Tuesday, February 13, 2018

Do not use Facebook's virtual private network Onavo: it is designed to spy on you


You may have seen a new button in Facebook’s mobile app lately: under the Settings menu, a “Protect” option leads you to download an app called Onavo Protect. Don’t do it.

If you head to Facebook’s settings and scroll down—you may need to click “More” to view more options—you’ll see this button. (On Android, you’ll need to go into “Mobile Data” first.)


Press it, and you’ll be taken to your phone’s respective app store to download Onavo Protect. This has been in both the iOS App Store and Android’s Google Play for a while, but the button within Facebook appears to be new. This app may seem like a good option for a free, security-focused app, but it isn’t. It’s a way for Facebook to spy on you…you know, more than they already are.

How VPNs Work

Onavo Protect is a Virtual Private Network, or VPN. We have a full rundown on what VPNs do here, but put simply: a VPN encrypts all your internet traffic and routes it through a server somewhere else.


Using a VPN has a few advantages. It can make you look like you’re in a different location, so you can watch the BBC’s coverage of the Olympics instead of NBC’s (lame) version. It can help you access your home or work network while traveling. And, since it encrypts all your traffic, a VPN can help thwart people who try to snoop your traffic while you’re using public Wi-Fi.

Onavo promises to do all of this, and for free. But, as with all things free, there’s a big catch.

What Onavo Protect Does
Onavo Protect was purchased by Facebook in 2013, for the express purpose of…you guessed it: mining your data.


See, Facebook can track a lot of what you do on the web, but it can’t track what you do in other apps on your phone. When you turn Onavo Protect on, however, you are routing all of your internet traffic through Facebook’s servers, where the information is decrypted for them to see. The Wall Street Journal published an article about this last year, but you don’t even need to dig that much to find this out—Onavo Protect tells you about it when you first open the app:

When you use our VPN, we collect all the info that is sent to, and received from, your mobile device. This includes info about: your device and its location, apps installed on your device and how often you use those apps, the websites you visit, and the amount of data you use.

This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.

According to the Journal, Facebook uses the data it gathers from Onavo Protect to know which apps its users open, when they do so, and where they do so, in order to gain an edge on its competitors. But Facebook can see a lot—if that app doesn’t encrypt its own traffic, in fact, they can see nearly everything you do in that app. (Thankfully, a lot of apps do encrypt their traffic separately from Onavo, which Onavo can’t see.)


You may be fine with Facebook collecting data on you—you are using Facebook, after all—but giving them access to everything you do online is a much bigger step, especially since many VPN users are doing so for increased security and privacy. This…is not that.

What You Should Use Instead
Finding a trustworthy VPN is hard. You have to trust the company that runs the VPN, as well as the company that provides internet on the other end of that VPN. But in general, we recommend staying away from free options—as always, if you aren’t paying for the product, you are the product.

Thankfully, if you’re worried about snooping on public Wi-Fi networks, just make sure the website you’re connecting to uses HTTPS—or that the app you’re using encrypts your connection. Many should, and that should be enough to keep your sensitive info out of the hands of most snoopers. Safari also warns you about fraudulent phishing websites by default.

On Android, Onavo also monitors your data usage, but there are better ways to do that as well.

If you want to use a VPN, you have a few options. We have a guide to finding the best VPN service for your needs here, and that should give you some insight, depending on what you want to do (shift your location, encrypt your traffic, and so on). You won’t find many that are free, though if you’re dead set against paying, TunnelBear is a decent option that does have a free tier limited to 500MB per month—which should be enough for the occasional coffee shop browsing on your phone. They make their money on the unlimited paid accounts, which cost $7.99 per month. SurfEasy and StrongVPN are also good options, though both are paid. Disconnect Pro is a VPN that also blocks tracking and malware, so it may be a good alternative to Onavo Protect if that’s what you’re looking for.


At the end of the day, we won’t say that using Onavo Protect is the worst thing you could do. But if your goal is to be private and secure online—which is the entire point of a VPN—why would you ever use one that lets Facebook track your every move?

