The collection of user data while an app or service is being used is one
thing, but a security researcher noticed that Onavo seemed to gather
certain snippets of user data even when switched off.
Security researcher Will Strafach penned a blog post explaining his
exploration of the tool's code. He discovered that information is
collected and sent back to Facebook even when the Onavo VPN feature is
not actively being used. He identifies a number of pieces of information
that are collated into a log file, including location, usage data, and
more.
He goes on to say:
Onavo Protect will flush collected analytics information to log files from
memory if there are greater than 49 "events" waiting in RAM or if it
has been more than 2 minutes since the last flush.
The log files are then prepared for upload in a network request to
Facebook. Analytics data is sent in a POST request to
https://graph.facebook.com/v2.3/logging_client_events from the Packet
Tunnel Provider process (The Packet Tunnel Provider process would be
running at any time the VPN connection for Onavo is switched on,
enabling periodic analytics data uploads to Facebook even if the Onavo
Protect app is not open).
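The claim above can be checked from the outside without reading the app's code: capture the device's HTTP traffic and look for POST requests to the logging endpoint, noting which process sends them and how regularly. The script below is an added example, not code from the original article or from Onavo. It assumes a simple per-request log format (timestamp, process name, method, URL); that format and every log line in it are constructed for illustration, and only the endpoint URL comes from the article.

```python
"""Scan a captured HTTP log for background analytics uploads of the kind
described above: POSTs to the Facebook logging endpoint issued by the
Packet Tunnel Provider process rather than by the app itself.

Added example, not the article's or Onavo's code. The log format
"<ISO timestamp> <process> <method> <url>" and the sample lines are
constructed; only the endpoint URL is taken from the article.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Endpoint named in the article.
ANALYTICS_HOST = "graph.facebook.com"
ANALYTICS_PATH = "/v2.3/logging_client_events"

# Constructed sample capture: the app process is idle while the tunnel
# provider keeps uploading roughly every two minutes, which is what the
# described "flush after 2 minutes" timer would produce under light use.
SAMPLE_LOG = """\
2018-02-13T10:00:05 OnavoProtect GET https://graph.facebook.com/v2.3/me
2018-02-13T10:02:10 PacketTunnelProvider POST https://graph.facebook.com/v2.3/logging_client_events
2018-02-13T10:04:12 PacketTunnelProvider POST https://graph.facebook.com/v2.3/logging_client_events
2018-02-13T10:04:30 PacketTunnelProvider GET https://example.com/page
2018-02-13T10:06:11 PacketTunnelProvider POST https://graph.facebook.com/v2.3/logging_client_events
2018-02-13T10:06:40 Mail GET https://mail.example.com/inbox
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, process, method, url)."""
    ts, proc, method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, method, url


def is_analytics_upload(method, url):
    """True only for a POST whose host and path match the logging endpoint."""
    parts = urlsplit(url)
    return (method == "POST"
            and parts.hostname == ANALYTICS_HOST
            and parts.path == ANALYTICS_PATH)


def find_analytics_uploads(log_text):
    """Return (timestamp, process) for each analytics POST, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, method, url = parse_line(line)
        if is_analytics_upload(method, url):
            hits.append((ts, proc))
    return hits


def upload_intervals_seconds(hits):
    """Seconds between consecutive uploads; a steady value suggests a timer-driven flush."""
    return [int((later[0] - earlier[0]).total_seconds())
            for earlier, later in zip(hits, hits[1:])]


def uploads_by_process(hits):
    """Count uploads per sending process to show which component is talking."""
    counts = {}
    for _, proc in hits:
        counts[proc] = counts.get(proc, 0) + 1
    return counts


if __name__ == "__main__":
    uploads = find_analytics_uploads(SAMPLE_LOG)
    print("uploads by process:", uploads_by_process(uploads))
    print("seconds between uploads:", upload_intervals_seconds(uploads))
```

On the constructed capture every upload comes from the tunnel provider process and the gaps are about 120 seconds, which is the pattern to expect if fewer than 50 events accumulate and the two-minute timer is what triggers each flush. On a real capture the same two summaries (sender process and inter-arrival times) are what would confirm or refute the described behaviour.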
Strafach points out that analyzing the uploaded data is tricky, but asks a
number of questions about why Facebook appears to be collecting the data
it does:
How does Facebook use the "screen is on" and "screen is off" tracking data
obtained by Onavo Protect?
How does Facebook use the "total Wi-Fi data usage" and "total cellular
data usage" counts collected every day by Onavo Protect?
Does Facebook use the Device ID that Onavo Protect sends to
graph.facebook.com in any way to associate the user’s Onavo Protect
network traffic / browsing habits with their Facebook account?