Slashdot Mirror


Facebook's VPN Service Onavo Protect Collects Personal Data -- Even When It's Switched Off (medium.com)

Security researcher Will Strafach took a look at Onavo Protect, a newly released VPN service from Facebook: I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:
When user's mobile device screen is turned on and turned off.
Total daily Wi-Fi data usage in bytes (Even when VPN is turned off).
Total daily cellular data usage in bytes (Even when VPN is turned off).
Periodic beacon containing an "uptime" to indicate how long the VPN has been connected.

67 comments

  1. Farcebook by Anonymous Coward · · Score: 2, Interesting

    It gets worse by the day

    1. Re:Farcebook by Z00L00K · · Score: 1

      After 25 May 2018 this would be "interesting" in the EU.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Farcebook by Anonymous Coward · · Score: 0

      I know you are all pretty smart, so please give me advice.

      First mistake.

      Slashdot isn't facebook.

      Second mistake.

    3. Re: Farcebook by Anonymous Coward · · Score: 0

      Oh yessss

    4. Re:Farcebook by Maritz · · Score: 1

      It gets worse by the day

      Facebook needs to die. ASAP.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    5. Re:Farcebook by Maritz · · Score: 1

      This is really hilarious. You're a very funny person. Ha, ha, ha.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  2. Is this supposed to be a joke? by DontBeAMoran · · Score: 4, Insightful

    VPN from Facebook? Of course they're going to collect data!

    I'd go as far as calling it a VFN instead, there's probably nothing private about it.

    --
    #DeleteFacebook
    1. Re:Is this supposed to be a joke? by Anonymous Coward · · Score: 0

      Onaho project?

    2. Re:Is this supposed to be a joke? by gnick · · Score: 2

      You've GOTTA trust your VPN. What choice is there? That said, pick a VPN you can trust. It might be worth that $40/yr not to pipe shit through FB.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:Is this supposed to be a joke? by Anonymous Coward · · Score: 0

      VPN from Facebook? Of course they're going to collect data!

      I'd go as far as calling it a VFN instead, there's probably nothing private about it.

      Makes me wonder why anybody with a sane mind would trust a FB VPN...

    4. Re:Is this supposed to be a joke? by Anonymous Coward · · Score: 1

      Well, consumer affairs should get involved. There is no P in private if they get traceable data back. Do not use the word private. Use Shared (VSN), Group (VGN) or Compromised (VCN).
      Pulling this trick is just as bad as VW - reality is not the same as advertised.

      In the meantime can some clever soul modify the outgoing packets to say you have been connected 56 hours in the past 4 hours and other bad numbers to thoroughly mess up their reporting.

    5. Re:Is this supposed to be a joke? by gnick · · Score: 1

      reality is not the same as advertised

      That's a lesson I'm learning over and over again. Pretty sure this isn't the life I signed up for, but it looks like I'll be sticking with it. I was told there would be cake.

      --
      He's getting rather old, but he's a good mouse.
    6. Re:Is this supposed to be a joke? by um...+Lucas · · Score: 1

      A couple things to consider. Not that I'm trying to defend facebook, i'm not. But:

      1) No one should ever think that their VPN can't see their traffic. They can. But they can prevent outside observers from seeing your traffic. I can use a VPN to prevent comcast from keeping logs on me, or when at the coffee shop on their crappy open wifi so that the rest of the patrons can't see what I'm doing.

      2) Even though we're thinking that this app is only for those of us in the West, their VPN COULD (and, I repeat, could - not will) provide a way for people in more locked down countries to access the rest of the web. But that's only if Facebook actually keeps their VPN logs from the authorities.

      Whether they would say "Hey, we're Facebook China, you can't demand that we provide logs from Onavo Protect, which is governed by the laws of California" - that's a different story.

      But anyone in the Europe, their VPN is a downgrade. Anyone in the US, it's probably negligible. But people in more locked down countries could see benefit, but only if FB is offering it to provide them a benefit and not just try to vacuum up even more info.

    7. Re:Is this supposed to be a joke? by DontBeAMoran · · Score: 1

      I was told there would be cake.

      Oh man, stay away from the game Portal.

      --
      #DeleteFacebook
    8. Re: Is this supposed to be a joke? by Anonymous Coward · · Score: 0

      No kidding, I only use the CIA VPN service

    9. Re:Is this supposed to be a joke? by morethanapapercert · · Score: 1

      Maybe we can all start referring to it as the onnahole service? (we the users being the thing that gets fucked, rather than the person doing the fucking) It seems pretty obvious that this, like pretty much everything Facebook does, is designed from the ground up as a privacy raping source of ad revenue.

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    10. Re:Is this supposed to be a joke? by morethanapapercert · · Score: 1
      1) I believe that a *reputable* VPN service would encrypt everything over their network so that while they can tell where you are browsing to, even they can't tell what you're doing once there. With current state of the art, only onion routing gives any real measure of privacy and even then, only if you stay in the network. As far as I know, given control of enough exit nodes and the ability to capture traffic at the ISP you can tie exiting traffic to specific users/machines.

      2) Facebook, like any other company, must and will turn over logs when required to by legal authorities. Where they operate in locked down countries, like China, failure to do so would only result in that application getting red-flagged in the great firewalls those countries filter all traffic through. In addition, the nation can and would seize any assets held in that country. How can a VPN like Facebook's "onnahole" operate if all connections are blocked at the national firewall, anyone attempting to use it is automatically flagged for investigation and any and all Chinese Facebook assets are confiscated? Of greater concern would be when Facebook is pro-actively sharing traffic of interest with the relevant authorities. We've all seen the news stories about various major players on the Internet including backdoors and secret access to user traffic without even the flimsy excuse of a national security letter. Cooperating with authorities in a legal investigation is one thing, actively acting as an informer in advance of any investigation is another.

      The only way I can see someone maintaining browsing privacy would be to use an onion/garlic routing service like Tor or I2P and even then, only as long as the exit node (which the user can't choose) isn't in his or her own country. But that leads to the problems of a) such traffic is easy to detect at the ISP level, leading to possible investigation by authorities and b) such services are closely associated with straight up criminal behaviour like drugs, guns, stolen credit cards and child porn. That association with criminal activities means someone would have to hide possession of the application even from friends and family, lest they be branded a paedophile or drug dealer.

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    11. Re: Is this supposed to be a joke? by Anonymous Coward · · Score: 0

      All of my browsing is done with tor, both in my phone and computers. Except for banking and a couple of other sites. No complaints at all.
      Ah and YouTube, because of speed.

      Highly recommend it.

  3. Of course it does by Anonymous Coward · · Score: 0

    Why would anyone in their right mind ever assume anything from Facebook would protect you from Facebook itself? Ditto Google et.al. The only way to get away from their insidiousness is to get the hell away from them. If you must use it, get a good VPN, load up on browser extensions or privacy apps, and clear your web data after every single session. Never, ever trust Facebook or similar (yes, Google, Instagram, SnapChat and the rest, too) to have your best interests in mind. Ever.

    1. Re:Of course it does by ctilsie242 · · Score: 3, Insightful

      What it boils down to is who is the paying customer. With FB, users are the product. Same with Google. This is why one uses a decent VPN, that you pay for, and where the VPN provider's reputation matters.

      VPNs are a must have, just because ISPs and local endpoints do so many shenanigans.

    2. Re:Of course it does by gnick · · Score: 1

      VPNs are a must have, just because ISPs and local endpoints do so many shenanigans.

      I agree. I'm sometimes accused of overusing mine. Unless I'm downloading something big (that I don't need to hide), I pipe everything on my home PC through Private Internet Access. Music streams fine; porn streams fine; no noticeable lag in normal browsing. Netflix & Youtube work fine with the VPN up, but if I'm using one of those I'm probably using my phone & Chromecast which avoids PIA. It just boils down to me trusting my VPN more than my ISP and suffering no consequences for gimping my connection for normal use.

      --
      He's getting rather old, but he's a good mouse.
  4. And what did we expect it to do? by Maelwryth · · Score: 1

    This is, after all, a company based on selling users meta-data in various forms. VPN's were a threat to that collection.

    --
    I reserve the write to mangle english.
  5. Clueless by 110010001000 · · Score: 1

    People are clueless. They don't get it: unless you have the application's source code you have NO IDEA what the software is doing. It could be sending your credit card number to hackers. It could be sending your photos to the FBI. It could be doing nothing at all. Stop using closed source software and you won't have these issues.

    1. Re: Clueless by Maelwryth · · Score: 4, Insightful

      Even with 100% open source people wouldn't read it all. People don't even read privacy policies or EULA's. What we need is either ethics in business or laws to deal with it. I prefer laws.

      --
      I reserve the write to mangle english.
    2. Re: Clueless by Anonymous Coward · · Score: 0

      You are such a worthless human. How hollow and pathetic is your life?

    3. Re: Clueless by Chris+Mattern · · Score: 3, Insightful

      With 100% open source, most people won't read it all. But a few will. That makes it tough to keep any dirty work under wraps. Look at this article. Facebook's VPN is closed source, but the packets it sends can't be hidden from a determined user. Does the average user packet sniff what it does? Of course not. But somebody does, and the cat's out of the bag.

    4. Re:Clueless by PolygamousRanchKid+ · · Score: 1

      People are clueless.

      "No one ever went broke underestimating the intelligence of the American public." -- H. L. Mencken

      It could be sending your photos to the FBI. It could be doing nothing at all.

      The former head of the FBI ran a private FBI within the FBI to collect dirt on folks he wanted to . . . "influence".

      By the time of his death Hoover’s scandalous private and personal files numbered in the thousands, including 883 senators, 722 congressmen, 12 Supreme Court judges and hundreds of celebrities.

      When Zuckerberg becomes President of US, he won't need the help of the FBI . . . he will have all he needs from Facebook and their pals in privacy crime.

      Stop using closed source software and you won't have these issues.

      Try explaining that to people who are clueless . . . I gave up a long time ago. When I did try to explain that Facebook's business model was selling their data . . . I got the answer, "Oh, look! Facebook! Ponies!"

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re: Clueless by Anonymous Coward · · Score: 0

      Even with 100% open source people wouldn't read it all. People don't even read privacy policies or EULA's. What we need is either ethics in business or laws to deal with it. I prefer laws.

      There is no money in ethical behavior anymore. Just release a press release denouncing a scapegoat and business goes on as usual.

    6. Re: Clueless by thegarbz · · Score: 1

      But a few will.

      No they won't. That has been proven time and time again. Long standing bugs have survived in critical projects for long periods of time. Major work was done to audit the code of something as important as encryption software and that software released 2 additional versions ceased existing and then forked by the time the first audit was done making the exercise futile.

      You DON'T know what's in your software period. Even if the source code is available. People not only don't read it but there's no practical way of verifying distributed binaries are even related to the published source.

    7. Re: Clueless by Chris+Mattern · · Score: 1

      I would submit that there's a difference between subtle bugs (which the few people who read the source might not catch) and blatant Trojan behavior (which would stick out like a sore thumb).

    8. Re: Clueless by thegarbz · · Score: 1

      Then you would be very wrong. There have been many documented cases of trojan behavior being very much identical to a subtle bug.

      Do you not remember when this line got submitted to the Linux Kernel as a patch:

      if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

      An = is all that separates a bug from a confirmed and purposeful back door to elevate user access.
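
The following is an added example, not part of the original thread or of the kernel patch it discusses. It reproduces the shape of the quoted line in a tiny stand-alone C program (the `struct task` and the `__WCLONE`/`__WALL` values are constructed for the example, not the kernel's own definitions) so a reader can see why the `=` form looks harmless in review: the assignment stores 0 into `uid` and the expression evaluates to 0, so the branch body never executes and only the side effect remains. The fixed variant takes the task pointer as `const`, which is the cheap structural check: with `const`, writing the single `=` does not compile, and the extra parentheses that silence GCC's `-Wparentheses` warning no longer help.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's task struct; only the field the
 * quoted line touches is modelled. Not the real kernel definition. */
struct task {
    unsigned int uid;
};

/* Constructed flag values, chosen to match glibc's sys/wait.h layout. */
#ifndef __WCLONE
#define __WCLONE 0x80000000u
#endif
#ifndef __WALL
#define __WALL   0x40000000u
#endif

/* Shape of the line as quoted in the thread. The single '=' assigns 0 (root)
 * to uid; the assignment expression itself evaluates to 0, i.e. false, so the
 * if-body is unreachable and a caller watching the return value sees nothing
 * unusual. The only observable effect is the changed uid. Returns whether the
 * branch was taken. */
bool check_options_buggy(struct task *current, unsigned int options)
{
    if ((options == (__WCLONE | __WALL)) && (current->uid = 0)) {
        return true; /* never reached: the assigned value 0 is false */
    }
    return false;
}

/* Corrected comparison. Declaring the pointer const makes the '=' variant a
 * compile error ("assignment of member in read-only object"), which is what
 * a reviewer would want the toolchain to enforce. */
bool check_options_fixed(const struct task *current, unsigned int options)
{
    if ((options == (__WCLONE | __WALL)) && (current->uid == 0)) {
        return true;
    }
    return false;
}

int main(void)
{
    struct task t = { .uid = 1000 };
    bool taken = check_options_buggy(&t, __WCLONE | __WALL);
    printf("buggy: branch taken=%d, uid afterwards=%u\n", taken, t.uid);

    struct task u = { .uid = 1000 };
    taken = check_options_fixed(&u, __WCLONE | __WALL);
    printf("fixed: branch taken=%d, uid afterwards=%u\n", taken, u.uid);
    return 0;
}
```

Note that the silent uid change only happens when `options` is exactly `__WCLONE|__WALL`, an unusual combination that ordinary callers never pass, which is why the side effect would not show up in routine testing; only a reader of the source, or a compiler enforcing `const`, catches it.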

    9. Re: Clueless by Anonymous Coward · · Score: 0

      It got submitted, but did it make it through the review process? That's the question you didn't answer or pose.

    10. Re: Clueless by Anonymous Coward · · Score: 0

      But without the source you are almost guaranteed that the people behind it are screwing you in some way.

    11. Re:Clueless by Actually,+I+do+RTFA · · Score: 1

      They don't get it: unless you have the application's source code you have NO IDEA what the software is doing.

      That's not true. For instance, Alexa has a "stop listening" button. I have no access to the source. However, I can trivially see if Alexa is sending any data to the mothership while that setting is on. Now, it could cache the data to send, but IIRC, the amount of audio it can store is asserted to be under a minute. And that should be checkable by examining how much memory it has.

      --
      Your ad here. Ask me how!
  6. update stalking laws by Anonymous Coward · · Score: 0

    so when do we update the laws regarding stalking to include all the shady shit the corps and other app creators pull to track everything they can about everyone's personal lives?

    can we at least get restraining orders to force them to stop this shit?

    too much to hope for that we'd thrown them in jail too and leave them to rot I suppose.

  7. Raise your hand, by ReneR · · Score: 1

    if you thought a VPN from Facebook would be a good idea, what were they expecting? And who the heck would want to ever use this? FB employees?

  8. NEWSFLASH! by Qbertino · · Score: 2

    Facebook does Facebook things!

    Film at eleven.

    --
    We suffer more in our imagination than in reality. - Seneca
  9. Are you surprised? by Anonymous Coward · · Score: 1

    Tell me, who the hell is surprised by any of this?

    Facebook exists to collect your data and monetize it. This was always about giving them as much information about you as possible.

    Fuck Facebook, and fuck anybody who works for Facebook .. these people deserve the same treatment .. publish the name, address, banking information, name of children and spouses.

    Let's see how these assholes like the surveillance society.

    Facebook is a company of assholes.

  10. GEN. CHAOS SUING TRUMP!!!! by Anonymous Coward · · Score: 0

    For theft of trademark.

    Wait. What? Stormy Daniels?

    https://assets.documentcloud.o...

    28 pages.

    My GAWD what will Trump do this time? "Nuculer War is Good"?

  11. Switched off != Powered off by Rosco+P.+Coltrane · · Score: 2

    That sort of shenanigan (and the desire to lower my electricity bill) is why I have a physical switch to remove the power to the devices I don't trust. That includes PCs with wake-on-lan and shady BIOS code from Intel and whatnot.

    With the power off, the only way for a device to phone home is to have its own battery and an internal 3G modem. Not impossible but not very likely, since sneaky manufacturers probably rely on people pushing the fake power-off button.

    As for cellphones, since it's getting hard to find devices with removable batteries, I transport mine in a metal lunchbox. Yes I'm paranoid, but I'm proven right more and more everyday...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Switched off != Powered off by Anonymous Coward · · Score: 0

      When a hacker simultaneously stealth updates all devices having a particular application or operating system through the airwaves and bricks them all, at least possibly one will survive...

      I don't believe these companies controlling our hardware understand the vulnerability they are unleashing.

    2. Re:Switched off != Powered off by Anonymous Coward · · Score: 0

      I transport mine in a metal lunchbox.

      Is it the UFO television show one: http://www.greatestcollectibles.com/wp-content/uploads/2012/05/73-UFO.jpg

    3. Re:Switched off != Powered off by Anonymous Coward · · Score: 0

      Some wifi enabled devices will search for an open internet connection, even if you block them on your router/firewall.

      How's the security next door?

    4. Re:Switched off != Powered off by Anonymous Coward · · Score: 0

      ..., but I'm proven right more and more everyday.

      Uh, what you actually meant to say there was every day, not everyday.

      Note that "everyday" is an adjective, e.g., an everyday occurrence. "Every day" means "each day."

  12. Why? by Anonymous Coward · · Score: 0

    Why would anyone want to use a VPN that spies on them?

    1. Re:Why? by Anonymous Coward · · Score: 0

      How can you find one you can be certain does not?

    2. Re: Why? by Anonymous Coward · · Score: 0

      Build my own image, host the image in EC2, change machines

  13. Quit FB by DigiShaman · · Score: 1

    I quit FB a year ago, and never looked back. Not just stopped using it, I actually closed the account out. "Deleted", but technically more like suspended in the FB database someplace. In any case, it's gone, and out of public view including off the radar of my Friends list.

    I still keep in touch IRL with a few of them, but do yourself, and humanity a favor, GET RID OF THE ACCOUNT!

    --
    Life is not for the lazy.
    1. Re:Quit FB by Anonymous Coward · · Score: 0

      People are often shocked when I mention I have never had one. Especially given that I write software. The assumption is that all people involved in technical fields must have Facebook. I prefer making friends the old fashioned way.

    2. Re:Quit FB by Anonymous Coward · · Score: 0

      I quit FB a year ago, and never looked back. Not just stopped using it, I actually closed the account out. "Deleted", but technically more like suspended in the FB database someplace. In any case, it's gone, and out of public view including off the radar of my Friends list.

      You need to go a lot further ... you need to block facebook.com and facebook.net from your browsers entirely, or they WILL follow you around the internet. An abysmal amount of sites cross link to Facebook, so they still track you and see you even if you've closed your account.

      Grab an extension like HTTP SwitchBoard on Chrome, or uMatrix on Firefox and you can start telling your browser to simply block domains, or scripts, or various other things.

      Honestly, I think Facebook is reaching the point where it needs to be regulated, along with all of the other parasites on the internet. No, I do not consent to Facebook tracking me ... no, I do not consent to every asshole ad and analytic company tracking me.

      I'm pretty much of the opinion that if you work for these companies, then doxxing, hacking and pretty much anything else is fair game.

      Way too many entities have given themselves permission to track us, and Facebook is the worst of the bunch. It's time we started doing something about it. The problem is idiot lawmakers would never do anything to curtail what corporations do in seek of profit.

      At this point, Zuckerfuck is pretty much the enemy of personal privacy, because everything his company does is pretty much built for that. As such, he and anybody who works at Facebook should be vigorous targets .. fuck 'em, show them what they're doing to the rest of us. The fact that you're now a billionaire douchebag doesn't mean you get privacy while we don't, and that includes his family.

  14. Fifth branch of government by Anonymous Coward · · Score: 0

    I actually think we need to have a new elected branch of government that has sole control over forming rules and authorising data surveillance. Technology is making this sort of data collection inevitable (and trivial) and no politician is ever going to risk having to explain why they weren't mass surveilling all the 'bad people' when confronted by the rabid 'think of the children' brigades. In the same way we have an independent central banking system (to allow hard economic medicine to be administered), we need an independent branch of government that is elected in the narrow context of a debate about privacy vs security.

    At the very least, if sufficiently independent, it would make it that little bit harder for the next dictator to circumvent the democratic process.

  15. Shocking! by grasshoppa · · Score: 2

    Facebook, known paragon of personal privacy, tracking you in a vpn?

    Seriously, what dumbass was shocked by this? I would expect the only reason to use a facebook branded VPN would be so your information is collected.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Shocking! by Anonymous Coward · · Score: 0

      I'm shocked--shocked!

      Well not that shocked.

  16. Facebook VPN by Anonymous Coward · · Score: 0

    You have to be the dumbest a44 on earth to use facebook vpn...

  17. SlashFarce by Anonymous Coward · · Score: 0

    Log in is Busted.

    Are is still fucked for some people? Worked yesterday.

  18. Surprise! by Anonymous Coward · · Score: 0

    A VPN from a company whose business model is to sell ad impressions targeted using data collected without regard to means stealing information is not really news, it is to be expected. Really as surprising as a dog who likes meat.

  19. Your Info Their Profit by sdinfoserv · · Score: 1

    THE business model of FB is to sell "your information" (just like every other social media site and search engine). No one with more than 2 firing neurons should expect anything less than every single keystroke tracked, recorded, monitored, analyzed and monetized.
    It's a business, a business to make profit, off you....
    So, go ahead and put that Amazon Echo, Google Home or Nest in your house and feel completely secure that nobody is listening to background sounds and determining what you're doing and what can be sold to you. (or what can be subpoenaed.. later....)

  20. And? by thegarbz · · Score: 1

    Sounds like perfectly normal metrics for a VPN software vendor to want to know about their device:

    How long it gets used, if it is used in the background or foreground, and what percentage of user data travels via a metered connection. I'm really struggling to get upset about this even in the slightest.

  21. Better Zuckerberg than Maduro by williamyf · · Score: 1

    I live in Venezuela, and deployed this so called VPN a few days ago.

    With it enabled, I can use sites/apps prohibited by the government (www.dolartoday.com) as well as sites/apps that became collateral damage of the censorship (Formula Live24 2018).

    I don't use a VPN to access geo-restricted content, or to hide shady practices online. I use it just to access restricted sites from an oppressive regime, and to be safer when using public/free wifi in airports and coffee shops...

    Facebook already knows a lot about me, because I told them, willingly (my only complaint is that they do not use that info wisely).

    If they get to know a little bit more about me, so be it. In the meantime, this VPN is free, it lets me do what I need, is well maintained and, when the time comes, I can move to a stronger solution... What's not to like?

    Privacy is dead, get over it!

    https://www.youtube.com/watch?...

    --
    *** Suerte a todos y Feliz dia!
    1. Re:Better Zuckerberg than Maduro by Anonymous Coward · · Score: 0

      If privacy is dead then you should upload naked pictures of yourself to facebook, you know, because what have you got to hide?

    2. Re:Better Zuckerberg than Maduro by williamyf · · Score: 1

      If privacy is dead then you should upload naked pictures of yourself to facebook, you know, because what have you got to hide?

      I would, but those are banned, so I pose with Speedos during my scuba diving trips. ;-)

      Having said that, "Privacy is dead. Get over it!" is the name of a now famous talk, linked at the end of my post.

      PS: I use speedos while scuba diving, because it makes it easier to get in/out of the wetsuit. The picture opportunities are an added bonus... ;-)

      --
      *** Suerte a todos y Feliz dia!
  22. Well by DaMattster · · Score: 1

    I must admit that this is not shocking! After all, it is a Facebook product and Facebook makes its money by harvesting data and re-selling it. I have a bridge to sell anyone who is surprised at this. It's cherry, only lightly used.

  23. And the WhatsApp people by Anonymous Coward · · Score: 0

    will still be thinking it's private and encrypted communication because for some damn reason none of them will admit how much control Facefarm has over it. They own it. Wake up. Move on.

  24. Color me not surprised by Anonymous Coward · · Score: 0

    LOL of course it does. People who actually downloaded Onavo, do yourself a favor and get ExpressVPN instead.

  25. Facebook app collects data from non-users by knorthern+knight · · Score: 1

    Even if you don't have an account, that effing "F" on your stock Android smartphone is scanning through your contact list etc, and sending info back to the mothership.

    To re-purpose an old meme... only crAPPy crAPPy crAPPs crAPP on your privacy.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user