[theptip]

The claim in the OP is that they might have been MiTM’ing arbitrary users, I believe the previously reported claims were that they only MiTM’d paid research participants. (Please share some links if you have evidence to the contrary, I’d love to get to the bottom of this.)

[oefrha]

Onavo isn’t paid, it’s just a “free” VPN app. There’s no paid participation, you just download it.

https://www.bitdefender.com/blog/hotforsecurity/facebook-pul...

https://www.wsj.com/articles/facebook-to-remove-data-securit...

Edit: Typo.

[valicord]

That doesn't mean that the MITM traffic interception would be enabled for regular users that have downloaded the app from the store. As stated both in the article and in the comments here, both "free" VPN and "paid market research" VPN used the same codebase. Is there any evidence (other than "facebook bad") that the MITM part was enabled for anyone other than consenting/getting paid participants?