TL;DR - VPNs are sought out by privacy seekers to circumvent surveillance, but not all VPNs are created equal and few of them are really private. As an example, "Onavo Protect" is a free, popular and very handy VPN, yet no privacy seeker should use it: it sends data about its users to its operator and makes them easy to track.
Prelude
In October 2013 Facebook acquired the Tel Aviv based company Onavo, a prominent company in the mobile analytics field, marking Facebook's first office in the region. It was first believed that Onavo would take part in the Internet.org project, which plans to bring affordable internet access to less developed countries. Facebook later integrated 'Onavo Protect' as a VPN feature of its mobile app. But is this VPN really private?
This post documents why "Onavo Protect" is not recommended for privacy seekers. The same applies to every tool out there that collects all your data and promises privacy-like services in return.
There is no such thing as a free VPN; VPN infrastructure costs a lot:
- VPN costs servers
- VPN costs bandwidth
- VPN costs IT and security staff
- VPN costs monitoring
- VPN costs day-to-day management
- VPN costs server rooms and the power to cool them
When an entity provides all of this for free, know that you are paying for it in some other way.
Regarding 'Onavo Protect'
The good
- This VPN hides your traffic from state-level surveillance and from whoever monitors the private network you are on
- Blocks potentially harmful websites (which most browsers already do)
- Notifies users when credentials are submitted in clear text (also implemented by almost all browsers), which matters most on shared Wi-Fi
The bad
- It takes all your data for analysis/analytics purposes
- A bundle of useful services tied to marketing and ad tracking (a smart way to trick people into handing over their data)
- They can read credentials submitted to non-HTTPS websites (just as state-level surveillance on the path could)
The ugly
- The application submits sensitive information about its users and their devices that privacy seekers avoid submitting (many apps do this, but none of them sees all your traffic the way "Onavo Protect" does)
- Facebook will have a detailed profile of you, your contacts, your interests, metadata, DNS queries and IP addresses
- Everything is covered in their Privacy Policy (they are not taking your data without your consent; you are giving it to them)
Data analytics business
Facebook is a data-hungry company. While its own privacy policy covers only what you do on Facebook (along with your contact book, photos, metadata, etc.), Onavo Protect's privacy policy covers all your data, since everything you send to or receive from the internet passes through them: literally all traffic leaving and entering your phone. As a result, they will profile you, sharpen your Electronic Tattoo and share your non-Facebook data along with your Facebook data with their advertisers. Of course, nothing happens without your approval of the Privacy Policy (the data retention terms are in the same document), and their privacy policy is pretty clear about this. Below is a part of 'Onavo Protect's Privacy Policy. You can read the rest at:
http://www.onavo.com/privacy_policy/#InformationCollection
How does 'Onavo Protect' work?
'Onavo Protect' is a [free] VPN service that works over both mobile data and Wi-Fi. It encapsulates all internet-bound data inside a channel unreadable by your ISP, data provider and government, but readable by 'Onavo Protect' servers. Those servers extract the (meta-)data, analyze users' behavior along with application usage and the types of websites they visit, and profile them based on the Mobile Advertising ID (IDFA or AAID) in combination with other correlation techniques.
Onavo's first request to the internet:
The Mobile Advertising ID (IDFA on iOS, AAID on Android) was conceived to discourage developers from tracking users with their real device ID (UDID) in order to deliver ads. The Advertising ID is unique per device but not bound to the user's name, and the user can reset it, leaving some room to breathe. 'Onavo Protect', together with Facebook, defeats this separation: the advertising ID is sent alongside all the traffic Onavo already sees.
Below is the first request 'Onavo Protect' makes to the internet, requesting a Configuration Profile; it carries enough information about your device to make tracking easy. The data includes: IDFA, carrier name, MCC, MNC, platform and version. No privacy seeker should submit this information online; this is not privacy, this is exposure. (They are also pretty clear about this in their privacy policy.)
Mobile Country Codes (MCC) are used in wireless telephone networks (GSM, CDMA, UMTS, etc.) to identify the country a mobile subscriber belongs to. To uniquely identify a subscriber's network, the MCC is combined with a Mobile Network Code (MNC). The combination of MCC and MNC is called the HNI (Home Network Identity) and is simply both written as one string (e.g. MCC = 262 and MNC = 01 gives an HNI of 26201). If you append the MSIN (Mobile Subscriber Identification Number) to the HNI, the result is the IMSI (International Mobile Subscriber Identity).
Source: http://mcc-mnc.com/
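To make the point concrete, here is an added example (written for this post, not code from Onavo or from the original article) that audits a captured HTTP request for the kind of identifiers listed above. The request below is constructed for the example: the path, parameter names, host and values are assumptions, not a capture of Onavo's real traffic. The script parses the request, flags every parameter that identifies the device or subscriber, checks the advertising ID's format (an all-zero IDFA means the user has limited ad tracking), and derives the HNI from MCC and MNC as described above.

```python
"""Flag device and subscriber identifiers in a captured HTTP request."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request, loosely modelled on a "fetch my configuration"
# call. Field names, host and values are assumptions for this example.
SAMPLE_REQUEST = (
    "GET /config?idfa=6D92078A-8246-4BA4-AE5B-76104861E7DC"
    "&carrier=Vodafone&mcc=262&mnc=02&platform=ios&version=7.1 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: ExampleVPN/1.0\r\n"
    "\r\n"
)

# Query parameters that tie a request to a device or a SIM subscriber.
IDENTIFIER_PARAMS = {
    "idfa": "Apple advertising identifier",
    "aaid": "Android advertising identifier",
    "udid": "hardware device identifier",
    "imei": "hardware device identifier",
    "imsi": "SIM subscriber identity",
    "carrier": "carrier name",
    "mcc": "mobile country code",
    "mnc": "mobile network code",
}

UUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, query params, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, parts.path, params, headers


def home_network_identity(mcc: str, mnc: str) -> str:
    """MCC concatenated with MNC gives the HNI (e.g. 262 + 01 -> 26201)."""
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    return mcc + mnc


def audit_request(raw: str) -> list:
    """Return (field, value, finding) for every identifier the request exposes."""
    _method, _path, params, _headers = parse_request(raw)
    findings = []
    for name, value in params.items():
        key = name.lower()
        if key not in IDENTIFIER_PARAMS:
            continue
        note = IDENTIFIER_PARAMS[key]
        if key in ("idfa", "aaid"):
            if value == ZERO_IDFA:
                note += " (all zeros: ad tracking limited, value is not unique)"
            elif UUID_RE.match(value):
                note += " (unique per device until the user resets it)"
            else:
                note += " (unexpected format)"
        findings.append((key, value, note))
    # MCC and MNC together identify the subscriber's home network.
    if "mcc" in params and "mnc" in params:
        try:
            hni = home_network_identity(params["mcc"], params["mnc"])
            findings.append(("hni", hni, "MCC+MNC = home network; add the MSIN and you have the IMSI"))
        except ValueError as exc:
            findings.append(("hni", "", f"invalid MCC/MNC: {exc}"))
    return findings


if __name__ == "__main__":
    for field, value, note in audit_request(SAMPLE_REQUEST):
        print(f"{field:8} {value:40} {note}")
```

Run it against any request you capture with a proxy on your own device; every line it prints is a value the app has chosen to send about you, and the HNI line shows how little is missing before the operator can tie the request to a SIM.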
Right after the first request, a Configuration Profile is installed on your device. Configuration Profiles change high-privilege settings and require the user to approve them; this profile is what routes your data through their servers, and there is no other way for the app to do it.
Note: never, ever install a configuration profile from an untrusted source! It might be game over!
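Before approving any profile, look at what it actually changes. The following is an added example (not from the original post, and not Onavo's profile) that parses an unsigned iOS .mobileconfig and lists the privileged payloads it contains. The sample profile is constructed for the example: the identifiers, UUIDs and server name are made up. The payload type strings are Apple's documented PayloadType values; the one-line descriptions of why each is privileged are this example's own assessment, and the way the VPN server address is located (under the key named by VPNType, or under "VPN") is a simplification.

```python
"""Inspect an iOS Configuration Profile (.mobileconfig) before installing it."""
import plistlib

# Apple PayloadType identifiers that change high-privilege settings.
PRIVILEGED_PAYLOADS = {
    "com.apple.vpn.managed": "routes traffic through the profile's VPN server",
    "com.apple.proxy.http.global": "sends all HTTP(S) traffic via a proxy",
    "com.apple.security.root": "installs a trusted root certificate (TLS interception possible)",
    "com.apple.mdm": "enrolls the device in remote management",
    "com.apple.dnsSettings.managed": "redirects DNS queries",
}

# Constructed sample: an unsigned profile carrying one VPN payload.
# Identifiers, UUIDs and the server name are made up for this example.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Example VPN</string>
  <key>PayloadIdentifier</key><string>com.example.vpn.profile</string>
  <key>PayloadUUID</key><string>3F2504E0-4F89-41D3-9A0C-0305E82C3301</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.vpn.profile.vpn</string>
      <key>PayloadUUID</key><string>3F2504E0-4F89-41D3-9A0C-0305E82C3302</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>UserDefinedName</key><string>Example VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.invalid</string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def is_signed(profile: bytes) -> bool:
    """A bare plist (XML or binary) is unsigned; anything else is treated as a CMS wrapper."""
    return not (profile.lstrip().startswith(b"<?xml") or profile.startswith(b"bplist"))


def inspect_profile(profile: bytes) -> dict:
    """Summarise what a profile would change: name, identifier and privileged payloads."""
    if is_signed(profile):
        # Signed profiles are CMS-wrapped; unwrap them (e.g. openssl smime -verify) first.
        raise ValueError("signed profile: strip the CMS wrapper before parsing")
    plist = plistlib.loads(profile)
    findings = []
    for payload in plist.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in PRIVILEGED_PAYLOADS:
            continue
        detail = PRIVILEGED_PAYLOADS[ptype]
        if ptype == "com.apple.vpn.managed":
            # Simplification: the server sits under the VPNType-named key or "VPN".
            vpn_cfg = payload.get(payload.get("VPNType", ""), payload.get("VPN", {}))
            detail += f" ({vpn_cfg.get('RemoteAddress', 'unknown server')})"
        findings.append((ptype, detail))
    return {
        "name": plist.get("PayloadDisplayName", ""),
        "identifier": plist.get("PayloadIdentifier", ""),
        "signed": False,
        "privileged": findings,
    }


if __name__ == "__main__":
    info = inspect_profile(SAMPLE_PROFILE)
    print(f"{info['name']} ({info['identifier']}), signed: {info['signed']}")
    for ptype, detail in info["privileged"]:
        print(f"  {ptype}: {detail}")
```

If the output lists a VPN, proxy, DNS or root-certificate payload, you now know exactly who will sit in the middle of your traffic before you tap "Install"; an unsigned profile additionally means nobody vouches for its contents.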
Wrapping it up
Would you trust an analytics company to guarantee your privacy? This is a conflict of interest at the business level. It's either privacy or analytics; it cannot be both.
Despite the irony that this post will be shared on Facebook, it is not aimed at 'Onavo Protect' in particular; it is a warning about all the apps that are thought to be private but end up monitoring you. Such services are useful under certain circumstances, but they leave you with the sad truth about the future of privacy: everybody wants your data, and the choice is between one big brother and another. Choose your enemy wisely, and be diligent.