Facebook pulls its privacy-violating Onavo VPN from Apple’s App Store

Apple last week suggested that Facebook remove its Onavo security app from the App Store due to privacy rule violations. On Wednesday, Facebook complied.

Onavo, an Israel-based company that Facebook acquired in 2013, has been raising eyebrows for months. Facebook had been pushing people to download the virtual private network (VPN) app for “protection” without mentioning that it phoned home to Facebook with users’ app-usage habits, even when the VPN was turned off.

Back in March, after seeing media coverage of the app’s behavior and deciding to see for himself what it was up to, Sudo Security Group CEO Will Strafach published his findings about the data collected by Onavo Protect for iOS.

Strafach found that Onavo Protect “uses a Packet Tunnel Provider app extension, which should consistently run for as long as the VPN is connected”, and that the app uses this long-running extension to periodically send the following data to Facebook as the user goes about their day:

  • When the user’s mobile device screen is turned on and turned off.
  • Total daily Wi-Fi data usage in bytes (Even when VPN is turned off).
  • Total daily cellular data usage in bytes (Even when VPN is turned off).
  • Periodic beacon containing an “uptime” to indicate how long the VPN has been connected.

As the Wall Street Journal reported last year, Facebook had used that data to track its competition and scope out new product categories.

Onavo Protect has been free to download from Apple’s App Store for years, sailing through Apple’s app review with regularly approved updates. In addition to warning users about malicious sites, it lets them set up a VPN that routes their internet traffic through one of Facebook’s servers, which Facebook bills as a way to “keep you and your data safe.” Like any VPN provider, the operator of those servers is in a position to see where all of a user’s traffic is going.

But that process enabled Facebook to collect and analyze users’ activity to find out how people use their phones beyond Facebook’s own mobile app. TechCrunch gave a few examples of how much this might benefit Facebook: the insights give it an early peek at apps that are becoming big hits, let it spot apps whose user uptake is slowing, and tell it which new features are appealing to users.

The snooping came to light after Facebook added a “Protect” option to its own iOS app that took users to Onavo Protect in the App Store.

Somebody familiar with the Onavo situation told the Wall Street Journal that earlier this month Apple told Facebook that the app violated new rules, put forth in June, that limited data collection.

Those new guidelines stipulated that apps that get users’ permission to access contact lists and photos can’t then use the information to build databases or sell it to third parties. The new rules also said that apps need consent when “recording, logging or making a record of a user’s activity” and that advertisements inside apps must allow users to see all the information used to target them.

The person said that Apple told Facebook that Onavo violated a part of its developer agreement that prevents apps from using data in ways that go beyond what’s directly relevant to the app or to provide advertising.

Apple officials reportedly told Facebook last week that Onavo violated the company’s rules on data collection by developers. On Thursday, they suggested that Facebook voluntarily remove the app.

An Apple spokesperson told CNBC that the company’s latest guidelines make it clear that Onavo’s behavior was out of line:

We work hard to protect user privacy and data security throughout the Apple ecosystem. With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing and must make it clear what user data will be collected and how it will be used.

In June, in hundreds of pages of written responses to questions from Congress, Facebook said that it’s not using Onavo data “for Facebook product uses” or to collect information about individuals. However, it did acknowledge that it uses Onavo to gather information about apps’ popularity and what people do with them, information it uses to improve its own products, without tying it to individual users.

Facebook sent media outlets a statement saying that it has always been upfront with users about Onavo, and that the Onavo privacy policy makes it clear that users are being tracked:

We’ve always been clear when people download Onavo about the information that is collected and how it is used. As a developer on Apple’s platform we follow the rules they’ve put in place.

Nonetheless, when Apple suggested last week that Facebook yank the app, Facebook agreed, and down it came.