A VPN Designed to Spy On You
February 14, 2018 4:43 PM   Subscribe

Facebook has begun promoting a new "Protect" feature in its mobile app, which will send you to the App Store to download a VPN service called Onavo. Gizmodo: "Millions of people use VPNs to enhance their privacy online. But that is not Onavo’s function....The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. "

Marketing Onavo within Facebook itself could lead to a boost in users for the VPN app, which promises to warn users of malicious websites and keep information secure – like bank account and credit card numbers – as you browse. But Facebook didn’t buy Onavo for its security protections.

Instead, Onavo’s VPN allow Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps’ new features appear to be resonating with their users, and much more.
How-To Geek:
When you turn Onavo Protect on, however, you are routing all of your internet traffic through Facebook’s servers, where the information is decrypted for them to see. The Wall Street Journal published an article about this last year, but you don’t even need to dig that much to find this out—Onavo Protect tells you about it when you first open the app:

When you use our VPN, we collect all the info that is sent to, and received from, your mobile device. This includes info about: your device and its location, apps installed on your device and how often you use those apps, the websites you visit, and the amount of data you use.

This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.
Each of the links above note alternative VPN services that don't send all your activity to Facebook.
posted by Existential Dread (47 comments total) 22 users marked this as a favorite
They "trust me" — dumb fucks
posted by leotrotsky at 4:47 PM on February 14, 2018 [44 favorites]

Various less prominent VPNs claim to offer privacy, but there is no guarantee they aren't doing the exact same thing. Hell, I would imagine some of the VPNs branded to attract darkweb users are forwarding data to law enforcement.

A VPN that is compromised is probably worse than no VPN.
posted by andrewpcone at 4:47 PM on February 14, 2018 [10 favorites]

That might be a 'virtual network' but its missing the private part of a VPN.

You just know less savy users will get fooled.
posted by WaterAndPixels at 4:54 PM on February 14, 2018 [4 favorites]

Right in time for the midterms!
posted by gucci mane at 5:01 PM on February 14, 2018 [1 favorite]

Then they use the information collected to aid anyone with money. Including Rubles. They're spies for hire. America used to execute spies.
posted by adept256 at 5:15 PM on February 14, 2018 [6 favorites]

This is VERY COMMON and probably de rigueur for free VPN apps. They do protect you from eavesdropping, but on the other hand, they track everything you do on the Internet and sell your data.
posted by chrchr at 5:18 PM on February 14, 2018 [3 favorites]

And of course people will shrug at the new normal and accept this and any new abuse facebook imagines as the unspoken price for using it. Privacy dies with a whimper.
posted by adept256 at 5:19 PM on February 14, 2018 [3 favorites]

That is the opposite of protecting you from eavesdropping.
posted by adept256 at 5:21 PM on February 14, 2018 [6 favorites]

This is supervillain shit.
posted by schadenfrau at 5:31 PM on February 14, 2018 [9 favorites]

As with everything else on the internet, if you are not the customer you are the product.
Caveat Emptor
posted by hmolwitz at 5:33 PM on February 14, 2018 [2 favorites]

This is your aperiodic reminder that if you want a VPN and you have a genuine need, spin one up yourself. OpenVPN or Streisand will do the trick, and it's not hard.
posted by The Gaffer at 5:37 PM on February 14, 2018 [19 favorites]

Already been on FB hiatus since Jan 1. This is one more reason to download my shit and delete my account. Goddamn I really hate pretty much everything this company does, even if it does make it easier to stay in touch with family. Really thinking making that harder is worth leaving the palace of Zuck forever.
posted by lazaruslong at 6:08 PM on February 14, 2018 [1 favorite]

Messenger is also a clinging, invasive vine. I turned it back off and kicked it out of my phone. I have nevernsynched anything so it was easy to see the new, invasive tracking legislators allowed.
posted by Oyéah at 6:25 PM on February 14, 2018 [1 favorite]

Cue the obligatory round of excuses for people to keep using the piece of shit surveillance/thought control services from this piece of shit company.
posted by tobascodagama at 6:45 PM on February 14, 2018 [4 favorites]

Just wait until Fb turns on the javascript mining code.
posted by glonous keming at 6:56 PM on February 14, 2018 [2 favorites]

An even more up-to-date resource for VPN comparison is That One Privacy Site.
posted by glonous keming at 7:16 PM on February 14, 2018 [13 favorites]

Oh yeah, I forgot about that one. Tons of information there!
posted by Greg_Ace at 7:22 PM on February 14, 2018

Every few months I think, "maybe I should get a Facebook account. There are so many groups there that I can't participate in. And there's a few games I'd like to try. And there's that person I knew in junior high that I'd love to try reconnecting with..."

And I think about it for a couple of weeks, and sure enough, like clockwork, I run into some news article about "Facebook Finds New Ways to Be Vile to Its Users."
posted by ErisLordFreedom at 8:02 PM on February 14, 2018 [5 favorites]

This is why I run my own VPN. Costs about $2.50/mo, or you could run it for free off your home internet connection.
posted by ryanrs at 8:05 PM on February 14, 2018 [1 favorite]

Who says the "P" in "VPN" stands for "Private"? Why, it could stand for anything! Protected. Public. Police. Panda. Poop.

Virtual Panda Network.
posted by clawsoon at 8:20 PM on February 14, 2018 [2 favorites]

Vile Populist Neologism.
posted by I-Write-Essays at 9:08 PM on February 14, 2018 [1 favorite]

Virtual Private Newts. Which is also my new band name.
posted by Greg_Ace at 9:09 PM on February 14, 2018

Visibly Poopy Nanotech?

And people wondered I refused to install Messenger or WhatsApp.
posted by Samizdata at 9:52 PM on February 14, 2018

Facebook is so desperate for engagement, it's spamming users via their 2FA numbers

Google Ads did the same thing with 2FA numbers collected from users of Gmail and Google+ services. This activity was not widely reported by the press. Even when their numbers are blocked, they would robocall from different telephone numbers from different states, so as to cover their tracks. The calls would consist of an initial call to verify that the number was live, and a second robocall to verify that the number was live and then connect with a human being to initiate the sales pitch.
posted by a lungful of dragon at 10:16 PM on February 14, 2018 [1 favorite]

I'll just leave this here ...


According to his recounting of the meeting, she asked him if he had been in touch with Nuñez. He denied that he had been. Then she told him that she had their messages on Gchat, which Fearnow had assumed weren’t accessible to Facebook. He was fired. “Please shut your laptop and don’t reopen it,” she instructed him.
posted by Enturbulated at 10:32 PM on February 14, 2018 [9 favorites]

Thanks Enturbulated, interesting! From the article:
[During] Facebook’s Q3 earnings call [...] What the company really seeks is for users to find their experience to be “time well spent,” Zuckerberg said
Alex Hardiman, the head of Facebook news products and an alum of The New York Times, started to recognize that Facebook had long helped to create an economic system that rewarded publishers for sensationalism, not accuracy or depth. “If we just reward content based on raw clicks and engagement, we might actually see content that is increasingly sensationalist, clickbaity, polarizing, and divisive,” she says. A social network that rewards only clicks, not subscriptions, is like a dating service that encourages one-night stands but not marriages.
posted by Chuckles at 11:58 PM on February 14, 2018 [3 favorites]

Don't use VPN services, the only safe assumption is that every VPN provider logs everything.
posted by Lanark at 1:12 AM on February 15, 2018 [3 favorites]

I used to watch some BBC iPlayer shows with an OpenVPN setup on a $5/mo Linode VPS in their London datacenter. Requires some technical savvy, but not excessively, and there are plenty of guides out there for setting this up for the relative layman. It was a good experience and I'd definitely recommend it instead of any third-party service out there, if you can swing it.
posted by jklaiho at 1:46 AM on February 15, 2018

Facebook is now in the same league as those shady Shareware download sites from the early 00s that bundled toolbars and "PC optimisers" with everything and made your dad's PC look like this.
posted by parm at 2:02 AM on February 15, 2018 [8 favorites]

Interestingly enough, surveys show that Facebook's demographics are skewing older, as young people leave the platform for others and over-55s join. (Younger people are often going to other Facebook-owned platforms like Instagram and WhatsApp, allowing Facebook to monetise them whilst differentiating their platforms by demographic, further cementing Facebook's place as The Site For Old People.) Which does make one wonder whether, in realising that a significant proportion of their demographic are seniors, Facebook are deliberately moving into the scamming business.
posted by acb at 2:52 AM on February 15, 2018 [4 favorites]

Apparently, they even make you install a root certificate to decrypt TLS traffic. In contrast to Facebook's other privacy invasions, this is also a security nightmare.
posted by luk at 3:49 AM on February 15, 2018 [3 favorites]

Apparently, they even make you install a root certificate to decrypt TLS traffic.

Jesus mother of fuck. Surely, this.
posted by acb at 4:08 AM on February 15, 2018

Can someone point out more explicitly where in luk's link there's confirmation it installs a root certificate? I'm struggling to find where that is.
posted by edd at 4:31 AM on February 15, 2018

yeah I'm not seeing it either.
posted by Old Kentucky Shark at 4:42 AM on February 15, 2018

Apparently, they even make you install a root certificate to decrypt TLS traffic.

More of a VPMITM.
posted by jaduncan at 4:44 AM on February 15, 2018 [1 favorite]

A social network that rewards only clicks, not subscriptions, is like a dating service that encourages one-night stands but not marriages.

So... much like some of the most popular dating sites/apps today?
posted by Dysk at 4:46 AM on February 15, 2018

Their privacy policy is everything you'd imagine and more:
We may use the information we receive to provide, analyze, improve, and develop new and innovative services for users, Affiliates and third parties; to communicate with users; to support advertising and related activities; and to help protect ourselves or someone else. For example, Onavo may use your information to:

• Provide the Services, such as by compressing data and reducing your mobile data usage, monitoring active apps on your device, and encrypting data traffic;

• Communicate with you, including about products, services, and events; respond when you communicate with us; and send you information you request or that we think might interest you, such as App updates;

Analyze how you use applications and data. For example, we may combine the information, including personally identifying information, that you provide through your use of the Services with information about you we receive from our Affiliates or third parties for business, analytic, advertising, and other purposes; [my emphasis]

Provide market analytics and other services to Affiliates and other third parties;

• Maintain, improve or administer our Services; perform business analyses; provide advertising and related activities either independently or in connection with our Affiliates; or otherwise support our internal operations by activities such as troubleshooting, data analysis, testing, and research;

• Enforce our Terms of Service; prevent unlawful activities and misuse of the Services; protect the legal rights, property, safety, and security of Onavo, our Affiliates, and our users; and resolve disputes involving you relating to the Services; and

• Comply with applicable laws and assist law enforcement when we have a good-faith belief that such cooperation is reasonably necessary or meets the applicable legal standards.
So, let's see. That's data (including PII!) that they or third parties can use for marketing, behaviour analysis, research and ad targeting. Well.

If it looks like spyware and has the privacy policy of spyware, well, let's just call it spyware.
posted by jaduncan at 4:54 AM on February 15, 2018 [10 favorites]

If it looks like spyware and has the privacy policy of spyware

but it's new! and innovative! and a service!
posted by halation at 5:11 AM on February 15, 2018

As others have noted, it's a sure bet that **ANY** free VPN service is either selling your data to anyone and everyone, or run by some intelligent agency [1], or both.

As far as paid VPN's go... yeah you basically have to take their word for it and that's a disturbing thing. I think there's an opportunity there for some outside auditing and certifying entity, the EFF comes to mind as a possibility, to actually verify that the VPN is doing what it claims regarding logs and so on. Then, of course, you have to ask how far you trust whatever entity is doing the certifying, but I'd trust the EFF pretty far if they were doing it.

In general, with VPN's the same rule applies as it does to anything else: if you aren't paying for it then you're not the customer, you're the product.

[1] The persistent rumors are that China's MSS is behind a lot of them, but I'm a bit dubious, I'd assume the MSS is more worried about Chinese dissidents not random foreigners.
posted by sotonohito at 6:11 AM on February 15, 2018 [1 favorite]

I'd assume the MSS is more worried about Chinese dissidents not random foreigners.

Though data storage and computer power are cheap, and a wealth of behavioural intelligence on billions of random people around the world could be a useful resource, in case you need to find one individual whose combination of position, capabilities and manipulability make them useful. If you can punch in a query to find a list of people who may be varyingly useful, each with notes on how to incentivise them to coöperate, that could be a game-changer.

Not sure if the Chinese intelligence agencies are thinking that way, but I'm sure someone is. (The Facebook targeted propaganda during the US Presidential election and Brexit referendum, for one, are precedents, though using only Facebook demographic data at an arm's length.)
posted by acb at 6:40 AM on February 15, 2018 [2 favorites]

> Not sure if the Chinese intelligence agencies are thinking that way, but I'm sure someone is.

The question to ask yourself is: If you ran GCHQ, how many cookie cutter VPN companies, running on commercial cloud platforms, would you have spun up by now? And how loudly would your companies yell about being log-free?

Multiply that by the number of intelligence agencies in the world, and you'll have a feel for what proportion of VPN companies are trustworthy.
posted by Leon at 7:33 AM on February 15, 2018

So, if you're a subversive operating in Britain, make sure you use a VPN company run by the Chinese PLA or Belarussian KGB or someone, not a Five Eyes-affiliated one. Too many anarchist bombmakers got collared after inadvertently running their traffic through one run by the New Zealand GCSB or someone.

And if you're Five Eyes and running VPN honeypots to trap domestic troublemakers, you might do well to spread rumours about them being affiliated with the secret services of hostile foreign countries.
posted by acb at 8:20 AM on February 15, 2018

I just set up a StrongSwan vpn using algo which was easy on the server side but a bit annoying on the client side. It's on a $5 a month shard that I rent.

Which doesn't protect me from Five Eyes but I suspect they can profile me upstream as well at the Amazon/Google/FaceBook end. Mostly it's insurance from script kiddies hijacking public wifi and AT&T building a profile of my sex life, medical concerns, and disposable income.
posted by GenderNullPointerException at 9:27 AM on February 15, 2018

My VPN providers aren't in a monopoly position, so their ability to get away with bullshit is limited compared to most ISPs.
posted by jaduncan at 9:31 AM on February 15, 2018

FWIW, I consider iVPN to be a trustworthy VPN service. They have great privacy guides, and one of them contributes to Whonix, a security-oriented privacy networking framework. I wouldn't expect them to protect me from focused law-enforcement scrutiny, but at least I know I am a valued customer there, which is explicitly not the case with facebook's service. (They cost about $100/year.)
posted by Coventry at 3:52 PM on February 15, 2018 [1 favorite]

« Older Hurtigruten is the best Gruten   |   “It's all about the characters and their trials... Newer »

This thread has been archived and is closed to new comments