Facebook has yanked its vampiric Onavo Protect service—which purports to be a privacy-enhancing Virtual Private Network (VPN) but is by all indications data-harvesting Facebook spyware—from Apple’s App Store. The Wall Street Journal reports that a source said Facebook was compelled to remove the app after Apple “ruled that the service violated its data-collection policies.”
VPNs work by encrypting users’ traffic and re-directing it through a private server to avoid third-party scrutiny, such as by an internet service provider. Good VPNs are run by companies that don’t spy on the traffic routed through those servers. But while Facebook bills Onavo as a way to “keep you and your data safe,” the app actually collects large amounts of data for the social media network’s own purposes. It is more or less spyware, and tens of millions of people have downloaded it.
Earlier this year, Apple updated its privacy guidelines to prohibit apps that collect data about “which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing”—something that seemed like a direct response to services like Onavo. Per the Journal’s report, that ended up being exactly the case:
Earlier this month, Apple officials informed Facebook that the app violated new rules outlined in June designed to limit data collection by app developers, the person familiar with the situation said. Apple informed Facebook that Onavo also violated a part of its developer agreement that prevents apps from using data in ways that go beyond what is directly relevant to the app or to provide advertising, the person added.
The two sides discussed the issue in meetings last week, at least one of which took place at Apple’s headquarters. On Thursday, Apple officials suggested that Facebook voluntarily take down the Onavo app and Facebook agreed, said the person, who described the discussions as cordial.
Removing Onavo from the App Store won’t automatically delete it from phones that have already installed it, but Facebook can no longer update it, the Journal added. The source told the paper Facebook has no plans to yank the app from Google’s Play Store.
Apple told the Journal in a statement that the decision was part of overall efforts to “protect user privacy and data throughout the Apple ecosystem,” though a Facebook spokesperson insisted Onavo was up front about what data was being collected and the decision was purely about respecting Apple’s rules. However, as CNBC noted, in the past Facebook has been coy about letting users know that they own the Israeli-based service. Other reports have indicated the app continues to collect data on users even when VPN functionality is turned off.
Facebook has insisted it does not harvest data through Onavo for advertising purposes or tie it to individual users’ social media accounts. But it did tell members of Congress in June that it uses Onavo data for internal analytics on what apps are popular and how people are using them—a tactic that lent data to its decision to buy encrypted chat service WhatsApp in 2015 for $22 billion.
This is the latest in a series of major user privacy worries for Facebook, which have included everything from the Cambridge Analytica scandal to data-sharing arrangements with device manufacturers. Yet the company has been under pressure to find new sources of revenue as user growth has capped out, which means harvesting even more user data. In recent months, Facebook has been reported to be preparing a creepy in-network dating service and seeking ways to get users to volunteer sensitive banking and credit card data.