Slashdot Mirror


Facebook's VPN Service Onavo Protect Collects Personal Data -- Even When It's Switched Off (medium.com)

Security researcher Will Strafach took a look at Onavo Protect, a newly released VPN service from Facebook: I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:
- When user's mobile device screen is turned on and turned off.
- Total daily Wi-Fi data usage in bytes (Even when VPN is turned off).
- Total daily cellular data usage in bytes (Even when VPN is turned off).
- Periodic beacon containing an "uptime" to indicate how long the VPN has been connected.

9 of 67 comments

  1. Farcebook by Anonymous Coward · · Score: 2, Interesting

    It gets worse by the day

  2. Is this supposed to be a joke? by DontBeAMoran · · Score: 4, Insightful

    VPN from Facebook? Of course they're going to collect data!

    I'd go as far as calling it a VFN instead, there's probably nothing private about it.

    --
    #DeleteFacebook
    1. Re:Is this supposed to be a joke? by gnick · · Score: 2

      You've GOTTA trust your VPN. What choice is there? That said, pick a VPN you can trust. It might be worth that $40/yr not to pipe shit through FB.

      --
      He's getting rather old, but he's a good mouse.
  3. Re: Clueless by Maelwryth · · Score: 4, Insightful

    Even with 100% open source people wouldn't read it all. People don't even read privacy policies or EULAs. What we need is either ethics in business or laws to deal with it. I prefer laws.

    --
    I reserve the write to mangle english.
  4. NEWSFLASH! by Qbertino · · Score: 2

    Facebook does Facebook things!

    Film at eleven.

    --
    We suffer more in our imagination than in reality. - Seneca
  5. Switched off != Powered off by Rosco P. Coltrane · · Score: 2

    That sort of shenanigan (and the desire to lower my electricity bill) is why I have a physical switch to remove the power to the devices I don't trust. That includes PCs with wake-on-lan and shady BIOS code from Intel and whatnot.

    With the power off, the only way for a device to phone home is to have its own battery and an internal 3G modem. Not impossible but not very likely, since sneaky manufacturers probably rely on people pushing the fake power-off button.

    As for cellphones, since it's getting hard to find devices with removable batteries, I transport mine in a metal lunchbox. Yes I'm paranoid, but I'm proven right more and more every day...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  6. Re: Clueless by Chris Mattern · · Score: 3, Insightful

    With 100% open source, most people won't read it all. But a few will. That makes it tough to keep any dirty work under wraps. Look at this article. Facebook's VPN is closed source, but the packets it sends can't be hidden from a determined user. Does the average user packet sniff what it does? Of course not. But somebody does, and the cat's out of the bag.

  7. Shocking! by grasshoppa · · Score: 2

    Facebook, known paragon of personal privacy, tracking you in a vpn?

    Seriously, what dumbass was shocked by this? I would expect the only reason to use a Facebook-branded VPN would be so your information is collected.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  8. Re:Of course it does by ctilsie242 · · Score: 3, Insightful

    What it boils down to is who is the paying customer. With FB, users are the product. Same with Google. This is why one uses a decent VPN, that you pay for, and where the VPN provider's reputation matters.

    VPNs are a must-have, just because ISPs and local endpoints do so many shenanigans.