VIOLATED: Facebook’s very own VPN app under “Onavo Protect” keeps tracking users even when turned off

The internet used to be a relatively safe place. As long as you followed certain browsing guidelines, you could be fairly sure that your personal info was safe, and that you didn’t need to worry about shady individuals who were looking to steal it for their own personal gain.

And in case your own efforts to keep your data safe aren’t enough, there are specialized tools that you can use to help protect yourself online. But when the tools themselves are the ones doing the spying on you…well, that’s a different matter entirely. And a much more dangerous one, at that.

It may sound like a pretty scary yet unlikely scenario, but it seems like that’s exactly the kind of thing that has happened with Facebook’s own VPN, the mobile app called Onavo Protect. This app was first acquired by the social media giant a few years back, but until now it has stayed pretty much under the radar. After a thorough investigation by one security researcher, the truth about it has finally been revealed.

Will Strafach, the Chief Executive Officer of the Sudo Security Group, said he made the conscious decision to investigate the code used in the version of the app available for iPhones and iPads in order to determine “what types of data is collected in addition to the alleged per-app-MAU (monthly active users) tracking that happens” on the server side. He found that it uses certain app elements that allow it to run in the background and keep collecting data about users, particularly about their actions on their phones, even when the app itself has supposedly been turned off.

In revealing the details of his investigation, Strafach said that Onavo Protect periodically sends “the following data to Facebook as the user goes about their day:”

  • When user’s mobile device screen is turned on and turned off;
  • Total daily Wi-Fi data usage in bytes (even when VPN is turned off);
  • Total daily cellular data usage in bytes (even when VPN is turned off); and
  • Periodic beacon containing an “uptime” to indicate how long the VPN has been connected.

Strafach does a good job of summarizing the short history of Onavo Protect, from its early days as an independent third-party security app in 2011, to its multi-million dollar acquisition deal with Facebook where it became an add-on feature to the official Facebook app. “Onavo Protect collects device information, network analytics, and ‘fact of’ certain events occurring,” he explained, referring to details of the data collection it performs. It isn’t clear how exactly Facebook uses all this seemingly random and inconsequential data, but it’s being collected and sent to Facebook services, for sure.

Facebook is no stranger to doing morally questionable stuff within the confines of its sites and other properties. In 2016, it was discovered that it deliberately censors content on a number of topics, including immigration and vaccines. The mere fact that the service, as well as the company itself, has stayed up after all these years is indicative of a bigger problem.

Recently, Facebook found itself in hot water yet again when an investigative report showed how it was used to manipulate millions of Americans across the country, and even more people in other countries across the world. At this point, it’s quite clear that it could only be a matter of time before it gets taken down for good. If it keeps up all these shady and morally questionable practices, that will probably happen sooner rather than later. For now, your best move to avoid any problems that might happen because of Facebook is to simply stop using it.
