Facebook’s VPN Scandal: The Acquisition of Onavo Spied on Millions

In 2013, Facebook quietly acquired Onavo, an Israeli tech company specializing in mobile analytics. At the center of that acquisition was Onavo Protect, a virtual private network (VPN) app marketed as a way for users to browse safely and manage data usage. What most users didn’t realize was that Onavo Protect was collecting detailed information about their mobile habits and sending it directly to Facebook.

Over the years, more than 33 million users downloaded the app. Behind the scenes, it served as a window into how people used their phones—tracking which apps were being opened, how long they were used, and how much data they consumed. Facebook reportedly used this data to monitor market threats, including identifying the growing popularity of WhatsApp and Snapchat.

That intelligence shaped some major business moves. It helped justify Facebook’s $19 billion purchase of WhatsApp in 2014. Similarly, insights gathered from Onavo reportedly informed the rollout of Instagram Stories, which mimicked core features of Snapchat after it was flagged as a rising competitor.

Apple stepped in by 2018, concluding that Onavo Protect violated its App Store rules. The app was removed for collecting user data beyond what was necessary for its function. That takedown sparked wider scrutiny of Facebook’s use of surveillance tools disguised as consumer products. Soon after, Onavo Protect disappeared from the Google Play Store as well.

Still seeking user intelligence, Facebook launched a similar initiative under the name Facebook Research. This time, participants were paid—some as young as 13—to install an app that gave the company root-level access to virtually all data on their devices. Once this practice became public, Apple revoked Facebook’s enterprise developer certificates, causing internal apps at the company to stop functioning temporarily.

These incidents weren’t isolated. Facebook has faced repeated criticism and regulatory action over its handling of user data. In 2018, the Cambridge Analytica scandal revealed how a quiz app harvested personal information from millions of users without proper consent. That led to a record-setting $5 billion fine by the Federal Trade Commission in 2019.

Earlier, the company rolled out Beacon, an advertising tool that automatically shared users’ online purchases with their Facebook friends. That program ended after public backlash. Additional reports revealed that the platform continued to track users’ locations even after they had opted out through settings—relying on IP addresses and other signals.

This recurring pattern—collect first, apologize later—has drawn intense criticism. Facebook’s founder and CEO, Mark Zuckerberg, has testified before lawmakers multiple times, acknowledging mistakes and pledging reform. But critics say the business model remains largely unchanged: gather data aggressively, use it for strategic advantage, and deal with the consequences only when public or legal pressure forces action.

The Onavo saga also raised broader concerns about how some VPNs are being used as data collection tools. While VPNs are typically seen as privacy shields, Onavo Protect functioned in reverse, creating a pipeline of information feeding directly to a corporate parent. This wasn’t the first time an Israeli tech product in the privacy space drew attention for surveillance-related practices, and it likely won’t be the last.

Today, Onavo is gone, but its legacy remains. The data gathered during its operation was never publicly deleted, and many of the strategic advantages it offered—through covert competitive analysis—have already been leveraged. Facebook, now operating under the name Meta, continues to face investigations and legal challenges around the world related to privacy, antitrust, and misinformation.

The Onavo case serves as a reminder of how easy it is for corporations to overstep when the lines between innovation, surveillance, and exploitation are blurred. The company didn’t just cross those lines—it helped redraw them.