Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You

Facebook's definition of protection isn't quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled "Protect." Clicking on that link in the company's navigation bar will redirect Facebook users to the "Onavo Protect - VPN Security" app's listing on the App Store. There, they're informed that "Onavo Protect helps keep you and your data safe when you browse and share information on the web." You're also informed that the "app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers."

What you're not told is that Facebook acquired the company back in 2013, and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:

"Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat's dwindling user base, even before the company announced a period of diminished growth last year."

Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing a new two-factor authentication system (good) that the company also thought should be co-opted for marketing purposes (not so good). Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS. But Facebook apparently got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement at the website:

So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. "aTMi pic.twitter.com/Fy44b07wNg

- Gabriel Lewis (@Gabriel__Lewis) February 12, 2018

On a positive note, Facebook was quick to acknowledge that the SMS spam isn't intentional, and that it would be rolling out out a fix shortly (hopefully before too many people get disgusted by 2FA):

"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug."

While Facebook was quick to own its 2FA problem, the company has been somewhat mute regarding the backlash to its "VPN" service offering. That effort likely began with good intentions among Facebook's security team, then got hijacked by company higher ups nervous about the fact Facebook's engagement and subscriber numbers have begun a precipitous dive. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.