[irpapakons]

It's ethically dubious that the advertised function of the app is a VPN to "keep you and your data safe", while the reason it exists is so that all phone traffic goes to Facebook.

This is not clear from the app description -- there is only a generic message about monitored app use, to which users are so used as to not pay any attention.

> "The app's privacy policy says it may share information with "affiliates" that include its owner, Facebook. "As part of this process, Onavo receives and analyzes information about your mobile data and app use"

> A Facebook spokesman said it is clear when people download Onavo what information it collects and how it is used. "Websites and apps have used market-research services for years," the spokesman said, noting that the company also uses outside services to help it understand the market and improve services.

Then Facebook can attack the competition by seeing in real time how usage of competitive apps varies in response to new features and inform acquisition decisions.

> Onavo's data paved the way for the purchase of WhatsApp for $22 billion. Onavo showed the messaging app was installed on 99% of all Android phones in Spain -- showing WhatsApp was changing how an entire country communicated, the people said.

[teej]

I once sat in on a pitch from an antivirus software company who was selling the ability to look at the full browsing history of people who had visited your website. You could see all of their searches, if they visited competitors, and more. Most of the time I get annoyed of the FUD of "they're selling my data!" but this was different. It was true and it was scary.

[afandian]

Why not name them?

[brudgers]

If I had to guess, it's all of them. By "them" I mean all the anti-virus packages that are targeted at consumers and small business. That seems to have been part of the business model starting over a decade ago. My guess is that the negative effects of anti-virus is what prompted Microsoft to first build free products and then eventually roll anti-virus into Windows.

I'd put it this way. My first inkling that something was wrong was when Norton Anti-Virus shifted to a subscription model and charged me full retail for a renewal back around 2006. What does disabling virus updates for ordinary users with the explicit intent of leaving them vulnerable says about a company's attitude in regard to long term trust?

I left Norton for Kaspersky and paid it protection money for a few years. It seemed refreshing at first. One day, a few years later, I learned how to look at my LAN traffic and saw how often I was sending data to its servers. It was more often than seemed reasonable. That's about the time Microsoft started providing its own free anti-virus and I started switching machines...the Windows XP Professional x64 box stayed on Kaspersky despite my misgivings until I upgraded it to Windows 7 because Microsoft did not port its anti-virus to that platform.

Spyware is often the basis for free software. Adobe Reader and Google Chrome and the Ask toolbar that shipped with Java are pretty obvious examples.

[flipp3r]

If I could take a guess I'd say its likely to be Avast, which has multiple browser extensions that send all your browsing activity to them, while simultaneously offering a service to remove other browser extensions.

They'll even set their own search engine as your default homepage.

[devrandomguy]

That would identify the GP to within a small group (the meeting). They probably worked under an NDA.

It would be great if an unrelated leak were to happen, though.

[teej]

I'm not anonymous. You can identify me by going to my profile if you'd like.

To be completely honest, I don't remember. It was 2 years ago and I sit on lots of these pitches. I remember pushing back on them about the methodology, hearing how the sausage was made, and noping right out.

I want my team to be able to spend marketing dollars efficiently but I would never compromise my ethics to do so. Luckily I work somewhere that I can give a justified 'no' and keep my job.

[javajosh]

> Luckily I work somewhere that I can give a justified 'no' and keep my job.

That is lucky! Where do you work?

[softawre]

> You can identify me by going to my profile if you'd like.

[OJFord]

> > [I'm not anonymous. You can identify me by going to my profile if you'd like. ...] Luckily I work somewhere that I can give a justified 'no' and keep my job.

> That is lucky! Where do you work?

[yuhong]

I wonder if it was AVG.

[gaius]

Google can do this for anyone using 8.8.8.8 for DNS. You don't think they run it out of pure altruism do you?

[simonw]

Running a DNS service doesn't give you the ability to see which pages someone visited when they navigated a website - just that they resolved that website's host name for some reason.

[gaius]

Many individual things Google does aren't too bad by themselves; the problem is that they are all integrated.

[smokeyj]

Google isn't misrepresenting what a DNS service does. Zuck is kind of a slimy weasel.

[gaius]

I don't think most users fully appreciate that it exists purely to log your activity on sites that Google doesn't directly track through ads

[ballenf]

True this. I think it was on Ars Technica that I was downvoted to oblivion for raising the privacy implications of Google's DNS service.

There is a huge segment of the semi-tech literate crowd that feel wise for using it. I think it's because it's the only time they get to type in an IP address and it makes them feel l33t.

[cookiecaper]

To be fair, Google DNS is more trustworthy than ISP DNS, and if you're using Chrome, you're not exposing anything that Google isn't reading anyway. DNS requests are much less informative than full browsing history.

It is probably better to use OpenDNS, but they used to do the same spammy redirect on NXDOMAINs that ISPs do (I think I heard they stopped that). To be honest, the real reason I don't use them much anymore is that their IPs are harder to remember. It's easier to do 8.8.8.8 or 8.8.4.4.

[fenwick67]

The internet isn't just the web. Setting your DNS to Google's will also tell them what other applications you use and what you connect them to.

[gfodor]

This reminds me of people who would re-sell search query data via aggregation of google referrals across a network (usually ad based.) In general, if there's a way to get that kind of data (search data is gold due to the ability to mine it for adwords niches), you can presume there are people out there who are going to skirt right up to the line of acceptable ethical behavior to try to aggregate it to sell it.

[tim333]

Yeah antivirus is kind of scary. I guess they could access all your files too if they wanted.

[thinkMOAR]

"ethically dubious", i consider it criminal; though they probably got some (lawyer written) fine print to say it is not so.

[jondubois]

Yes, it sounds like malware. Had any other company done this, it would have caused outrage but for some reason Facebook just seems to get away with everything.

I remember how big a deal the News International phone hacking scandal was; this actually seems much worse.

[willstrafach]

Companies which track app download and engagement metrics also do this via VPN apps. That is how they are able to obtain such data. Not new, but also not discussed much.

[daenney]

I would be interested to hear from people with knowledge of EU and US law how shady this is in their respective jurisdictions.

I'm having a hard time imagining what they did is OK, but I'm probably wrong.

[WhiteSource1]

If you can identify personal data (which if they can tie it to the user's Facebook account, that's pretty easy to do) it's likely (note: not a lawyer) a violation of the EU GDPR regulations (http://www.eugdpr.org/)

[daenney]

Unfortunately GDPR enforcement is about 9 months away. I don't think it applies retroactively.

[hammock]

>seeing in real time how usage of competitive apps varies in response to new features and inform acquisition decisions.

They could also ping you with a fb notification as soon as they see you reach for Snapchat, to get you back on their platform

[killedbydeath]

For crypto/security people on this thread, what encryption could app developers use to wrap their API call so that the least amount of information is leaked to this kind of man-in-the-middle services? I.e, is it possible to: 1) hide which apps are installed on iOS/Android; 2) hide or obfuscate how frequently the app is used; 3) hide specific API calls

I assume at least #3 should be achievable with additional encryption.

[conanbatt]

This really should be anti-trust, this is not a responsible or accountable way to use this information.

Shady af.