Not even a scandal will stop Facebook from harvesting your data

Facebook may be under fire for the data it gives to third-party groups, but that hasn’t stopped it from finding new and more sinister ways of collecting your data.

Editor’s note: This post was originally published on March 20, 2018. Onavo has since been shut down. 

News of Facebook’s role in Cambridge Analytica’s collection of millions of user profiles leading up to the 2016 US general elections paints a worrisome picture of how information can be used to target individuals.

Amid the outrage, Facebook’s data collection efforts have been brought into the spotlight once again, and as the cynical reader might expect, it turns out they’ve found even more ways to extract data from you.

Facebook’s ever-encroaching data collection

The amount of data which Facebook collects is already worrying enough—from every interaction you’ve had on the network to every photo you’ve ever uploaded (and even deleted). But their methods have recently taken a more disquieting turn, using the facade of security and privacy to push apps and features that undermine the very things they are built to protect.

In an almost anticipatory move to the recent outcry, Facebook published its first Privacy Principles in January. The principles outline the control that users have over their information and Facebook have since started pushing out features and apps to promote this idea, like more secure photo tagging and even its own VPN.

These efforts to convince people that Facebook protects their users’ privacy and security have flopped spectacularly, but that hasn’t stopped Facebook from sticking with most of them.

In this blog, ExpressVPN breaks down three new apps and features that Facebook say will keep your data secure and private but, in fact, collect even more information about you.

1. Facebook-owned Onavo apps collect your data even when you’re not using Facebook

Facebook acquired Onavo in 2013 for its software, which optimizes mobile data consumption and provides analytics services for mobile apps. Both of its apps claim to secure your phone but do no such thing. Instead, the apps send all the data that goes through them to Facebook.

Onavo Protect – VPN Security

In February, Facebook users saw a new menu item on their apps called “Protect,” which when pressed would redirect you to an app: Onavo Protect – VPN Security. The app promises to “keep your data safe when you browse and share information on the web,” by securing your connection to the internet.

When you use Onavo Protect, the data that goes through it—like your Wi-Fi and mobile data usage, your app usage, and even when your screen is on or off—is tracked, logged, and sent back to Onavo, and by extension, Facebook.

Their Privacy Policy states:

“We may use the information we receive to provide, analyze, improve, and develop new and innovative services for users, Affiliates and third parties.”

And that:

“We may share personally identifying information with third parties and “Affiliates” (businesses that are or become legally part of the same group of companies that Onavo is part of, including but not limited to Facebook, Inc.).”

In short, when you use Onavo Protect, all your online activity is recorded and collected by and for Facebook, even if you don’t use Facebook.

Bolt App Lock

A month later, Onavo quietly released another app, Bolt App Lock, which allows you to add security measures like PIN codes and fingerprint recognition to your apps.

By downloading and using this app (which claims to boost your security), you inadvertently send your user data and network information to Facebook.

Just like with Protect, Bolt will send this information to Facebook, which can use it to figure out, for instance, what’s taking your attention away from Facebook and its products, Instagram and WhatsApp.

Bolt’s Privacy Policy is very clear about who it collects and analyzes your information for:

A screencap of Bolt App Lock’s Privacy Policy before they removed it from the App Store. Source: TechCrunch

The App Store removed Bolt App Lock just days after its release due to outrage over Onavo’s attempts to obtain even more information from mobile phone users for Facebook. A Facebook spokesperson reportedly told TechCrunch that the app’s release was a “small, brief test.”

The fact remains—Onavo’s apps will record your activity and send it to Facebook to do who knows what with.

2. Facebook facial recognition system may have added you without your knowledge

In early March, Facebook users were met with an alert in their News Feed introducing them to its improved Facial Recognition software, which would identify them in all photos.

The software also claims to protect your photos from being used by strangers (think catfishing) and help people with visual impairments know who’s in your pics. Facebook sent two variants of the message: one stated you could opt in, the other said you were already in and had to opt out if you wanted.

This software isn’t new: it was first implemented in 2013, when Facebook started suggesting tags in as-yet-untagged photos posted by you or your friends.

Underneath the new facade of more secure and considerate photo tagging is Facebook’s deeply concerning biometric capabilities, as Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown University, explained to Slate:

“Facebook would scan photos posted by close friends to see if they included you. Now they’re scanning every single photo posted to Facebook to find you. What that shows is that the system has become even more sophisticated.”

There are clearly concerns as to what Facebook plans to do with all of this biometric data. Its facial recognition software can recognize human faces with 98% accuracy, and identify a person from 800 million others within 5 seconds.

Could Facebook ID you in a complete stranger’s photo? Could they sell that biometric data to companies to use, or even give that data to governments to identify you?

Thankfully, some privacy groups are fighting Facebook over these powers. The collection of biometric information is currently being fought in a class-action case in Illinois, where biometric information is protected under the Biometric Information Privacy Act. If the group wins, this could mean new restrictions on Facebook’s biometric data collection.

For now, however, if you want to opt out of Facebook’s face recognition, go to Settings on your phone > Privacy Shortcuts > More Settings > Face Recognition and then select No.

On the website, click the down arrow in the top-right corner and then go into Settings > Face Recognition > Edit and then select No.

Note that these options aren’t available in places like Canada and Europe, and appear as an option only if you’re at least 18 years old.

3. Facebook uses 2FA to send you notifications

Two-factor authentication (2FA) as a security step can be useful to secure your accounts, but Facebook has taken its 2FA a step too far by using it to spam Facebook users with notifications.

As San Francisco-based engineer Gabriel Lewis found out:

Others have also run into some rather awkward situations when replying to the 2FA texts.

And with Facebook-owned Instagram too:

In making their 2FA texts double as notifications, Facebook has twisted a security measure into an additional notification tool to coax users back to the social network. In doing so, Facebook is undermining a critical security measure, which has turned users off their 2FA measure entirely, making their Facebook accounts less secure.

While it was supposedly a bug and will be fixed, Facebook’s Chief Security Officer made a statement saying, “For years, before the ubiquity of smartphones, we supported posting to Facebook via text message, but this feature is less useful these days.”

Critics are not convinced by Facebook’s explanation, pointing to the company’s attempts to improve engagement on its site, which has dropped in recent months.

If you still want an extra step in your Facebook security but don’t want to hand over your phone number, you can use their code generator or a security key.

Want to know what Facebook has on you? Now you can!

If you don’t want to delete your Facebook just yet, you can take a look at all the data Facebook has on you by simply downloading the archive of all your interactions on Facebook.

Just follow these three steps outlined on their site, and they’ll notify you once they finish archiving all your data.

From this archive, you’ll be able to see all your interactions with Facebook from when you first signed up including:

  • All communications with friends (and unfriended friends)
  • All your photo metadata
  • Log-in and session data points
  • Hundreds of images used for facial recognition
  • Your contact list

The sheer size of the archive from Facebook on yourself is enough to make you think twice about how you interact with the social network.

The bigger picture: why we should all be worried about Facebook’s rampant data collection tactics

What is perhaps most disturbing about seeing Facebook’s tendrils grasping at all the data on our phones is the abuse of that data. Though the ramifications of the Cambridge Analytica scandal are yet to be fully known, it’s clear that with this data Facebook holds an awful lot of cards in influencing the world in ways that are troubling to both witness and experience.

Facebook may say that they take your privacy seriously, but there are currently no genuine signs that the social behemoth is interested in anything other than data collection for reasons they have yet to be fully upfront about.

While your use of Facebook may be innocent enough—from uploading pictures to staying in touch with friends—it is more apparent than ever that Facebook’s use of your data is anything but.

Ceinwen focused on digital privacy, censorship, and surveillance, and has interviewed leading figures in tech.