to view all traffic from my device and also give other third parties permission to view all traffic on my device. If I can't do this, is it really my device? It's not too much different from what Nielsen was doing when they installed boxes in people's homes to record what TV shows they were watching.
>Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
Because there's probably some clause buried in the ToS that gives them the right to do this, so it would not count as "exceeds authorized access" under the CFAA.
edit: it's not even buried. there's a screen that specifically says "facebook uses aggregated onavo data for market and business analytics"
So... Where was the negotiation step where there was the option to do VPN'ry without the surveillance? Take it or leave it license agreements in my opinion violate meeting-of-the-minds, and our legal system has just cut a pass for the last half a century to one sided take it or leave it levels of exploitative entering into contracts at scale. Not one company, in particular, tech companies, have a legal pipeline that can support redlining a contract or facilitating negotiation at scale which is the actual desired incarnation of contract law as a tool of mutual empowerment through agreements. We need to seriously hold our system to account for building only the accept as-is part of the pipeline, but not the negotiation side of the pipeline.
Make no mistake either, as that was an intentional decision to chase growth in the interests of becoming TBTF. We need to clamp down and make it clear, big mofos do not get to call unilateral shots and that it is not acceptable for terms to be dictated only in one direction. Yes, this complicates the hell out of business logic, but ya know what, the ones who have TBTF'd have drank of the waters of economies of scale to get the sweet draught, it's about damn time they got the bitters too.
>Take it or leave it license agreements in my opinion violate meeting-of-the-minds, and our legal system has just cut a pass for the last half a century to one sided take it or leave it levels of exploitative entering into contracts at scale.
I might be sympathetic to this if this was some essential service with strong network effects such that there's no alternative (eg. facebook or whatsapp), but that's not the case here. This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
>This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
You mean like a loud ass bell rings? Point out to me a single piece of software utilizing a EULA that supports individual redlining and renegotiation on a user by user basis, with a feedback loop tight enough to be reasonable. I'll wait. The point is there might be the illusion of user choice there, but when the overarching legal framework operates in unity in a take it or leave it fashion, with no escape hatch, every business model behaves the same. No one builds the business willing to charge for contractual dumb pipe, because everyone is just dumping anyone else who won't take the default terms. The entire architecture of our networked world has turned into building machines through which everyone gives up every right and civil protection through a goddamn click, nevermind the fact Third Party Doctrine in this age has completely dismantled the 4th Amendment by extension.
>Point out to me a single piece of software utilizing a EULA that supports individual redlining and renegotiation on a user by user basis, with a feedback loop tight enough to be reasonable. I'll wait.
If you want apps priced at $0.99 or even $99.99, standard form, take it or leave it contracts is the only game in town, for pure economic reasons. No company is going to bother getting legal involved to negotiate a bespoke contract for anything with less than 5 figures TCV.
And that's the problem. Contracts weren't meant to cover everything. We've taken a legal instrument, and based the entire bloody economy around it without bloody stopping to realize that, oh geez maybe having people click through a billion contracts they don't bloody read might cause deleterious effects in the civic macrocosm. The fact you're sitting here telling me it's a non starter just cements my point. The tech industry is predicated on predatory legalism, and click wrapped contracting. In point of fact, if you took the digital product away and tried to click wrapped literally anything else, the consumer would laugh at you. Only with digital products, whose terms can be changed at the will of the hosting company's legal department unilaterally, with no notice, and no recourse, other than termination of service is the root of the bloody problem. And we have an entire generation of business people who have been educated to think this behavior that results in massive exposure of clients personal data to outside firms and legal processes are 100% A-OK. If you think it'd be impossible to do business any other way, you are unironically one of the benefactors of the problen created and enabled by tech.
You can file a civil lawsuit. You may or may not be able to persuade the prosecutor to file a criminal case.
The video near the middle of the page shows fairly clearly what they did, with accurate and understandable descriptions of shady behaviour. I think a capable prosecutor might regard it as difficult to prove that behaviour illegal. Shady, sure, but in dubio pro so why even prosecute.
So that leaves a civil lawsuit. There's no need to persuade a prosecutor for a civil lawsuit, and the balance of evidence counts, there's no in dubio pro.
Because Facebook is key to their online surveillance, so Facebook making itself better is making itself more effective to the state surveillance apparatus
> Onavo Protect Android app, which had over 10 million Android installations, contained code to prompt the user to install a CA (certificate authority) certificate issued by "Facebook Research" in the user trust store of the device. This certificate was required for Facebook to decrypt TLS traffic.
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
While OP is a bit hyperbolic here CloudFlare essentially is a Man In The Mittle. They serve your content via a CDN and cache it around the globe. If you use cloudflare, the SSL terminates at their servers, meaning that (theoretically) they could read al contents send via their network. While yes, you can put on you tinfoil hat and say that this is an central intelligences dream to have such a global man in the middle proxy there are no fact based reports that undermine cloudflare abusing their position.
They mostly make their money by selling you better services on their CDN such as image scaling etc.
There was a guy, Snowden or something, who got some first party reports. They stated that no magical quantum crypto breaking happened at global scale, keys were simply stolen, or backdoors were used to access clear text on sender or receiver.
Ephemeral keys (not stored for possible future leakage) quickly became the default, and assumptions about global data gathering changed. Then, all of a sudden, “free” service appears that makes all of TLS improvements, bug and small, practical and theoretical, useless. What a coincidence!
For some reason, you assume that people who have been stealing everything they can (because doing crime for the Big Guy is not a crime) consider this specific company untouchable. This is impossible. Every country in the world wants to have its spying capacity at maximum (following the shameless example), and to flex muscles at American services doing the same. The reason we only read about clashes over movie piracy and other petty stuff is because more serious matters have been discussed and dealt with.
Facebook offers “free” hosting and other services for individuals (social networks are poor walled versions of the Web). Cloudflare offers “free” CDN and other services for website owners. Actual business model is the same, lies are still lies.
Hyperbole is my middle name, but I just find it repulsive that CloudFlare breaks the chain of trust, and somehow everybody is just okay with that. I'm not saying it makes HTTPS pointless, but we've moved from end-to-end encryption to trust-me-bro. Is CloudFlare malicious? Probably not - at least not right now. But I think my browser should warn me that my connection is not E2E secure, because it's not.
All cloud services are in a similar position; they hold the private TLS keys and could reveal them in response to legal process, allowing active MITM (perfect forward secrecy prevents passive data theft without more intrusive realtime access to VM RAM).
Only a very specific configuration of "Confidential Computing" (based on AMD SEV or Intel TDX) where boot attestation is checked remotely before private keys are sent from an on-premise store (or a fully trusted hosted HSM) to the remote VM could prevent a cloud provider from intercepting private key material, and only then as far as boot attestation and SEV/TDX is trusted.
On a side, but related note; all our societies need to reevaluate the corporate protections from personal liability when the activities breach the articles of incorporation, the so called veil; barring demonstrated accident or mistake.
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination, has approaching zero power, bu the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
I'm for more personal liability, but corporate higher-ups are pretty good at communicating their illegal desires to subordinates without saying the illegal part out loud.
I think the corporate death penalty is underused. Being in leadership when a corporation is dissolved for committing crimes is probably bad for one's future employment prospects.
Could it be that the problem is actually prosecutorial discretion?
In Sweden we have something called an absolute duty to prosecute, which means that for most crimes, if there's evidence and enough to get a conviction, the prosecutor has an actual absolutely duty to prosecute.
So if this had happened here, I could report this to the police as 'unapproved intelligence activity against a person' and the prosecutor would have to, provided that there's enough evidence, prosecute the person for this.
Prosecutors here do have a love of dismissing things due to lack of evidence though.
I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data. And yet, he's walking free. Do we think he's reformed? Or is he probably going to do the same thing again as soon as he gets the chance, knowing that he got away with it once before?
>I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data.
No, Zuckerberg said to "get reliable analytics" and that maybe they need to "do panels or write custom software". The subsequent emails of "hey I made an app that does MITM on snapchat" did not involve Zuckerberg.
If I were a lawyer trying to defend Zuckerberg, in a court where we take turns pontificating in front of a jury, and I wanted to do some lying by omission and hope that is the one thing that sticks in their minds, I'd probably say exactly what you just wrote.
But this is the court of public opinion, and people are going to read your post about 5 seconds before they read mine, so that won't work. I think online debate is a lot better at getting to the truth than courts of law, actually. So while Zuckerberg may be ruled innocent, we can put him in the same category as OJ Simpson and Donald Trump and carefully caveat our assertions that he's guilty with "in my opinion" to avoid a slander case.
Of course, what you said is false. He didn't just shoot off an email with "get reliable analytics!", as you put it, like some kind of whimsical silly CEO on a kid's cartoon. He said: "their (instagram's) data is encrypted and we have no analytics about them" (seemingly implying that if their data wasn't encrypted, they would have data about it, because they would just spy on it). He then immediately proceeds to say they need to "get reliable analytics about them". He THEN immediately proceeds to clarify by saying that they might need to "write custom software" and that "you should figure out how to do this" (seems like a subtle hint that they should "figure out" his subtext here).
And then, what do you think happened? His underlings went rogue and developed iOS hacks that would allow them to decrypt traffic, and he didn't approve it or know about it? If this were court, that would probably be a good argument to achieve a not guilty verdict.
So while you're probably right that this doesn't qualify as a "smoking gun" in court, it should convince everyone who's capable of reading it.
1. regardless of whether zuckerberg was actually involved or not, the evidence presented so far isn't a "smoking gun".
2. they're apparently smart enough to not put it down on email, but apparently Ferrante (a Director of Data Science, according to a hardvard site) was too dumb and wrote a email that said "yep, we made an app that does MITM attacks on snapchat"?
Just keep in mind that Meta has not changed a bit since then.
This is from two months ago, when it was found that their Android app listens on a localhost port in order to send identifiers from webpages to their app via WebRTC so that they can still track users.
Covert web-to-app tracking via localhost on Android - https://news.ycombinator.com/item?id=44169115
Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
I wonder how it feels to be an engineer at Meta. Do you leave your conscience at the door when you start the workday? Make no mistake, if this company pays your salary, you are an accomplice no matter if you personally did take part in it. How do you look yourself in the eyes?
The ones I've met thought they were doing the world a favor
Until you realise the whole operation is a Mossad and US intelligence front.
Don't run a VPN from a company whose entire business model is knowing everything about you and what you do online.
How is it not a criminal offence to impersonate a different company to decrypt customer data?
What is criminal depends on how much money you have.
It's more about only exploiting people who have less money than you do.
It is, but they bribe the people who police this
Quote:
A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from user's devices running the Onavo Protect app in order to gain competitive insights.
If this is true, why is this a civil lawsuit? Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
I assume because there was no actual hacking. I'm guessing users consented to this. As a user I should be able to view all traffic from my device and also give other third parties permission to view all traffic on my device. If I can't do this, is it really my device? It's not too much different from what Nielsen was doing when they installed boxes in people's homes to record what TV shows they were watching.
>Shouldn't the government prosecutors handle this "hacking" case and demand jail time, like they do for $random_kid playing around with security vulnerabilities?
Because there's probably some clause buried in the ToS that gives them the right to do this, so it would not count as "exceeds authorized access" under the CFAA.
edit: it's not even buried. there's a screen that specifically says "facebook uses aggregated onavo data for market and business analytics"
So... Where was the negotiation step where there was the option to do VPN'ry without the surveillance? Take it or leave it license agreements in my opinion violate meeting-of-the-minds, and our legal system has just cut a pass for the last half a century to one sided take it or leave it levels of exploitative entering into contracts at scale. Not one company, in particular, tech companies, have a legal pipeline that can support redlining a contract or facilitating negotiation at scale which is the actual desired incarnation of contract law as a tool of mutual empowerment through agreements. We need to seriously hold our system to account for building only the accept as-is part of the pipeline, but not the negotiation side of the pipeline.
Make no mistake either, as that was an intentional decision to chase growth in the interests of becoming TBTF. We need to clamp down and make it clear, big mofos do not get to call unilateral shots and that it is not acceptable for terms to be dictated only in one direction. Yes, this complicates the hell out of business logic, but ya know what, the ones who have TBTF'd have drank of the waters of economies of scale to get the sweet draught, it's about damn time they got the bitters too.
>Take it or leave it license agreements in my opinion violate meeting-of-the-minds, and our legal system has just cut a pass for the last half a century to one sided take it or leave it levels of exploitative entering into contracts at scale.
I might be sympathetic to this if this was some essential service with strong network effects such that there's no alternative (eg. facebook or whatsapp), but that's not the case here. This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
>This is a separate "security" app, of which there's probably dozens of competitors that you can choose from if you don't like the ToS/privacy policy of this one, so the "one sided take it or leave it levels of exploitative entering into contracts at scale" aspect you're decrying really rings hollow.
You mean like a loud ass bell rings? Point out to me a single piece of software utilizing a EULA that supports individual redlining and renegotiation on a user by user basis, with a feedback loop tight enough to be reasonable. I'll wait. The point is there might be the illusion of user choice there, but when the overarching legal framework operates in unity in a take it or leave it fashion, with no escape hatch, every business model behaves the same. No one builds the business willing to charge for contractual dumb pipe, because everyone is just dumping anyone else who won't take the default terms. The entire architecture of our networked world has turned into building machines through which everyone gives up every right and civil protection through a goddamn click, nevermind the fact Third Party Doctrine in this age has completely dismantled the 4th Amendment by extension.
>Point out to me a single piece of software utilizing a EULA that supports individual redlining and renegotiation on a user by user basis, with a feedback loop tight enough to be reasonable. I'll wait.
If you want apps priced at $0.99 or even $99.99, standard form, take it or leave it contracts is the only game in town, for pure economic reasons. No company is going to bother getting legal involved to negotiate a bespoke contract for anything with less than 5 figures TCV.
And that's the problem. Contracts weren't meant to cover everything. We've taken a legal instrument, and based the entire bloody economy around it without bloody stopping to realize that, oh geez maybe having people click through a billion contracts they don't bloody read might cause deleterious effects in the civic macrocosm. The fact you're sitting here telling me it's a non starter just cements my point. The tech industry is predicated on predatory legalism, and click wrapped contracting. In point of fact, if you took the digital product away and tried to click wrapped literally anything else, the consumer would laugh at you. Only with digital products, whose terms can be changed at the will of the hosting company's legal department unilaterally, with no notice, and no recourse, other than termination of service is the root of the bloody problem. And we have an entire generation of business people who have been educated to think this behavior that results in massive exposure of clients personal data to outside firms and legal processes are 100% A-OK. If you think it'd be impossible to do business any other way, you are unironically one of the benefactors of the problen created and enabled by tech.
You can file a civil lawsuit. You may or may not be able to persuade the prosecutor to file a criminal case.
The video near the middle of the page shows fairly clearly what they did, with accurate and understandable descriptions of shady behaviour. I think a capable prosecutor might regard it as difficult to prove that behaviour illegal. Shady, sure, but in dubio pro so why even prosecute.
So that leaves a civil lawsuit. There's no need to persuade a prosecutor for a civil lawsuit, and the balance of evidence counts, there's no in dubio pro.
Just like AI companies are allowed to do the piracy that Aaron Schwartz was going to be jailed for, Facebook are too big to prosecute for hacking.
Because: $random_kid is not running an outsourced surveillance service for the security state.
Because Facebook is key to their online surveillance, so Facebook making itself better is making itself more effective to the state surveillance apparatus
> Onavo Protect Android app, which had over 10 million Android installations, contained code to prompt the user to install a CA (certificate authority) certificate issued by "Facebook Research" in the user trust store of the device. This certificate was required for Facebook to decrypt TLS traffic.
I mostly can't think of a legitimate reason to install your own root certificate for a VPN, so I'm inclined to buy that this is Facebook being Facebook. I would also run as fast as I can if I installed an app and it started prompting me to install a certificate, but 99% of people have absolutely zero idea how TLS and PKI work, so maybe this is taking advantage of their ignorance.
The stories I could tell you about Onavo. Ask anyone from the Facebook Growth Org. There's so much undisclosed dirt here it's insane...
I bet you could make some decent money by reaching out to the plaintiffs lawyers. Expert Witnesses can easily make $600+ / hr
That's a really cool idea. It's been traumatic carrying this bullshit, tbh. So many nasty secrets.
I saw this story linked from a twitter post, really interesting. It makes a lot of sense, make purchases based upon data / metrics
I don't see what the big deal is. SSL MITM is CloudFlare's whole business model.
Care to elaborate? How do they make money?
While OP is a bit hyperbolic here CloudFlare essentially is a Man In The Mittle. They serve your content via a CDN and cache it around the globe. If you use cloudflare, the SSL terminates at their servers, meaning that (theoretically) they could read al contents send via their network. While yes, you can put on you tinfoil hat and say that this is an central intelligences dream to have such a global man in the middle proxy there are no fact based reports that undermine cloudflare abusing their position.
They mostly make their money by selling you better services on their CDN such as image scaling etc.
There was a guy, Snowden or something, who got some first party reports. They stated that no magical quantum crypto breaking happened at global scale, keys were simply stolen, or backdoors were used to access clear text on sender or receiver.
Ephemeral keys (not stored for possible future leakage) quickly became the default, and assumptions about global data gathering changed. Then, all of a sudden, “free” service appears that makes all of TLS improvements, bug and small, practical and theoretical, useless. What a coincidence!
For some reason, you assume that people who have been stealing everything they can (because doing crime for the Big Guy is not a crime) consider this specific company untouchable. This is impossible. Every country in the world wants to have its spying capacity at maximum (following the shameless example), and to flex muscles at American services doing the same. The reason we only read about clashes over movie piracy and other petty stuff is because more serious matters have been discussed and dealt with.
Facebook offers “free” hosting and other services for individuals (social networks are poor walled versions of the Web). Cloudflare offers “free” CDN and other services for website owners. Actual business model is the same, lies are still lies.
Hyperbole is my middle name, but I just find it repulsive that CloudFlare breaks the chain of trust, and somehow everybody is just okay with that. I'm not saying it makes HTTPS pointless, but we've moved from end-to-end encryption to trust-me-bro. Is CloudFlare malicious? Probably not - at least not right now. But I think my browser should warn me that my connection is not E2E secure, because it's not.
All cloud services are in a similar position; they hold the private TLS keys and could reveal them in response to legal process, allowing active MITM (perfect forward secrecy prevents passive data theft without more intrusive realtime access to VM RAM).
Only a very specific configuration of "Confidential Computing" (based on AMD SEV or Intel TDX) where boot attestation is checked remotely before private keys are sent from an on-premise store (or a fully trusted hosted HSM) to the remote VM could prevent a cloud provider from intercepting private key material, and only then as far as boot attestation and SEV/TDX is trusted.
The one advantage for the little guy is that Cloudflare is a single surface attack vector.
If it comes to light they've been doing something actionable with your data, you have a target for revenge. (As in a lawsuit, not violence)
Is CloudFlare datamining that traffic to build intelligence profiles on its users and for anti-competitive business practices?
Is CloudFlare hiding that they are a terminating proxy and pretending to be a VPN for the purposes of spying on users?
The big deal isn't the technical aspect, it's what it was used for and how it was used.
Previously:
https://news.ycombinator.com/item?id=41090304
TFA is from 2024, so the title is wrong
Updated, thanks!
On a side, but related note; all our societies need to reevaluate the corporate protections from personal liability when the activities breach the articles of incorporation, the so called veil; barring demonstrated accident or mistake.
This "corporate veil" and protection is really the same basis as the legal fiction called "qualified immunity"... in the case of police officers, they can even quite literally murder you with impunity in far too many cases that is acceptable. Isn't it odd how a "citizen" who is supposed to actually be in control of the government through self-determination, has approaching zero power, bu the putrid agents of the despotic power of illegitimate government have literal immunity to commit murder.
This kind of activity is not just a corporate whoopsie, it's active, deliberate, criminal activity, and organized criminal activity at that; making in this case (but there are many other examples) Meta an organized criminal outfit.
Are you personally immune from prosecution if a "corporation" tells you to murder someone? Why would you then not be personally criminally liable for perpetrating other crimes because the "corporation" told you to do it; regardless of whether that is committing cybercrimes, committing financial fraud, or even just something as simple as breach of the peace if a manager is accosting an employee?
I'm for more personal liability, but corporate higher-ups are pretty good at communicating their illegal desires to subordinates without saying the illegal part out loud.
I think the corporate death penalty is underused. Being in leadership when a corporation is dissolved for committing crimes is probably bad for one's future employment prospects.
Except they keep failing upwards
I wonder if the RICO act could be applied...
It's never rico.
https://law.stackexchange.com/questions/60509/what-is-the-th...
Could it be that the problem is actually prosecutorial discretion?
In Sweden we have something called an absolute duty to prosecute, which means that for most crimes, if there's evidence and enough to get a conviction, the prosecutor has an actual absolutely duty to prosecute.
So if this had happened here, I could report this to the police as 'unapproved intelligence activity against a person' and the prosecutor would have to, provided that there's enough evidence, prosecute the person for this.
Prosecutors here do have a love of dismissing things due to lack of evidence though.
I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data. And yet, he's walking free. Do we think he's reformed? Or is he probably going to do the same thing again as soon as he gets the chance, knowing that he got away with it once before?
>I don't think the "veil" is even relevant here. We have the smoking-gun proof that Mark Z. personally ordered people to illegally spy on other apps' data.
No, Zuckerberg said to "get reliable analytics" and that maybe they need to "do panels or write custom software". The subsequent emails of "hey I made an app that does MITM on snapchat" did not involve Zuckerberg.
If I were a lawyer trying to defend Zuckerberg, in a court where we take turns pontificating in front of a jury, and I wanted to do some lying by omission and hope that is the one thing that sticks in their minds, I'd probably say exactly what you just wrote.
But this is the court of public opinion, and people are going to read your post about 5 seconds before they read mine, so that won't work. I think online debate is a lot better at getting to the truth than courts of law, actually. So while Zuckerberg may be ruled innocent, we can put him in the same category as OJ Simpson and Donald Trump and carefully caveat our assertions that he's guilty with "in my opinion" to avoid a slander case.
Of course, what you said is false. He didn't just shoot off an email with "get reliable analytics!", as you put it, like some kind of whimsical silly CEO on a kid's cartoon. He said: "their (instagram's) data is encrypted and we have no analytics about them" (seemingly implying that if their data wasn't encrypted, they would have data about it, because they would just spy on it). He then immediately proceeds to say they need to "get reliable analytics about them". He THEN immediately proceeds to clarify by saying that they might need to "write custom software" and that "you should figure out how to do this" (seems like a subtle hint that they should "figure out" his subtext here).
And then, what do you think happened? His underlings went rogue and developed iOS hacks that would allow them to decrypt traffic, and he didn't approve it or know about it? If this were court, that would probably be a good argument to achieve a not guilty verdict.
So while you're probably right that this doesn't qualify as a "smoking gun" in court, it should convince everyone who's capable of reading it.
Or it did involve Zuckerberg and his team and him were smart enough not to put in email/chat.
1. regardless of whether zuckerberg was actually involved or not, the evidence presented so far isn't a "smoking gun".
2. they're apparently smart enough to not put it down on email, but apparently Ferrante (a Director of Data Science, according to a hardvard site) was too dumb and wrote a email that said "yep, we made an app that does MITM attacks on snapchat"?
"Will no one rid me of this troublesome data encryption?"