Facebook VPN Surveillance: How Onavo Became a Tool for Spying


How Facebook Turned a VPN Into a Surveillance Engine: The Truth Behind Onavo

 

A VPN That Did the Opposite of Privacy

When most people download a VPN, they’re seeking privacy, right? But what if that very tool turned out to be the engine of Facebook VPN surveillance—silently tracking your every move under the guise of protection?

That’s exactly what happened with Onavo Protect, a Facebook-acquired VPN app that marketed itself as a privacy tool—while it silently acted as a surveillance system. This deceptive strategy powered Facebook’s internal projects like Project Ghostbusters, allowing the tech giant to monitor and analyze data from rival apps like Snapchat, YouTube, and Amazon.

In this article, you’ll discover:

  • How Facebook turned a “privacy” app into a data goldmine.
  • What Project Ghostbusters was and how it worked.
  • The ethical and legal fallout from this covert surveillance.
  • What this means for you—and what you can do to protect your data today.

Let’s pull back the curtain.

 

What Was Onavo Protect and Why Did Facebook Buy It?

The Origins of Onavo

Onavo was an Israeli startup focused on data analytics and mobile app usage tracking. In 2013, Facebook acquired it for around $120 million, integrating its VPN app, Onavo Protect, into its ecosystem.

The VPN was marketed to users as a way to “secure your data and reduce mobile data usage.” It was downloaded over 33 million times worldwide.

But behind the scenes, Onavo was far from a standard VPN.

Why Facebook Wanted Onavo

The real value for Facebook wasn’t privacy—it was visibility. Onavo provided:

  • Real-time app usage data across Android and iOS.
  • Insights into competitor apps’ performance, features, and engagement.
  • The ability to see how quickly new apps were gaining traction (e.g., Snapchat, TikTok, Telegram).

This data allowed Facebook to:

  • Clone popular features (e.g., Stories from Snapchat).
  • Acquire rising competitors early (e.g., WhatsApp).
  • Crush competitors before they scaled.

 

Project Ghostbusters: How Facebook Spied on Snapchat and Others

What Was Project Ghostbusters?

Launched in 2016, Project Ghostbusters aimed to intercept encrypted traffic from Snapchat. Snapchat had recently started using SSL encryption, which made it harder for Facebook to observe how the app was being used.

Facebook’s engineers devised a method to bypass that encryption using Onavo’s deep access to mobile systems.

The Surveillance Method: SSL Interception

Here’s how it worked:

  • Users installed Onavo Protect, granting it VPN-level access.
  • Facebook installed root certificates on the device via Onavo.
  • Because the device now trusted those certificates, Facebook could perform Man-in-the-Middle (MITM) attacks on traffic routed through the VPN.
  • Even encrypted data from Snapchat and YouTube was decrypted, analyzed, then re-encrypted before being sent to its final destination.

This allowed Facebook to:

  • Track user engagement inside competitor apps.
  • Monitor performance metrics (like time spent, usage frequency).
  • Identify emerging threats early.

Facebook internally referred to the intercepted data as “hostile traffic.”
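To see why a root certificate installed on the device is the critical step, and why certificate pinning is the standard app-side defence, here is a simplified model added for this article (it is not code from Facebook, Onavo, or the court filings). All certificate names and key bytes are constructed placeholders, and signature verification is deliberately left out of the model.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER-encoded SubjectPublicKeyInfo

def spki_pin(cert: Cert) -> str:
    """Pin value in the common base64(SHA-256(SPKI)) form."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chain_trusted(chain, trust_store) -> bool:
    """Simplified path validation: every cert is issued by the next one, and
    the last cert is a self-issued root found in the device trust store."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and spki_pin(root) in trust_store

def connection_ok(chain, trust_store, pins) -> bool:
    """Pinned client: the chain must validate AND contain a pinned key."""
    return chain_trusted(chain, trust_store) and any(spki_pin(c) in pins for c in chain)

# Constructed sample certificates (hypothetical names and keys).
PUBLIC_ROOT = Cert("Example Public Root CA", "Example Public Root CA", b"public-root-key")
APP_LEAF = Cert("api.app.example", "Example Public Root CA", b"app-server-key")
VPN_ROOT = Cert("VPN App Root", "VPN App Root", b"vpn-root-key")
SUBSTITUTE_LEAF = Cert("api.app.example", "VPN App Root", b"proxy-generated-key")

SYSTEM_STORE = {spki_pin(PUBLIC_ROOT)}
STORE_WITH_VPN_ROOT = SYSTEM_STORE | {spki_pin(VPN_ROOT)}  # after the root is installed
APP_PINS = {spki_pin(APP_LEAF)}  # pin shipped inside the app

def scenarios():
    genuine = [APP_LEAF, PUBLIC_ROOT]
    intercepted = [SUBSTITUTE_LEAF, VPN_ROOT]
    return {
        "genuine_validates": chain_trusted(genuine, SYSTEM_STORE),
        "intercepted_clean_device": chain_trusted(intercepted, SYSTEM_STORE),
        "intercepted_after_root_install": chain_trusted(intercepted, STORE_WITH_VPN_ROOT),
        "intercepted_with_pinning": connection_ok(intercepted, STORE_WITH_VPN_ROOT, APP_PINS),
        "genuine_with_pinning": connection_ok(genuine, STORE_WITH_VPN_ROOT, APP_PINS),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The substituted chain is rejected on a clean device, accepted once the extra root is in the trust store, and rejected again by a client that pins the server's key.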

 

The Ethical Dilemma: Privacy Violations in Disguise

Misleading Users

Onavo Protect’s app description promised “privacy” and “security,” yet it did the opposite. Most users had no idea their data was being rerouted, decrypted, and analyzed by Facebook.

This was a clear violation of:

  • User trust
  • Platform policies (especially Apple’s strict app guidelines)
  • Potential privacy laws and wiretap regulations

Facebook’s Response (Or Lack Thereof)

In 2019, Apple banned Onavo from the App Store for violating its data collection policies. Google followed by removing it from the Play Store.

But instead of backing down, Facebook launched a similar research app called Project Atlas, targeting teenagers with $20 gift cards in exchange for full access to their phone data.

The FTC later launched investigations, and multiple lawsuits followed.

 

How Facebook Used the Data Strategically

Real-Time Market Intel

Through Onavo, Facebook knew:

  • When Snapchat was gaining momentum
  • That WhatsApp was being rapidly adopted in specific countries
  • That TikTok had explosive early user engagement

This insider view gave Facebook unfair advantages:

  • Preemptively cloning features
  • Acquiring or undercutting competitors
  • Influencing investor narratives with internal data

A Real-World Example: WhatsApp Acquisition

In 2014, Facebook acquired WhatsApp for $19 billion. Onavo played a role by showing:

  • WhatsApp’s daily user activity was outpacing Messenger
  • Global reach was exploding

With that data, Facebook justified the massive acquisition cost—and neutralized a key threat.

 

What Are the Legal and Regulatory Consequences?

Court Cases and Investigations

In 2024, unsealed documents in a class-action lawsuit revealed detailed strategies and communications about Project Ghostbusters. The case highlighted Facebook’s:

  • Deliberate efforts to mislead users
  • Willful interception of encrypted traffic
  • Use of deceptive consent frameworks

Key accusations:

  • Violation of the Wiretap Act
  • Unfair competition
  • Consumer fraud

Policy Reactions

Governments and regulators across the globe responded:

  • FTC investigations in the U.S.
  • GDPR audits in the EU
  • Bans and sanctions from app stores

Facebook’s response? Deny wrongdoing and settle cases quietly without admitting liability.

 

What This Means for You: Lessons and Action Steps

1. Not All VPNs Are Private

If it’s free, you are the product. Onavo Protect is a textbook case of how some VPNs prioritize data collection over security.

Always choose VPNs that are:

  • Transparent about logging policies
  • Independently audited
  • Clear about their revenue model

2. Think Twice Before Installing “Research” or “Security” Apps

Apps that request root-level access, install certificates, or run in the background with unlimited permissions are potential privacy risks.

Read the permissions. Understand the risks.

3. Push for Accountability

Users, professionals, and regulators must:

  • Demand data transparency
  • Support open-source privacy tools
  • Advocate for stronger consent laws and enforcement

 

Statistics & Case Summary Table

| Category | Details |
|---|---|
| App Name | Onavo Protect |
| Users Impacted | 33+ million |
| Year of Facebook Acquisition | 2013 |
| Key Surveillance Project | Project Ghostbusters |
| Targeted Apps | Snapchat, YouTube, Amazon, WhatsApp |
| App Store Bans | Apple (2019), Google (2019) |
| Legal Actions | Multiple lawsuits, FTC probe, GDPR review |

 

What Reddit and Quora Users Are Saying

Reddit (r/Privacy, r/technology)

“I used Onavo for a year thinking it was a normal VPN. Now I feel like I got totally played.”
“This is why I stick to ProtonVPN and Mullvad.”

Quora Insights

Q: Was Facebook spying on Snapchat through Onavo?
A: Absolutely. Internal documents and court filings have confirmed this. It was a deliberate strategy wrapped in a ‘privacy’ product.

 

Conclusion: Facebook VPN Surveillance Isn’t Just History—It’s a Warning

The Onavo saga shows how even privacy-focused tools can be exploited for corporate surveillance. Facebook’s use of a VPN app to intercept encrypted traffic wasn’t just sneaky—it was calculated.

We’re living in an era where data is currency—and tech giants will do anything to get more of it.

Protect your data. Stay skeptical. Choose privacy consciously.

 

Key Takeaways

 

  • Onavo Protect posed as a VPN while enabling Facebook to spy on competitors.
  • Project Ghostbusters decrypted SSL traffic from Snapchat and others.
  • The surveillance fueled Facebook’s competitive strategies.
  • Legal cases are still ongoing, but accountability remains limited.

 
