Last month, we warned users against downloading Facebook’s new VPN service, known as Onavo Protect. In addition to Facebook itself being a data vampire, the company has reportedly used the service to collecting users’ VPN usage logs. That means that once you install Onavo and turn the VPN on, Facebook can see every websites you’re visiting, in addition to what service you’re using and files you’ve downloaded.
New research into the functions of app itself, however, reveals that Facebook is also collecting data about users’ devices too, potentially even when the VPN is turned off.
According to security researcher Will Strafach, Onavo’s iOS app is collecting various types of device data separate from server-side connection and usage logs. Even when the VPN is turned off, the app continues to collect information about daily wi-fi usage and daily mobile data, Strafach says. And for whatever reason, the app is also detecting and notify Facebook whenever a user’s “device screen is turned on and off,” he wrote.
It’s unclear why Facebook is collecting this data. We’ve asked, and we’ll let you know if they respond.
Here’s a list of some of the data collected by the Onavo app discovered by Stafach:
- Phone network name
- Mobile network code
- iOS version
- Onavo app version
- Screen status (on/off)
- Daily mobile data usage
- Daily wi-fi data usage
Onavo’s terms-of-service explicitly state that Facebook intends to use the app to collect vast amounts of data related to users’ online activities, including: “Information about your mobile applications and data usage, including the applications installed on your device, your use of those applications, the websites you visit, and the amount of data you use.”
Facebook also spells out what it’s doing with this data—basically, anything it wants—including providing your “personally identifiable information” to affiliates, service providers, and law enforcement, among other entities, under myriad circumstances.
The company is advertising the Onava as means to “protect your personal info,” but that is, frankly, total bullshit. By using Facebook’s
spyware VPN, you’re only further spreading your personal information around—placing it in the hands of multi-billion corporation, which generates most of its revenue through advertising and freely admits it will share your data with essentially whomever it wants.
What’s more, if Facebook ever decides to sell Onavo to another company, the data it has collected on you may go with it, to the highest bidder, anywhere in the world.
While VPNs can be useful for concealing your online activities from internet service providers, and may help citizens in oppressive nations bypass online censorship, using one means that virtually everything you do online may be monitored by the VPN service you’ve chosen.
It’s imperative you do your own research before choosing a VPN service and never use a VPN service that’s free. It costs money to run a VPN service, and if it isn’t charging you something—like Facebook—it’s likely making money off your data instead.