Facebook often gets flack from the public about its almost insatiable appetite for user information. Whether it’s a Messenger app for kids, or serving up creepily relevant ads, the company has earned a reputation that should make everyone question their motivations when it comes to handling data. It’s in their financial interest to overreach to a certain extant.
With all that said, I have to defend Facebook against the most recent public outcry (yes my skin crawled as I wrote that). On their iOS app, the company recently added a “Protect” option in the hamburger menu. This takes the user to an App Store listing for Onavo Protect, a VPN service acquired by Facebook back in 2013. The issue is that this service collects “your use of websites, apps, and data.” People are decrying this as a bait and switch by Facebook, allowing them unprecedented access to all your mobile information for their benefit. It’s “spyware on iPhone”.
But are we really that upset or surprised by this? First off, the fact that this is now baked into the iOS app is completely overblown, at least at this point. The “Protect” option is buried in a menu that’s never really used. For me it was wedged between “Find Wi-Fi” and “City Guides”, features I just discovered Facebook offered when looking for Protect. It would be one thing if Facebook popped up an option to use Protect whenever you were on unencrypted Wi-Fi. But right now this is clearly something you have to seek out.
While I may disagree with Facebook’s motivation for offering the service, they are at least doing it with a degree of responsibility. It’s not only an opt-in feature, but it requires the installation of a completely new app. If Facebook really wanted to exploit this maliciously, they’d roll it in natively to the app and just sneak it into the update notes. Instead, you’re taken completely out of their app, into the App Store for Onavo Protect. On top of that, in the plain English description of the app, it tells you what you’re going to be sending to Facebook. Again, if the company wanted to obfuscate this, they could have hidden it in the “device permissions” or something else that the general public doesn’t read. I mean, Facebook could make the app flash bright red when you press “Protect” and audibly scream “we’re taking all your data”. I supposed that would be more responsible disclosure. But I can’t complain that Facebook makes this an opt-in.
Finally, I think most of the coverage around this ignores one very important point. Most people aren’t going to pay for a VPN. They should, but they won’t. Most people are also going to use unprotected or poorly secured Wi-Fi on a semi-regular basis. They shouldn’t, but they will. For everyone decrying Facebook’s motives here, are they seriously making the argument that an unsecured internet connection is preferable to using a VPN? In a vacuum, having no one snoop on my traffic is better than giving Facebook access to my data. But on scale of trustability, I do trust Facebook more than someone doing a MITM attack at my local coffee shop. Facebook’s VPN is self-interested, but not actively malicious. In fact, the criticism of Facebook’s VPN should equally be leveled at any free VPN. These services are all problematic for privacy, not just Facebook’s iteration.
To be clear, I think it’s a far better idea to simply pay for a VPN service (or even better use your own), than to use Facebook or any other free service. Of course Facebook is using Onavo Protect to eat as much information as possible. As the old maxim goes, if you’re not paying for something, you are the product. Should you keep Onavo on your phone all the time? No, definitely not. Could you install and use it in a pinch when on some sketchy Wi-Fi? I don’t think that’s the end of the world. I would uninstall it when you’re done, but a VPN to Facebook is still more trustworthy than an open network.