Facebook Protect VPN: Researcher Finds Privacy Service Collecting User Data

A new analysis of Facebook’s virtual private network (VPN) service Protect has revealed the social networking giant may be using the supposed privacy tool to collect more data from its user base.

Security researcher Will Strafach dove into the code behind the Protect VPN app for iPhone and discovered the service sends a significant amount of data back to Facebook that provides the company with insight into how users are making use of the application.

According to the security expert, Protect VPN—developed by Onavo, which was acquired by Facebook in 2013—uses a “Packet Tunnel Provider” app extension that runs as long as the VPN is connected. This packet tunnel is used to periodically send certain information about app usage to Facebook.

Among the information collected and provided to Facebook:

• When user’s device screen is turned on and turned off

• Total daily Wi-Fi data usage

• Total daily cellular data usage

• Periodic update indicating how long the VPN has been connected

The application also gathers information about the device it is running on and provides that to Facebook. That information includes cellular carrier name, mobile network code, mobile country code, location, language and version of the device’s operating system.

Perhaps most troubling about the data collection identified by Strafach is the fact that Protect VPN gathers some information even when the application itself is turned off.

The security researcher also noted in his research that it was initially difficult to determine what information Protect VPN was collecting and transmitting, as the data uploads appear to occur inside the VPN’s packet tunnel, meaning the data being sent to Facebook is encrypted.

While the data being sent to Facebook may not seem particularly intrusive, even small packets of data can contain revealing or potentially identifying information and especially when paired with some of the unique device identifiers also collected by the app.

The very practice of collecting that data also violates the principle of a VPN, which is designed to be a privacy tool used to send and receive information securely. When a VPN works properly, it establishes an encrypted connection between the user’s device and a remote server. Any information, from web activity to user information to passwords, is sent first through that secured connection.

By filtering information through the remote server, a VPN shields that data from anyone on the public network, including internet service providers. Because the information is encrypted, it is effectively unreadable to anyone who might come between the user and the remote server.

The iOS App Store description for Onavo’s Protect VPN reveals the app’s intentions rather explicitly.

"Onavo collects your mobile data traffic," the App Store description reads. "This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we're part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences."

Facebook’s decision to integrate Onavo’s Protect VPN into its platform initially drew skepticism from privacy-minded users who had their doubts about Facebook’s intentions. Technology and lifestyle magazine Wired warned readers not to trust the service, citing Facebook’s history of using Onavo products for data collection.

The Wall Street Journal reported in August that Facebook used data from Onavo to track the popularity of upcoming startups and potential competitors in order to inform acquisition decisions.