FACEBOOK'S ONAVO VPN has been found to be snooping on user data when it's meant to be protecting their privacy. Cue the irony klaxon.
Following the news that Onavo Protect for iOS effectively installed spyware on iPhones and iPads, security researcher Will Strafach dug deeper into the issue and found that it was using the Packet Tunnel Provider app extension to syphon data back to Facebook even when the VPN wasn't being used.
"Onavo Protect will flush collected analytics information to log files from memory if there are greater than 49 "events" waiting in RAM or if it has been more than 2 minutes since the last flush," explained Strafach.
"The log files are then prepared for upload in a network request to Facebook. Analytics data is sent in a POST request to https://graph.facebook.com/v2.3/logging_client_events from the Packet Tunnel Provider process (The Packet Tunnel Provider process would be running at any time the VPN connection for Onavo is switched on, enabling periodic analytics data uploads to Facebook even if the Onavo Protect app is not open)."
According to Strafach, the data collected included details such as when an iPhone is turned on and off, daily WiFi and cellular data usage, and the expected collection of VPN connection usage.
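The upload Strafach describes can be looked for in traffic logs. The following is an added example, not code from the article or from Strafach's research: it scans constructed log lines from a TLS-inspecting proxy (the log layout, client addresses and function names are assumptions) for POST requests to the endpoint quoted above and reports how often each device uploads.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint quoted in the article; host and path are matched separately.
HOST = "graph.facebook.com"
PATH = "/v2.3/logging_client_events"

# Assumed (hypothetical) log layout: ISO timestamp, client IP, method, URL, request bytes.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https://([^/\s]+)(/\S*) (\d+)$")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2020-01-01T09:00:10 10.0.0.21 POST https://graph.facebook.com/v2.3/logging_client_events 4812
2020-01-01T09:00:40 10.0.0.21 GET https://example.org/index.html 0
2020-01-01T09:02:15 10.0.0.21 POST https://graph.facebook.com/v2.3/logging_client_events 3990
2020-01-01T09:03:00 10.0.0.34 POST https://graph.facebook.com/v2.3/me/photos 120000
2020-01-01T09:04:20 10.0.0.21 POST https://graph.facebook.com/v2.3/logging_client_events?x=1 5100
malformed line
2020-01-01T09:05:00 10.0.0.34 GET https://graph.facebook.com/v2.3/logging_client_events 0
"""

def find_uploads(log_text):
    """Return {client: [(timestamp, bytes), ...]} for POSTs to the analytics endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, host, path, size = m.groups()
        # Compare the path without its query string so variants still match.
        if method == "POST" and host.lower() == HOST and path.split("?", 1)[0] == PATH:
            hits[client].append((datetime.fromisoformat(ts), int(size)))
    return dict(hits)

def summarize(hits):
    """Per client: upload count, total bytes, and gaps in seconds between uploads."""
    out = {}
    for client, events in hits.items():
        events.sort()
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]
        out[client] = {"uploads": len(events), "bytes": sum(s for _, s in events), "gaps_s": gaps}
    return out

if __name__ == "__main__":
    for client, info in summarize(find_uploads(SAMPLE_LOG)).items():
        print(client, info)
```

Uploads that keep recurring for a device while the Onavo Protect app is closed match the Packet Tunnel Provider behaviour described in the quote.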
While VPN services do sometimes collect data in aggregate form to improve and maintain their services, the data collected by Onavo Protect doesn't seem to be relevant to VPN performance. This prompts questions about why Onavo is collecting this data and what's being done with it once it reaches Facebook.
"When people download Onavo Protect to help secure their connection, we are clear about the information we collect and how it is used. Like other VPNs, Protect acts as a secure connection including when people are on public Wi-Fi. As part of this process, Onavo receives their mobile data traffic. This helps us improve and operate the Onavo service," said Erez Naveh, product manager at Onavo, in a statement sent to INQ.
"Because we're part of Facebook, we also use this information to improve Facebook products and services. We let people know about this activity and other ways that Onavo uses, analyses, and shares data before they download it. We also regularly review our apps and make updates based on feedback from people."
So it would seem that this is a case of customers knowing what they signed up for and if they don't like it they can go swivel.
At the same time, the data collection could simply inform Facebook on how to better deliver add-on services as opposed to snooping on what we're browsing or harvesting data on what we post to lookatmytrendybrunch.nom.net. µ