Back in 2013, Facebook (META 0.94%) acquired Israel-based Onavo, a small mobile analytics company that offered a virtual private network (VPN) app called Onavo Protect. In general, VPN apps seek to give users greater privacy and control around their data by routing traffic through a secure network. In this case, Onavo Protect started sending all that user data back to the Facebook mothership.

The purchase price was estimated at around $120 million. Regulatory filings show that Facebook spent $131 million on business acquisitions (net of cash acquired) during the fourth quarter of 2013; the only two known acquisitions during that quarter were Onavo and SportStream.

A broken padlock on top of a circuit board

Image source: Getty Images.

In its ongoing quest to protect user privacy, Apple (AAPL 0.41%) just told Facebook to pull Onavo Protect from its App Store.

Onavo Protect does not protect you from Facebook

The Wall Street Journal reports that Apple has decided the VPN app violates its App Store policies around data collection. The Mac maker rolled out new rules in June that included new provisions around data use and sharing. Some of the legalese even sounds like it is directed squarely at some of Facebook's data collection practices, such as saying apps cannot "surreptitiously build a user profile based on collected data." That sounds an awful lot like the "shadow profiles" that Facebook builds about non-Facebook users.

The specific provision that Onavo Protect likely violates is this one: "Data collected from apps may only be shared with third parties to improve the app or serve advertising (in compliance with the Apple Developer Program License Agreement.)." Facebook has long used Onavo Protect as a way to spy on what its users are doing, a use of the data that is well beyond the scope of what a mere VPN is intended for.

It's worth noting that in the app's description, Onavo is up-front about sending user data to Facebook (emphasis added): "Because we're part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences." But many users probably brush past that seemingly innocuous disclaimer, believing that they are adding a layer of security to their data privacy when in fact they're sending information to a parent company that is continuously plagued by data privacy scandals.

What took so long?

The shocking thing about this news is not that it's happening, but that it's taken so long. It's been nearly five years since Facebook acquired Onavo, and there was a high-profile story a year ago about how Facebook leveraged data collected via Onavo Protect to get early insight into Snap's slowing user growth -- before the Snapchat parent ever filed its S-1 Registration Statement with the SEC ahead of going public last year. Users that had Onavo Protect installed on their devices that also used Snapchat were funneling usage data to Facebook about its upstart competitor.

Facebook may be losing one of its more furtive avenues of data collection on one of the world's largest mobile platforms, but it has plenty of other ways to vacuum up as much user data as it can get its hands on.