Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Facebook Privacy Social Networks Your Rights Online

Facebook's VPN Service Onavo Protect Collects Personal Data -- Even When It's Switched Off (medium.com) 67

Security researcher Will Strafach took a look at Onavo Protect, a newly released VPN service from Facebook: I found that Onavo Protect uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected, in order to periodically send the following data to Facebook (graph.facebook.com) as the user goes about their day:
When user's mobile device screen is turned on and turned off.
Total daily Wi-Fi data usage in bytes (Even when VPN is turned off).
Total daily cellular data usage in bytes (Even when VPN is turned off).
Periodic beacon containing an "uptime" to indicate how long the VPN has been connected.

This discussion has been archived. No new comments can be posted.

Facebook's VPN Service Onavo Protect Collects Personal Data -- Even When It's Switched Off

Comments Filter:
  • Farcebook (Score:2, Interesting)

    by Anonymous Coward
    It gets worse by the day
  • by DontBeAMoran ( 4843879 ) on Wednesday March 07, 2018 @10:09AM (#56221381)

    VPN from Facebook? Of course they're going to collect data!

    I'd go as far as calling it a VFN instead, there's probably nothing private about it.

    • by gnick ( 1211984 )

      You've GOTTA trust your VPN. What choice is there? That said, pick a VPN you can trust. It might be worth that $40/yr not to pipe shit through FB.

    • by Anonymous Coward

      Well consumer affairs should get involved. There is no P in private, if they get a tracable data back. Do not use the word private. use Shared (VSN) Group(VGN) or Compromised (VCN).
      Pulling this trick is just as bad as VW - reality is not the same as advertised.

      In the meantime can some clever soul modify the outgoing packets to say you have been conencted 56 hours in the past 4 hours and other bad numbers to thorougly mess up their reporting.

      • by gnick ( 1211984 )

        reality is not the same as advertised

        That's a lesson I'm learning over and over again. Pretty sure this isn't the life I signed up for, but it looks like I'll be sticking with it. I was told there would be cake.

    • A couple things to consider. Not that I'm trying to defend facebook, i'm not. But:

      1) No one should ever think that their VPN can't see their traffic. They can. But they can prevent outside observers from seeing your traffic. I can use a VPN to prevent comcast from keeping logs on me, or when at the coffee shop on their crappy open wifi so that the rest of the patrons can't see what I'm doing.

      2) Even though we're thinking that this app is only for those of us in the West, their VPN COULD (and, I repeat, coul

      • 1) I believe that a *reputable* VPN service would encrypt everything over their network so that while they can tell where you are browsing to, even they can't tell what you're doing once there. With current state of the art, only onion routing gives any real measure of privacy and even then, only if you stay in the network. As far as I know, given control of enough exit nodes and the ability to capture traffic at the ISP you can tie exiting traffic to specific users/machines.

        2) Facebook, like any other com

  • This is, after all, a company based on selling users meta-data in various forms. VPN's were a threat to that collection.
  • People are clueless. They don't get it: unless you have the applications source code you have NO IDEA what the software is doing. It could be sending your credit card number to hackers. It could be sending your photos to the FBI. It could be doing nothing at all. Stop using closed source software and you won't have these issues.
    • Re: Clueless (Score:5, Insightful)

      by Maelwryth ( 982896 ) on Wednesday March 07, 2018 @10:24AM (#56221443) Homepage
      Even with 100% open source people wouldn't read it all. People don't even read privacy policies or EULA's. What we need is either ethics in business or laws to deal with it. I prefer laws.
      • Re: Clueless (Score:4, Insightful)

        by Chris Mattern ( 191822 ) on Wednesday March 07, 2018 @10:49AM (#56221533)

        With 100% open source, most people won't read it all. But a few will. That makes it tough to keep any dirty work under wraps. Look at this article. Facebook's VPN is closed source, but the packets it sends can't be hidden from a determined user. Does the average user packet sniff what it does? Of course not. But somebody does, and the cat's out of the bag.

        • But a few will.

          No they won't. That has been proven time and time again. Long standing bugs have survived in critical projects for long periods of time. Major work was done to audit the code of something as important as encryption software and that software released 2 additional versions ceased existing and then forked by the time the first audit was done making the exercise futile.

          You DON'T know what's in your software period. Even if the source code is available. People not only don't read it but there's no practical way

          • I would submit that there's a difference between subtle bugs (which the few people who read the source might not catch) and blatant Trojan behavior (which would stick out like a sore thumb).

            • Then you would be very wrong. There have been many documented cases of trojan behavior being very much identical to a subtle bug.

              Do you not remember when this line got submitted to the Linux Kernel as a patch:

              if ((options == (__WCLONE|__WALL)) && (current->uid = 0))

              An = is all that separates a bug from a confirmed and purposeful back door to elevate user access.

    • People are clueless.

      "“No one ever went broke underestimating the intelligence of the American public.” -- H. L. Mencken

      It could be sending your photos to the FBI. It could be doing nothing at all.

      The former head of the FBI ran a private FBI within the FBI to collect dirt on folks he wanted to . . . "influence".

      By the time of his death Hoover’s scandalous private and personal files numbered in the thousands, including 883 senators, 722 congressmen, 12 Supreme Court judges and hundreds of celebrities.

      When Zuckerberg becomes President of US, he won't need the help of the FBI . . . he will have all he needs from Facebook and their pals in privacy crime.

      Stop using closed source software and you won't have these issues.

      Try explaining that to people who are clueless . . . I gave up a long time ago. When I did try to explain that Facebook's business

    • They don't get it: unless you have the applications source code you have NO IDEA what the software is doing.

      That's not true. For instance, Alexa has a "stop listening" button. I have no access to the source. However, I can trivially see if Alexa is sending any data to the mothership while that setting is on. Now, it could cache the data to send, but IIRC, the amount of audio it can store is asserted to be under a minute. And that should be checkable by examining how much memory it has.

  • if you thought a VPN from Facebook would be a good idea, what were they expecting? And who the heck would want to ever use this? FB employees?
  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Wednesday March 07, 2018 @10:33AM (#56221471)

    Facebook does Facebook things!

    Film at eleven.

  • by Anonymous Coward

    Tell me, who the hell is surprised by any of this?

    Facebook exists to collect your data and monetize it. This was always about giving them as much information about you as possible.

    Fuck Facebook, and fuck anybody who works for Facebook .. these people deserve the same treatment .. publish the name, address, banking information, name of children and spouses.

    Let's see how these assholes like the surveillance society.

    Facebook is a company of assholes.

  • by Rosco P. Coltrane ( 209368 ) on Wednesday March 07, 2018 @10:48AM (#56221523)

    That sort of shenanigan (and the desire to lower my electricity bill) is why I have a physical switch to remove the power to the devices I don't trust. That include PCs with wake-on-lan and shady BIOS code from Intel and whatnot.

    With the power off, the only way for a device to phone home is to have its own battery and an internal 3G modem. Not impossible but not very likely, since sneaky manufacturers probably rely on people pushing the fake power-off button.

    As for cellphones, since it's getting hard to find devices with removable batteries, I transport mine in a metal lunchbox. Yes I'm paranoid, but I'm proven right more and more everyday...

  • I quit FB a year ago, and never looked back. Not just stopped using it, I actually closed the account out. "Deleted", but technically more like suspended in the FB database someplace. In any case, it's gone, and out of public view including off the radar of my Friends list.

    I still keep in touch IRL with a few of them, but do yourself, and humanity a favor, GET RID OF THE ACCOUNT!

  • by grasshoppa ( 657393 ) <skennedy@tpno-co.oLISPrg minus language> on Wednesday March 07, 2018 @11:09AM (#56221619) Homepage

    Facebook, known paragon of personal privacy, tracking you in a vpn?

    Seriously, what dumbass was shocked by this? I would expect the only reason to use a facebook branded VPN would be so your information is collected.

  • THE business model of FB is to sell "your information" (just like every other social media site and search engine). No one with more than 2 firing neurons should expect anything less than every single keystroke tracked, recorded, monitored, analyzed and monetized.
    It's a business, a business to make profit, off you....
    So, go ahead and put that Amazon echo, Google Home or Nest in your house and feel complete secure nobody is listening to background sounds and determining what your doing and what can be so
  • Sounds like perfectly normal metrics for a VPN software vendor to want to know about their device:

    How long it gets used, If it is used in the background or foreground, and what percentage of user data travels via a metered connection. I'm really struggling to get upset about this even in the slightest.

  • I live in Venezuela, and deployed this so called VPN a few days ago.

    With it enabled, I can use sites/apps prohibited by the government (www.dolartoday.com) as well as sites/apps that became colateral damage of the censorship (Formula Live24 2018).

    I dot use a VPN to access geo-restricted content, or to hide shaddy practices online. I use it just to access restricted sites from an oppresive regime, and to be safer when using public/free wifi in airports and coffee shops...

    Facebook already knows a lot about me

  • I must admit that this is not shocking! After all, it is a Facebook product and Facebook makes its money by harvesting data and re-selling it. I have a bridge to sell anyone who is surprised at this. It's cherry, only lightly used.
  • Even if you don't have an account, that effing "F" on your stock Android smartphone is scanning through your contact list etc, and sending info back to the mothership.

    To re-purpose an old meme... only crAPPy crAPPy crAPPs crAPP on your privacy.

Competence, like truth, beauty, and contact lenses, is in the eye of the beholder. -- Dr. Laurence J. Peter