How Facebook Built a Monopoly by Turning a Security Tool into Spying

Facebook and surveillance tech have almost become synonymous today. One of the key moves that set this trend in motion was Facebook’s 2013 acquisition of Onavo. Onavo was an Israeli startup that began as a data compression and analytics company. They were best known for their mobile VPN, Onavo Protect. While its main selling point was reducing data usage, Onavo Protect secretly tracked almost every action on a user’s phone once it was installed. It was a surveillance tool disguised as a security app. It tracked everything from usage patterns to app sessions, installs, and traffic routes. For Facebook, this data was worth 100 times more than the Library of Alexandria.

Once the acquisition closed, Facebook’s app started promoting Onavo Protect aggressively. As a result, millions of users installed it. From then on, every byte of data went through Onavo’s servers. This allowed Facebook to see which apps people opened, how long they stayed, how often they returned, and when a new app suddenly appeared on millions of devices. Onavo became a real-time surveillance system for market trends, and for Facebook, it was the perfect tool to spy on their competitors.

Facebook used Onavo’s data to build analytics dashboards. These dashboards showed how teenagers shifted from Facebook to Snapchat and Instagram, and how WhatsApp’s engagement exploded long before anyone else noticed. This became the driving factor in Facebook’s push to acquire all of these apps and become the monopolistic giant of social media.

Inside Facebook, not everyone was comfortable. Some employees questioned the ethics of marketing an app as security while using it as surveillance. But the value was too overwhelming for anyone to listen. By 2016 and 2017, Onavo’s data was the orchestrator of Facebook’s strategy, yet outside, nobody had any idea. Apple was the first major player to take note. In 2018, after reviewing how Onavo was handling data, Apple determined the app was violating its privacy guidelines and forced Facebook to remove Onavo Protect from the App Store.

Read more on it here.

Afterwards, Facebook had no guilt, they instead tried another workaround. The company launched Facebook Research, another VPN-like app, but this time distributed outside the App Store using enterprise certificates typically reserved for internal corporate apps. They paid teens and adults gift cards to install the app, an app that had even deeper access to phone activity than Onavo Protect did. After Apple discovered this whole scheme, they revoked Facebook’s enterprise certificates entirely, which temporarily broke all apps under the company and forced them to shut the program overnight.

By early 2019, Facebook announced it would remove Onavo Protect from Google Play, calling an end to the app forever. But by this time, enough damage had been done. Later in 2020, the Australian Competition and Consumer Commission (ACCC) filed a lawsuit, which resulted in an AUD $20 million fine for misleading users, a small amount for such a massive breach. The court found that Facebook had tried to disguise surveillance tech as a security app. In the US and UK, however, Facebook got off even cheaper. While it was cited in antitrust investigations as evidence, there were no standalone fines or other punishments.

The Onavo scandal did, however, reshape the industry. Competitors now avoid analytics VPN models, fearing public backlash. Apple’s later App Tracking Transparency rules were directly influenced by cases like Onavo. This fundamentally altered the ecosystem and the whole revenue model of companies like Facebook.

In the end, Facebook walked away with little to no scars. The company used this strategy to become the giant it is today, gaining years of insight into competitors while facing no meaningful consequences. The penalties were nothing compared to the value those acquisitions alone added for the company, and all we are left with is just another lesson on how ethics are thrown out the window as soon as winning becomes the only metric.