It is a number of years since Facebook acquired mobile data compression firm Onavo, but in recent weeks concern mounted about how the social network's Onavo VPN tool collects user data.
The collection of user data while an app or service is being used is one thing, but a security researcher noticed that Onavo seemed to gather certain snippets of user data even when switched off.
Infosec researcher Will Strafach penned a blog post explaining his exploration into the tool's code. He discovered that information is collected and sent back to Facebook even when the Onavo VPN feature is not actively being used. He identifies a number of pieces of information that are collated, including location, usage data, and more, into a log file.
He goes on to say:
Onavo Protect will flush collected analytics information to log files from memory if there are greater than 49 "events" waiting in RAM or if it has been more than 2 minutes since the last flush.
The log files are then prepared for upload in a network request to Facebook. Analytics data is sent in a POST request to https://graph.facebook.com/v2.3/logging_client_events from the Packet Tunnel Provider process (The Packet Tunnel Provider process would be running at any time the VPN connection for Onavo is switched on, enabling periodic analytics data uploads to Facebook even if the Onavo Protect app is not open).
Strafach points out that analyzing the uploaded data is tricky, but asks a number of questions about why Facebook appears to be collecting the data it is:
How does Facebook use the "screen is on" and "screen is off" tracking data obtained by Onavo Protect?
How does Facebook use the "total Wi-Fi data usage" and "total cellular data usage" counts collected every day by Onavo Protect?
Does Facebook use the Device ID that Onavo Protect sends to graph.facebook.com in any way to associate the user’s Onavo Protect network traffic / browsing habits with their Facebook account?