.png){kind=logo}
In a smart move disguised as a privacy service, Facebook once transformed a trusted VPN into a powerful surveillance engine. The tech giant acquired Israeli startup Onavo in 2013 for $120 million, positioning the app as a data-saving and privacy-focused tool. But behind the clean marketing, the true goal was user surveillance at a scale only a few imagined.
By installing Onavo, millions unknowingly granted Facebook full access to their digital activity. App usage, browsing habits, and precise timestamps were silently collected. Facebook VPN didn’t just observe its own users - it tracked behavior across rival platforms like YouTube, Amazon, and Snapchat.
The focus sharpened on Snapchat. Its growing popularity in 2016 raised red flags at Facebook, but Snapchat’s encrypted traffic kept prying eyes out. That led to the launch of a secret operation inside Facebook called Project Ghostbusters.
Engineers exploited Onavo’s infrastructure to install a root certificate on phones, masking Snapchat’s servers to decrypt user activity. This allowed Facebook to closely monitor Snapchat’s engagement trends without user awareness.
When an acquisition attempt failed, Facebook switched gears. Instead of owning Snapchat, it mimicked its most successful feature. Instagram Stories, released shortly after, was a clear clone. This was not a one-time strategy but a model - track competition, learn fast, and launch before rivals gained ground.
Apple later cracked down. In 2018, the App Store removed Onavo for breaching privacy rules. Yet Facebook rebranded its efforts through a new program named Facebook Research, internally known as Project Atlas. Users, some as young as 13, were paid for access to the same deep-level tracking. This sparked outrage, and Apple responded by revoking Facebook’s enterprise certificates, causing internal apps to go dark.
Regulators eventually stepped in. In 2020, the Australian Competition and Consumer Commission (ACCC) filed a case over deceptive practices. In 2023, Meta subsidiaries faced AUD 20 million in fines. Despite this, the story of Facebook VPN highlights how far a tech company can go to maintain control through hidden data channels.
The legacy of Onavo is a reminder. A VPN meant for privacy can become a tool for surveillance when placed in the wrong hands. The Facebook VPN story shows that surveillance wasn’t a byproduct - it was the strategy.
Also Read – Meta Faces Lawsuit Over Alleged Hiring Bias Toward Foreign Workers
