In case you ever doubted Facebook’s commitment to hoovering up as much information about you as it can, the company has come under fire for a change in the Facebook app for iOS in the United States. In the last few days, users have discovered a new option when you tap the hamburger button to access your pages, shortcuts, and settings. In that screen is a section called Explore that lets you get to a vast number of Facebook services, such as On This Day, Crisis Response, Live Videos, Find Wi-Fi, and Device Requests. There are so many, in fact, that the last one is Show More, and tapping that displays another 11, including the reassuringly named Protect.
However, tapping Protect takes you to the App Store and displays an app called Onavo Protect — VPN Security. It is indeed a VPN — a virtual private network — that securely tunnels all your traffic through Onavo’s servers. The problem is that, as you might expect from the link source, Onavo is owned by Facebook. If you were to stumble on Onavo Protect in the App Store, you’d have to tap More and read the full description to discover that. If you read all the way to the end, you’d learn that Onavo Protect “directs all of your network communications through Onavo’s servers,” and that, “as part of this process, Onavo collects your mobile data traffic.”
Clearly, that menu item in the Facebook app should be labeled “Collect” instead of “Protect.”
Even if Onavo Protect is nominally legitimate, albeit a massive privacy violation, quite a number of its reviews seem fake, which is also troubling. Since there are no iPhone viruses, I can only assume that these are paid-for reviews. (The alternative is to assume that there are a lot of users who think all the icons wiggling on the screen indicates a virus infection, not an errant finger press.)
Despite its recent appearance in the iOS Facebook app, Onavo Protect isn’t new, and was a source of controversy last year when the Wall Street Journal reported that Facebook used Onavo-sourced data to determine that usage of the competing Snapchat app was slowing months before Snap announced that fact. Plus, Facebook linked to the Onavo Protect app in the UK version of the Facebook app (on both iOS and Android) starting in 2016, though there was little reporting on that fact then. TechCrunch reports that about 62 percent of Onavo Protect’s 33 million installs come from Google Play (for Android), suggesting that about 12.5 million iOS users have installed Onavo Protect. The lower uptake rate in iOS might account for why Facebook is now promoting Onavo Protect in its iOS app in the United States — and possibly in other locations.
It’s bad enough when some unknown company provides a free VPN service in order to collect data about its users. It’s another thing when the company in question is part of Facebook, and that data can be combined with both any data you’ve allowed Facebook to have and any data about you that people you know have inadvertently provided to Facebook.
Our recommendation: If you use the Facebook app on your iPhone or iPad, don’t get suckered into installing Onavo Protect. And if you have installed Onavo Protect already for some reason, delete it unless you like revealing everything you do on your device to Facebook.