In a case filed in December 2020, the ACCC alleged that while Onavo Protect did function as a VPN, as it advertised, it also “collected, aggregated and used significant amounts of users’ personal activity data for Facebook’s commercial benefit. This included details about Onavo Protect users’ internet and app activity, such as records of every app they accessed and the number of seconds each day they spent using those apps.”
The Federal Court judgment said Meta and Facebook Israel internal documents stated that “Onavo Protect was “a business intelligence tool” for Meta, which provided Meta with “a sample of users who we [Meta] are able to know nearly everything they are doing on their mobile device”.
“If an Australian user of Onavo Protect had a Facebook account, Meta was also able to combine that user’s Onavo Protect data with information that Meta maintained about the user’s Facebook account, using an algorithm,” the Federal Court judgment said.
“Through Onavo Protect, Facebook was collecting and using the very detailed and valuable personal activity data of thousands of Australian consumers for its own commercial purposes, which we believe is completely contrary to the promise of protection, secrecy and privacy that was central to Facebook’s promotion of this app,” the ACCC said. The regulator said this was in breach of Australia’s Competition and Consumer Act 2010.
The free Onavo Protect app was installed more than 270,000 times by Australian users between February 2016 and October 2017, according to the ACCC.
Facebook discontinued Onavo Protect in February 2019, but not before TechCrunch had labelled it “spyware”, and said Facebook was forced to remove Onavo from Apple’s AppStore by Apple, because it violated Apple’s beefed-up anti-tracking policy.
The Wall Street Journal reported that Facebook had used samples of data collected by Onavo to secretly keep tabs on rivals. The paper said that in 2016, Facebook learned, via Onavo, that Snapchat user growth had slowed before that trend was publically disclosed by its NYSE-listed owner, Snap.
Meta responds
“The Federal Court of Australia has approved the penalty Facebook Israel and Onavo Inc jointly proposed with the ACCC regarding disclosures by the app Onavo Protect in the Apple App Store and Google Play Store in 2016 and 2017,” Meta said in a statement to the Herald.
“The ACCC acknowledged in the joint filing that the Onavo Protect listings were not deliberately misleading and disclosures were made in the app’s Terms of Service and Privacy Policy. Furthermore, all user data was anonymised and aggregated before it was used by Meta.
“The Onavo Protect app did provide users with a free, useful VPN service and it did function properly as an online security tool. There was no allegation by the ACCC that the app did not function properly as an online security tool.
“Protecting the privacy and security of people’s data is fundamental to how Meta’s business works. Over the last several years, we have built tools to give people more transparency and control over how their data is used, and we design every new product and feature with privacy in mind.”
“We took this case knowing that many consumers are concerned about how their data is captured, stored and used by digital platforms,” ACCC chairwoman Cass-Gottlieb said.
“We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading.”
NZ regulators react
The Herald asked the Commerce Commission and the Office of the Privacy Commissioner if any enforcement action had been taken on this side of the Tasman in relation to Meta’s Onavo Protect.
In a combined response, the two regulators said: “We are aware of the recent Federal Court decision, the fine imposed and the Australian Consumer and Competition Commission’s wider Digital Platform Services inquiry.
“Neither the Commerce Commission or the Office of the Privacy Commissioner is currently investigating Onavo Inc and neither has received any complaints regarding it. As we understand it Onavo Protect ceased services in New Zealand in 2019 at about same time it withdrew its services in Australia. Given this, the elapsed time, and the lack of complaints we are unlikely to open an investigation at this stage.”
However, “The Meta Onavo Protect case is a great example of the strong connection between consumer rights and privacy/data protection rights,” the watchdogs said.
“If product information fails to adequately disclose how users’ data would be used it’s possible that misleading and/or false representations have been made. This is likely to raise concerns under both the Privacy Act and the Fair Trading Act.
“We would encourage anyone who believes they have been misled by a business about how their personal data is being used or technical experts who identify data protection issues that could affect consumers to contact the Office of the Privacy Commissioner (0800 803 909) and/or the Commerce Commission (0800 943 600).”
The ComCom and OPC have been asked if they know how many New Zealanders downloaded Onavo Protect.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.
