Facebook's VPN is Collecting User Data for Facebook, Researcher Finds

Onavo is doing the opposite of protecting privacy.


Facebook isn’t protecting users with its supposed privacy-protection app. In fact, the app is helping Facebook collect more of your data, including when your device screen is being turned on and off, and how much data you use each day.

Last month, TechCrunch reported that Facebook-owned Onavo Protect is being promoted in the social network’s official app. As of this writing, Facebook still has the “Protect” tab under settings taking users to the Onavo app’s page in the iOS App Store.

Onavo is an Israeli mobile analytics startup that Facebook acquired in 2013. Facebook now markets Onavo’s technology as a Virtual Private Network (VPN) client. A VPN connects a user’s device, in this case one that has downloaded Onavo, to a third-party server while browsing the internet. VPNs are used to let users send and receive data privately across the web.

But a study of the app posted on Medium on Monday found that Onavo actually “collects device information, network related analytics, and ‘fact of’ certain events occurring.”

The study on Onavo, conducted by cyber security researcher Will Strafach, found that the app uses what’s called a “Packet Tunnel Provider” extension, which sends data recorded on the app’s VPN while it runs.

This process helps Onavo provide Facebook with the following information: a log of when a user’s device screen is turned on or off, daily Wi-Fi usage, total daily cellular data usage in bytes, and a tick indicating how long the VPN has been connected to the user’s device.

Furthermore, even more detailed information is being collected from users who choose to download Onavo, according to Strafach. This includes their device’s carrier name, mobile network code, country code, language, iOS version and the Onavo app version they’re using, among others.

Strafach goes on to explain that Onavo collects the aforementioned data by downloading a “Mobile Configuration” file that has the VPN settings connecting the device to the Onavo servers.

Facebook was forced to vaguely discuss Onavo’s data collection amid reports calling it “corporate spyware”.

“We recently began letting people in the U.S. access Onavo Protect from the Facebook app on their iOS devices,” the company told TechCrunch. “Like other VPNs, it acts as a secure connection to protect people from potentially harmful sites. The app may collect your mobile data traffic to help us recognize tactics that bad actors use. Over time, this helps the tool work better for you and others. We let people know about this activity and other ways that Onavo uses and analyses data before they download it.”

While Facebook originally claimed to have acquired Onavo to collect data on the competition’s social media users, it turns out they’ve been using it on their own customers. The app has already helped the world’s biggest social network compare Snapchat’s user numbers with those of Instagram, which it owns, as The Wall Street Journal reported.

It’s unclear how Facebook plans to use the Onavo data collected from its own users who are just looking for more protection while using Facebook, Strafach’s study concludes.

If their previous use of users’ data is any indication, Facebook will most likely sell this data to their advertisers.
