The Facebook “Onavo Scandal” Redux – What You Need To Know

If you’re not already concerned about data privacy, you will be after reading this: Meta – as shown by unsealed court documents – has no respect for privacy or, apparently, for ethical practices.

And if you haven’t already got the memo: Big Tech isn’t your good buddy. It wants and craves your data, and it’ll go to extraordinary lengths to acquire it. That’s why it is now more important than ever to protect your online data and privacy.

With this in mind, I figured it was a good idea to do something of a redux on the Facebook x Onavo scandal from a few years ago. Most people I speak to have no idea about this case, its outcome, and what Meta, then called Facebook, actually did.

If you are one of those people, you’re in for a wild ride because this story has it all: spying, Man-in-the-Middle Attacks, lies, and a regulatory system that doesn’t seem to care what Big Tech gets up to.

How Meta Used Onavo VPN App as Spyware


Unsealed documents from a class action lawsuit against Facebook (now Meta) revealed the company had been intercepting and decrypting users’ encrypted web traffic to competitors’ sites like Snapchat, YouTube and Amazon.

The spying was enabled through a VPN app called Onavo that Facebook acquired in 2013.

While Onavo was originally marketed as a data compression and security tool, the lawsuit documents show Facebook transformed it into spyware after the acquisition.

In 2018, Facebook began promoting Onavo to iOS users under the banner “Protect” directly within the Facebook app. Users who clicked through were promised encryption and data compression, but in reality the app allowed Facebook to spy on traffic from any app on the user’s phone.

Back then, mobile data wasn’t as cheap as it is now, and users were always on the lookout for ways to reduce what they paid for it. Facebook knew this and pitched Onavo as a way to not only reduce their monthly data usage but also “protect” their privacy online.

The app was closed down in 2019, following a TechCrunch investigation.

Without Onavo, Facebook loses a powerful method of market research, and its future initiatives here will come at a higher price. Facebook has run tons of focus groups, surveys and other user feedback programs over the past decade to learn where it could improve or what innovations it could co-opt. And with more apps recently turning on encryption, Onavo likely started learning less about their usage. But given how cloning plus acquisitions like WhatsApp and Instagram have been vital to Facebook’s success, it’s likely worth paying out more gift cards and more tightly monitoring its research practices. Otherwise Facebook could miss the next big thing that might disrupt it.


Man-in-the-Middle Attack Decrypts Private Traffic

Facebook used this capability, internally dubbed “Project Ghostbuster”, to analyze how over 33 million Onavo users interacted with competitors’ apps.

The spying involved performing a “man-in-the-middle” attack, a technique in which an attacker secretly relays, and potentially alters, the communication between two parties who believe they are talking directly to each other.

In this case, Facebook installed its own root certificates on users’ devices so that it could impersonate the encrypted (TLS) connections of sites like Snapchat and YouTube. The device trusted the forged certificates, which allowed Facebook to decrypt the traffic, analyze it, and re-encrypt it before passing it on to the intended destination servers.
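
Certificate pinning is the standard app-side defence against exactly this kind of interception: an installed root makes the OS trust the proxy’s forged certificate, but the forged leaf carries the proxy’s key, not the real server’s. The Python below is an added example, not code from the article or from Meta; it hand-encodes two constructed, unsigned certificate skeletons (a genuine leaf and an interception proxy’s leaf for the same hostname) and shows the SPKI pin check accepting one and rejecting the other.

```python
import hashlib

# Minimal DER helpers written for this example (not a full ASN.1 library).
def der_len(n):  # short form below 128, else 0x80|N followed by N big-endian bytes
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):  # encode one tag-length-value
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):  # decode one TLV -> (tag, value, next_pos)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(body):  # the elements of a SEQUENCE body, in order
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def spki_pin(cert_der):
    """SHA-256 over the DER SubjectPublicKeyInfo, the usual public-key pin format."""
    _, cert_body, _ = read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE
    _, tbs_body, _ = read_tlv(cert_body, 0)  # tbsCertificate ::= SEQUENCE
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:  # v3 certificates start with an EXPLICIT [0] version
        fields = fields[1:]
    tag, body = fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI
    return hashlib.sha256(tlv(tag, body)).hexdigest()

def pin_matches(cert_der, expected_pins):
    """A proxy's forged leaf is OS-trusted only via its installed root; its key is never pinned."""
    return spki_pin(cert_der) in expected_pins

# Constructed test data: unsigned X.509 v3 skeletons with enough structure to parse.
def fake_cert(issuer_cn, subject_cn, key_bits):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    rsa_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" + key_bits))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\xAA" * 4))

GENUINE = fake_cert("Public CA", "api.example.com", b"\x11" * 8)
INTERCEPTED = fake_cert("Installed interception root", "api.example.com", b"\x22" * 8)
PINS = {spki_pin(GENUINE)}  # the pin the app would ship with
```

`pin_matches(GENUINE, PINS)` is true and `pin_matches(INTERCEPTED, PINS)` is false, even though a device with the extra root installed would accept both chains.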

This practice is likely in violation of wiretapping laws and “potentially criminal.” Facebook’s secret program likely violated the Wiretap Act, which prohibits intentionally intercepting electronic communications where no exception applies, as well as the use of any communications so intercepted.


Facebook was able to view data the users believed was private and securely encrypted. Internal emails show Facebook was aware of the unethical nature of this activity.

How Facebook Used the Stolen Data

[Image: How Facebook “Suggested Friends” works]

Competition in business is always stiff, and brands and companies spend billions attempting to outdo one another. But corporate espionage – or just plain old spying – isn’t something you tend to hear about all too often.

Beyond illegally tracking and surveilling millions of people, Meta had another goal: it wanted to use the data to analyse the areas where it was losing out to competitors like Snapchat (hence the project’s internal name, Project Ghostbuster).

The intercepted data was used for purposes like cloning Snapchat’s popular Stories feature in Instagram.

Facebook also spied on the anonymous teen app tbh to gain insider knowledge prior to acquiring it in 2018 before it could become a competitive threat. The company even discussed having third-party research firms redistribute Onavo to conceal Facebook’s involvement.

The Outcome?


While Facebook paid a relatively small fine ($20 million) to settle the lawsuit, critics argue the lack of criminal charges fails to hold the company accountable or deter future abuses.

Facebook’s willingness to resort to illegal surveillance, premeditated and even given a codename, isn’t just scary; it is something everybody should keep firmly in mind when using Meta-owned products.

Here’s what one ex-employee said about Facebook’s approach to its users’ data in the wake of the Cambridge Analytica scandal:

Parakilas said he “always assumed there was something of a black market” for Facebook data that had been passed to external developers. However, he said that when he told other executives the company should proactively “audit developers directly and see what’s going on with the data” he was discouraged from the approach.

He said one Facebook executive advised him against looking too deeply at how the data was being used, warning him: “Do you really want to see what you’ll find?” Parakilas said he interpreted the comment to mean that “Facebook was in a stronger legal position if it didn’t know about the abuse that was happening”.

The Guardian

What can users do to protect themselves from things like this? It’s becoming increasingly hard to secure your data online. A good start would be simply not to use Meta products: delete the apps from your phone and close your accounts.

Big Tech is everywhere. It is ingrained in our lives and follows us wherever we go. You can swap Gmail for a more privacy-focused email service like Proton Mail, switch your browser from Chrome to Brave, and use DuckDuckGo for search. But if you’re still using Meta products, your data is always going to be Meta’s, not yours. That’s part of the deal you sign up for when you use its “free” products.

Richard Goodwin

Richard Goodwin is a leading UK technology journalist with a focus on consumer tech trends and data security. Renowned for his insightful analysis, Richard has contributed to Sky News, BBC Radio 4, BBC Radio 2, and CNBC, making complex tech issues accessible to a broad audience.
