Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customise your settings, hit “Customise Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences

  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.
Sign in

Facebook Onavo Protect doesn't protect against Facebook

VPN app collects all sorts of details

Thomas Claburn in San Francisco Wed 7 Mar 2018 // 20:35 UTC

Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off.

In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, published his findings about the data collected by Onavo Protect for iOS.

The app, says Strafach, uses a Packet Tunnel Provider app extension – part of Apple's iOS SDK – to handle the VPN's network traffic routing. He claims the following data is being sent to Facebook:

  • When a mobile is turned on and off
  • Daily Wi-Fi data usage (even when the app off)
  • Daily cellular data usage (even when off)
  • Amount of time the VPN connection is used

So while the VPN may be protecting against eavesdropping on traffic traveling over an untrusted wireless network, it's simultaneously reporting details about its user to Facebook.

Strafach, in an email to The Register, said it's not clear what Facebook is doing.

"I cannot figure out why they collect the information that I am seeing," he said. "The screen thing does not seem relevant to VPN usage, it just tells them (I guess) how long you are actively on your phone during the day if I understand correctly."

Strafach said data usage tracking could make sense if Facebook were looking to identify those using too much data on its VPN.

"But the weird part is that the APIs called would tell them total usage even when not connected to the VPN, and additionally they could account for VPN usage on the server side if they wanted to," he said.

The Onavo privacy policy – more accurately described as a data use policy –explains that by using the app, "you choose to route all of your mobile data traffic through, or to, Onavo’s servers." And the app says it may use collected data to "provide, analyze, improve, and develop new and innovative services for users."

So on some level, anyone using the app, much less Facebook's other services, should be aware that they've surrendered their data, despite Facebook's assertion that Onavo "helps keep you and your data safe when you go online, by blocking potentially harmful websites and securing your personal information."

Facebook did not immediately respond to a request for comment.

Strafach argues that Facebook should be clearer about what it's doing with the data.

"They can easily clear things up by explaining more precisely why they collect certain data and what they do with it, so I don’t understand why they are so vague about it," he said. "I do hope they are being respectful of user privacy and it would be very nice if they clarified that I think." ®

19 Comments

Similar topics

Broader topics

Narrower topics

Other stories you might like

Biting the hand that feeds IT © 1998–2022

Your Consent Options Cookies Privacy Ts&Cs