Meta firms fined in Australia over ‘Onavo Protect’ consumer protection breach

Remember Onavo? The Israeli mobile market intelligence company that Meta (aka Facebook) bought back in 2013 and used to power a free VPN/data management app which claimed to users it would help protect their privacy but did the opposite by sharing usage data with Facebook for the latter’s own business intelligence purposes? The wheeze helped the tech giant figure out which rival apps were popular — feeding its acquisition strategy and enabling it to sew up its grip on the social web. (See, for example, Facebook’s 2014 purchase of WhatsApp.)

Meta hasn’t faced much legal blowback for using the misleading cover of a freebie VPN app that claimed it would keep people’s data “safe” to spy on users’ digital activity for its own commercial ends. But Australia’s consumer watchdog has now managed to extract an AUS$20 million (~$13.5 million) total penalty payment from two Meta-owned companies involved in the saga: Facebook Israel and Onavo Inc.

The Competition and Consumer Commission (ACCC) sued Meta over its use of Onavo back in December 2020. Today it said a federal court has ordered the two subsidiaries to each pay AUS$10M for engaging in conduct liable to mislead in breach of the Australian Consumer Law.

The subsidiaries, which were the developers and suppliers of the Onavo Protect VPN app, were found to be responsible for misleading descriptions of the app displayed in Google and Apple App Store listings.

The watchdog also found that the “Onavo Protect” VPN app was installed more than 270,000 times by Australian users between February 2016 and October 2017. Facebook shuttered the service in May 2019.

“In Google and Apple App Store listings, Onavo Protect was promoted as a product that would keep users’ data protected and safe, for example with language such as ‘Use a free, fast and secure VPN to protect personal information’ and ‘Helps Keep You and Your Data Safe’,” it wrote in a press release. “In fact, Onavo and Facebook Israel shared the personal activity data from users collected by the app in anonymised and aggregated form with parent company Meta (then known as Facebook Inc) for commercial benefit.”

“We took this case knowing that many consumers are concerned about how their data is captured, stored and used by digital platforms. We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading,” ACCC chair, Gina Cass-Gottlieb, added in a statement.

“In the case of the Onavo Protect app, we were concerned that consumers seeking to protect their privacy through a virtual private network were not clearly told that in downloading and using this app they were actually facilitating the use of their data for Meta’s commercial benefit.”

The ACCC’s original suit also targeted Meta, as the parent company of Facebook Israel and Onavo. However, the watchdog said the case against Meta was dismissed by the Court after settlement negotiations between it and the remaining parties “based on information about Meta’s role in the conduct”.

Meta was contacted for comment on the penalty. At the time of writing it had not responded.

Update: Meta has now sent this statement:

The Federal Court of Australia has approved the penalty Facebook Israel and Onavo Inc jointly proposed with the ACCC regarding disclosures by the app Onavo Protect in the Apple App Store and Google Play Store in 2016 and 2017.

The ACCC acknowledged in the joint filing that the Onavo Protect listings were not deliberately misleading and disclosures were made in the app’s Terms of Service and Privacy Policy. Furthermore, all user data was anonymised and aggregated before it was used by Meta.

The Onavo Protect app did provide users with a free, useful VPN service and it did function properly as an online security tool. There was no allegation by the ACCC that the app did not function properly as an online security tool.

Protecting the privacy and security of people’s data is fundamental to how Meta’s business works. Over the last several years, we have built tools to give people more transparency and control over how their data is used, and we design every new product and feature with privacy in mind.