Facebook & Onavo, Privacy & Security

Isaiah Sarju
Revis Solutions Blog
5 min read · Feb 20, 2018

Facebook’s VPN product Onavo might be secure, but it’s not private. For some people, that’s ok. Let’s understand the difference between privacy and security.

TechCrunch recently published an article detailing Facebook’s promotion of its VPN product Onavo VPN. VPNs are ostensibly security and privacy products. But any product owned by Facebook is hard to take seriously as a “privacy” product. I’ve had friends asking me about this article and I think it is a great example of differentiating between privacy and security.

Now, the difference between privacy and security doesn’t just apply to Facebook’s VPN product. This applies to any product that is being sold to “make you more secure”. It’s important to see through the sales jargon and understand if a given product is making you more secure, increasing your privacy, or forcing a tradeoff between the two. Once you understand the difference, you can make better decisions about what you actually need.

I often get questions such as “is using Facebook secure?” My response is usually “for the most part yes”. Then, “but they know everything about you.” And they do. However, this is an issue of privacy, not security.

Privacy and Security — Related but Different

Privacy and security are related to one another and influence each other, but they are not the same thing. Let’s look at formal definitions and then some practical applications of privacy and security. Privacy is defined as

the state or condition of being free from being observed or disturbed by other people — OED

Security is defined as

the state of being free from danger or threat — OED

To understand privacy and security on a practical level, let’s look at a house. To decide if your privacy or security is compromised, you first have to define your desired outcome. For example, you might say “I do not want family heirlooms stolen” and at the same time “I do not care if people see me naked”. Once you’ve established your desired outcome, you can define your privacy and security concerns. We’ll use these example desired outcomes to discuss privacy and security ramifications of our theoretical house.

Practically speaking, privacy is keeping private information private. If someone can see into your house and you don’t want them to, some of your privacy is compromised. But if you’ve decided that “I do not care if people see me naked”, your privacy is not compromised. In either scenario, whether or not a stranger can see you naked, your desired outcome of “I do not want family heirlooms stolen” is not at risk.

To talk about security, we need to talk about risk. Security is about managing risk. Risk is the potential of an undesirable outcome from the intersection of a threat and a vulnerability. In a short equation, risk = threat * vulnerability. The severity of a given risk is risk severity = likelihood * impact. Let’s say that the locks on your house don’t work: you have a vulnerability. But if no one wants to steal your family heirlooms, there are no threats, so there is no risk. In that case, buying better locks does not actually increase the security of your house. Conversely, if someone wants to steal your family heirlooms, but there are no vulnerabilities in the locks, windows, walls, etc., then there is no risk. If there is no risk, there is no security concern.

Now that we understand privacy and security, let’s discuss how they can affect one another. If other people or systems are protecting us, we often have to give up some privacy so that they have the information necessary to keep us safe. A good example is using bodyguards. Bodyguards are privy to private aspects of your life, aspects that you might prefer that no one knows. But if your physical security concerns can only be solved by bodyguards, then you give up some privacy. If you have bodyguards and you ask them to stay outside of a building while you have a sensitive rendezvous, you are decreasing your security while increasing your privacy.

What about Onavo?

[Figure: Onavo in the App Store]

This blog post was inspired by the TechCrunch article on Onavo VPN, Facebook’s VPN product. I won’t go into depth explaining VPNs here, but what you need to know is that a VPN creates a secure channel to a server on the Internet. It tunnels your traffic through this channel so that anyone along the way cannot read or tamper with your data. VPNs are great if you work in co-working spaces, coffee shops, or at home with roommates that you don’t trust.

Some use VPNs for security, to protect their bank transactions, their remote access to company resources, etc. Others use them for privacy, to hide their internet activity from authoritarian governments or their internet service providers. In other words, some use VPNs for security, some for privacy, and some for both. The TechCrunch article accurately points out that

Onavo’s VPN allow Facebook to monitor user activity across apps

So if you don’t want external entities to monitor your internet activity, Onavo isn’t the VPN for you, because Facebook is likely harvesting as much data as possible from your internet browsing.

At the beginning of this post I said that “for the most part yes” Facebook is “secure”. I stand by this. Facebook’s existence depends on their ability to monetize your information. If others gain access to this information, it decreases the value of Facebook’s monopoly on your personal data. So, it’s in their best interest to make sure that your information is protected from threats that want to steal, tamper with, or delete this data. This is security. The fact that they have this data means that you’ve traded personal information for the value that Facebook brings to your life. This is privacy, or the lack thereof.
