I know exactly how this software works because I have analyzed it deeply. Every packet that goes through the Onavo VPN is analyzed. Using APIs available to a normal sandboxed app, the source port is mapped to the process ID, then mapped to the package identifier, and then Facebook knows how much data is being used by which apps. Until SSL was mandatory for apps, they could also analyze the data itself, but that was stopped a couple of years ago on iOS.
Once Facebook has all the packets, they can do various analyses and machine learning to even learn which features are most popular within a competitor's app. It is quite sophisticated.
> Using APIs available to a normal sandboxed app, the source port is mapped to the process ID, then mapped to the package identifier, and then Facebook knows how much data is being used by which apps.
This is just not true at all. Where are you getting this information?
They do not do any sort of analysis on the device side, as that is not possible. They connect your device to a VPN server (all analysis is conducted there). The APIs you describe cannot be accessed from within the App Store sandbox; I believe that became no longer possible as of iOS 8.
Here are technical details on the local functions of the app:
The app you link shows very general services; it's a 'VPN' client, so it gets all network traffic. It isn't hard to show you're using Facebook or Twitter, but there is a firm limit on granularity.
Apps don’t even get a list of all apps you have installed, much less information on how much data another app is using. The system collects that data though, you can see it in the settings app.
Eh, I dunno. My Data Manager [1] (owned by Mobidia / App Annie) is still going strong. It, along with other VPN-based apps, is a major source of user-level app usage and engagement data being sold to large corporations and investors. In-app analytics libraries are another source (which are heavily fragmented, since they can only track apps they're packaged with), but it's going to be a lot more difficult for Apple to regulate those.
Until Apple starts banning all of these types of apps and libraries (which their recently updated policies indicate they just might [2]), I view this as more of a strategic play against Facebook as opposed to in the best interest of users.
FYI, it was a smaller company doing this in the first place. Facebook didn't change what the app was fundamentally doing after they acquired the company.
For the data. It was like their own private App Annie, only available to themselves, with different strengths and weaknesses compared to App Annie data. And pretty much the same individual privacy implications as App Annie.
"Malware: software that is intended to damage or disable computers and computer systems."
It's hardly malware. Users should have the right to trade access to their data for free data compression, whether you personally think that's a good idea or not.
Even if it is clear in the app description that it is collecting data from users, I don't believe that the extent or consequences of such data collection would be considered or understood by the majority of its users.
It's a spyware product, wrapped up as a VPN, relying upon lack of attention from users to succeed.
> Users should have the right to trade access to their data for free data compression, whether you personally think that's a good idea or not.
This is utter nonsense. How many users are making an informed decision here? How many understand what their data may be used for or how it may affect their insurance, employment, or housing prospects in the future?
There's a reason some contracts are not legal/enforceable (slavery for example).
Merriam-Webster says "software designed to interfere with a computer's normal functioning". Wiktionary: "Software which has been designed to operate in a malicious, undesirable manner". Etymologically, it means software that is malevolent.
This app collects data in a malevolent/undesirable way. It clearly tries to interfere with the personal data of the user and hence with the intended functioning of the computer. Hence, malware.
The first problem with this claim is that no users exercised any right to trade access to their data for free compression. This was a trojan horse. That's malware.
It sends anonymized data of every website on the internet, when you access it, and it also monitors the apps you use (probably because it intercepts their web traffic). So basically Facebook knows what you do.
In all seriousness, that's not malware though. Facebook is a big company competing directly with Google: it makes sense that they want a similar level of access to market insights as their competitor has.
Google collects a lot of data [3], including app and website usage [2] too. They have full access to all the analytics a phone OS can provide, after all.
I'm not saying this is ok, but if we claim this is malware then Android is malware too. I'd rather reserve the malware label for software that is directly designed to harm.
PS: Apple collects app usage too [1], but IMO they're at least more clear about it.
I agree with this sentiment. This is no more harmful than a web mail client that collects personal information for targeted ads, or a mobile operating system by an ads company. The best thing Google has is their marketing department.
If I've mistaken your question for pedantry, please forgive me.
You can narrowly define malware by a quick dictionary definition[1]:
> software that is intended to damage or disable computers and computer systems.
However, malware also has a much looser definition[2] if we don't restrict ourselves to a one sentence Google result:
> Programs officially supplied by companies can be considered malware if they secretly act against the interests of the computer user. For example, Sony sold the Sony rootkit, which contained a Trojan horse embedded into CDs that silently installed and concealed itself on purchasers' computers with the intention of preventing illicit copying. It also reported on users' listening habits, and unintentionally created vulnerabilities that were then exploited by unrelated malware.
It's shocking how far the Overton window on privacy has shifted in just 10 years. Bonzi Buddy and its ilk were generally considered malware and frequently chided on the internet at the time.
Now people defend almost the same practices (in a nicer package) on Hacker News.
Shocking, right? That the world is always changing. I personally welcome this change. This one is different from the pop-up ads of the past, which actually annoyed me.
I understand people say things like this because they're the edgy, hot take - but the Onavo VPN software is absolutely not malware. It's a performant, free VPN that people use in exchange for some anonymized data. There have been no known leaks or breaches.
It's obviously in exchange for data, but I'm skeptical of how anonymised it is, given that FB has made a business of tracking everyone on the web as much as possible.
> 2.5.14 Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. This includes any use of the device camera, microphone, or other user inputs.
So did Onavo "provide a clear visual indication" whenever collecting data? Somehow I doubt that, because it would have been a constant warning.
There is a constantly visible indicator that you're using a VPN on everything but the iPhone X. It's a stretch, admittedly, but there's an argument to be made.
The data is not anonymized, they say they may share anonymized data with partners. Malware is too strong but if you read the product description and FAQ, it's deliberately deceptive. Lieware? Slimeware?
I really hope Apple pulls through with a thorough research of other free VPN apps on the App Store and cracks down on other sketchy ones too. I doubt that Onavo users will be inclined to pay for a VPN, and I suspect they instead will look for other free alternatives.
Onavo didn't have to make money because it was owned by Facebook and it was known to collect data for its parent company's market research. Much less is known about how other VPN apps remain sustainable; I wouldn't doubt some might be running on sketchy business models.
Calling this a ‘data security app’ is like calling a Snickers bar a diet meal replacement.
This app literally gives Facebook the ability to track every app you run and every website you visit, for how long, when, and what network you do it from.
It is literally the kind of data collection that people use VPNs to avoid!
> It is literally the kind of data collection that people use VPNs to avoid!
I have a feeling that a majority of VPN app users use them with the intent of preventing a specific party from collecting that data (e.g. an employer or a government).
I get why people would use a VPN to thwart censorship but I never really understood this line of reasoning. It seems that instead of giving a few minutes' browsing history to an unknown wireless provider, users are giving their entire history to an unknown VPN provider. Am I missing something?
Censorship and privacy concerns have ironically created a market for malware-laden and snooping VPNs to prey on unsuspecting users. The cure is worse than the disease.
This isn't what I'd call "the cure", though. This is the "privacy" equivalent of those bullshit cancer "cures" that prey on poorly informed or desperate people.
On the one hand, there's a clear value proposition here: instead of paying a few bucks a month for a VPN, you can instead pay by giving a giant megacompany your private data.
The problem is we as a culture don't have a good consent model for educating people about what this actually means. In a world where everyone who used Onavo knew exactly what data Facebook was getting from them, and what that meant, what number of users would willingly use it?
Calling it "malware" or "spyware" doesn't feel accurate, since they're not outright lying about what the value prop is, but they're still being deceitful by omission and are preying on people's ignorance.
A lot of the bundled type of spyware I've seen relies on users clicking "I Agree" on an EULA. The problem is nobody reads the EULA, they just want whatever software it's attached to as quickly as possible.
I suppose my point being that just because users "agreed" to something doesn't necessarily mean they knew what they were agreeing to at the time.
"What happened? You've requested a page on a website (archive.is) that is on the Cloudflare network. Cloudflare is currently unable to resolve your requested domain (archive.is)."
I just googled and found plenty of threads stretching back months. It seems to have to do with Archive.is returning wrong IP addresses to Cloudflare's DNS queries. They are apparently telling folks to use Google DNS but the configuration of which IP address to return is entirely in their hands. I'm still quite confused by the situation, to be honest.
My ISP / telecom provider (in my case they're the same company) is a legitimate corporation registered in my home country, against whom I can seek legal recourse if my data is misused. That's more than I can say about most VPN providers.
Why are there a million VPN apps and protocols with pointless variations? Why isn’t the VPN software included in my operating system enough? e.g. Settings/General/VPN on iOS. macOS and Windows have something similar.
EDIT: This was an honest question. If anyone has any insights to share, I would really appreciate it. Over the years, I have dealt with some truly questionable third-party VPN software from the usual big name networking equipment vendors and plenty of other so called “security” vendors.
Because VPN is a service, not a piece of software.
You're paying third parties for the service, and those third parties use the money to maintain the infrastructure powerful enough for each user to have high speed VPN service (nobody's gonna use a VPN that throttles the speed by 90%) across different geographical regions.
If Microsoft and Apple wanted to offer a VPN as a first-party service out of the box, they would be forced to maintain a pretty complex infrastructure across multiple regions and somehow be able to support way more traffic than any third party VPN provider (because of their name). So, where's the money for the infrastructure going to come from?
In Facebook's case, from mining the data. I would argue that Apple isn't stupid enough to attempt something like that, and as for Google, they already do have a first-party VPN integrated into Android[0].
I would argue that the reason that third-party VPNs are shady is because they need a large infrastructure in place before they can offer the service. Once they do have the infrastructure in place, they're not making profit, but covering their losses, while at the same time being forced to scale even further.
You are confusing service with software. All major operating systems have built-in VPN support. Check the network settings on your phone or computer. There will be a section for VPN settings.
I suggest you read up on how VPNs actually work. You're just tunnelling traffic through someone else's connection. A VPN app included in your OS would relay all of your internet traffic through whoever wrote the OS (unless they partnered up with another provider, I guess).
I'll give Apple the benefit of the doubt but I'm not sure I'd be keen on this kind of setup in the case of Google or Microsoft. Then again, they have access to all of your browsing data anyway via the OS so what's to lose?
Why would OS built in support go through the OS vendor's servers? It's exactly like every other network service built into the OS. Android and Windows at least both have built in VPN support and you just type in the server details of whoever your VPN provider is.
"Onavo, which began as an Israeli analytics startup focused on helping users monitor their data usage, was acquired by Facebook in 2013. Its VPN provider then became a data collection tool for Facebook to monitor smartphone users’ behavior outside its core apps, helping inform Facebook’s live video strategy, competition from other social apps, and its decision to acquire companies including WhatsApp."
Geez, man. That is evil. Especially since most users don't know the difference between "security" and "privacy", and probably assume that it would have the exact opposite effect.
"As part of providing these features, Onavo may collect your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we're part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences."
Running a VPN isn't particularly cheap. I'd assume that any free VPN is one of:
1. criminals collecting and monetizing your information
2. state actors collecting and ?????????? your information
3. companies collecting and monetizing your information
4. too small to need to do one of (1)-(3)
There ought to be civil and criminal penalties for stuff like this. I mean, this is basically malware.
Edit: Just how is this distinguishable from the Sony or HBGary hacks? Not as much data was taken, it's true. But there were far more victims. And I doubt that there was adequate disclosure.
Edit: OK, spyware. And people have been prosecuted over spyware.
The next step is to ban third party frameworks in apps for "analytics" or serving ads. That should be something intermediated and provided by Apple itself.
I would love that! Finally I could reject the marketing department’s requests to integrate “tracking framework n+1” without my manager threatening to fire me.
Apple won't even warn you which apps are adware, which Google Play has transparently done for years, so there is room for improvement by everyone involved. Previous submission (which got zero interest): https://news.ycombinator.com/item?id=17489987
This might be kind of ironic (you'll see what I mean) but to get to full wsj.com articles just put the word "full" before wsj, keeping the rest of the URL the same.