Don't Trust the VPN Facebook Wants You to Use

The "Protect" menu item in Facebook's mobile apps refers users to the company's Onavo Protect VPN, but the tool falls short of basic privacy standards.

This week, reports have percolated that Facebook is testing a new menu item, called "Protect," in its iOS app. The feature sports a blue shield icon, and tapping it redirects you to the App Store listing for Facebook-owned VPN app Onavo Protect. But while Onavo does claim to offer some tools that make the web safer, in practice it falls far short of the privacy protections that VPN users reasonably expect.

Onavo itself isn't new; Facebook acquired it in 2013, and has nudged users to it through the Protect prompt on Android since 2016. Like all VPNs, it's a private platform that acts as a portal to connect you to the larger internet, tunneling your data through an encrypted path to reduce the risk of eavesdropping. Onavo's Android VPN touts this type of data protection, but also offers what it calls a second VPN for keeping track of which apps are using the most data.

The iOS version of the VPN focuses more on browsing protections, warning users when they visit sites that might be malicious and offering other standard VPN protections. But on both platforms, Onavo is more pervasive than standard VPNs, and attempts to be on all the time instead of just when you want a little extra protection. This seems like a way for the app, and by extension Facebook, to track your browsing all the time, not just when you're on the social network.

Similarly, the data usage and malicious-site warning features are both built on extensive data-monitoring and tracking. "Onavo collects your mobile data traffic," reads the App Store description. "This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we're part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences." If you're looking for the privacy benefits of a VPN, this is not what you want to hear.

All VPNs, by definition, have access to all of your browsing data. VPNs that prioritize privacy, though, reassure users that they will never log or store any browsing information. Some have even proven in practice that they delete all logs, after subpoenas for records during law enforcement investigations turn up nothing.

Onavo, on the other hand, expressly combs through, analyzes, and tracks user data over time, feeding it directly to Facebook. The service also states that it may retain users' data for as long as they have an account, and beyond. And Facebook does leverage that data for its own purposes; the Wall Street Journal reported in August that the company used data from Onavo to track the popularity of competing startups and other user preferences, and to inform acquisition decisions.

"Guess what, if you're not paying for the product, you and your data are the product," says the privacy researcher known as That One Privacy Guy, who has analyzed VPN trustworthiness for years and maintains a detailed comparison chart of the services. "I've read too many VPN company privacy policies and I can pick out the nonsense a mile away." He describes the Onavo policy as "very obtuse."

In many ways, Facebook is at least transparent about Onavo's data-collection goals. The VPN's privacy policy states, "We may use the information we receive to provide, analyze, improve, and develop new and innovative services for users, Affiliates and third parties." It also reserves the right to use customer information to "Comply with applicable laws and assist law enforcement." Privacy-focused VPNs may comply with law enforcement requests, but if they don't keep logs, they're unable to do so helpfully.

Facebook maintains that its data tracking benefits users, too. The Onavo VPN "acts as a secure connection to protect people from potentially harmful sites," product manager Erez Naveh says. "The app may collect your mobile data traffic to help us recognize tactics that bad actors use. Over time, this helps the tool work better for you and others. We let people know about this activity and other ways that Onavo uses and analyses data before they download it."

The problem, though, is that while Facebook promotes Onavo to its massive user base as a tool for protection, it places significantly less emphasis on the service's intrusive features. And many users likely wouldn't realize that other VPNs approach privacy differently, and offer much more extensive protections.

"Unlike other providers, Onavo Protect tries to keep the VPN connected all the time, and channel all internet traffic," says Ankur Banerjee, a security researcher who focuses on digital infrastructure. "Even turning the VPN off is buried deep inside the settings of the app rather than making it front-and-center on the app home page. They could spin this as saying they're trying to keep the customer protected all the time, but the obvious thing they are perhaps trying to do here is ensure that the user forgets Onavo even exists." The more the VPN is on, the more user data it can capture and analyze.

Though Facebook's Android app has recommended the Onavo VPN for some time, its inclusion in the iOS app generated more notice, and has provoked pushback from the technical community. "Of course Facebook would try to spin their VPN spyware as a way to 'protect' users. Disgusting," David Heinemeier Hansson, creator of the Ruby on Rails web development framework, wrote on Twitter on Wednesday.

Even in small ways, Onavo doesn't seem to prioritize user privacy protection. The company's website, for example, currently doesn't have an active SSL certificate, meaning no HTTPS encryption for users browsing the site. "I just don't get how a service being essentially repackaged by a multibillion dollar tech company could be overlooked like this," That One Privacy Guy said after noticing the site's lack of SSL. But then he added, "Of course I'm being facetious, Onavo is obviously not there to fulfill the stated role."
