This week, reports have percolated that Facebook is testing a new menu item, called "Protect," in its iOS app. The feature sports a blue shield icon, and tapping it redirects you to the App Store listing for Facebook-owned VPN app Onavo Protect. But while Onavo does claim to offer some tools that make the web safer, in practice it falls far short of the privacy protections that VPN users reasonably expect.

Onavo itself isn't new; Facebook acquired it in 2013, and has nudged users to it through the Protect prompt on Android since 2016. Like all VPNs, it's a private platform that acts as a portal to connect you to the larger internet, tunneling your data through an encrypted path to reduce the risk of eavesdropping. Onavo's Android VPN touts this type of data protection, but also offers what it calls a second VPN for keeping track of which apps are using the most data.

The iOS version of the VPN focuses more on browsing protections, warning users when they visit sites that might be malicious and offering other standard VPN protections. But on both platforms, Onavo is more pervasive than standard VPNs, and attempts to be on all the time instead of just when you want a little extra protection. This seems like a way for the app, and by extension Facebook, to track your browsing all the time, not just when you're on the social network.

'I've read too many VPN company privacy policies and I can pick out the nonsense a mile away.' That One Privacy Guy

Similarly, the data usage and malicious-site warning features are both built on extensive data-monitoring and tracking. "Onavo collects your mobile data traffic," reads the App Store description. "This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we're part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences." If you're looking for the privacy benefits of a VPN, this is not what you want to hear.

All VPNs, by definition, have access to all of your browsing data. VPNs that prioritize privacy, though, reassure users that they will never log or store any browsing information. Some have even proven in practice that they delete all logs, after subpoenas for records during law enforcement investigations turn up nothing.

Onavo, on the other hand, expressly combs through, analyzes, and tracks user data over time, feeding it directly to Facebook. The service also states that it may retain users' data for as long as they have an account and beyond. And Facebook does leverage that data for its own purposes; the Wall Street Journal reported in August that the company used data from Onavo to track the popularity of competitive startups and other user preferences, and to inform acquisition decisions.

"Guess what, if you're not paying for the product, you and your data are the product," says the privacy researcher known as That One Privacy Guy, who has analyzed VPN trustworthiness for years and maintains a detailed comparison chart of the services. "I've read too many VPN company privacy policies and I can pick out the nonsense a mile away." He describes the Onavo policy as "very obtuse."

In many ways, Facebook is at least transparent about Onavo's data-collection goals. The VPN's privacy policy states, "We may use the information we receive to provide, analyze, improve, and develop new and innovative services for users, Affiliates and third parties." It also reserves the right to use customer information to "Comply with applicable laws and assist law enforcement." Privacy-focused VPNs may comply with law enforcement requests, but if they don't keep logs, they're unable to do so helpfully.

'The obvious thing they are perhaps trying to do here is ensure that the user forgets Onavo even exists.' Ankur Banerjee, Accenture

Facebook maintains that its data-tracking benefits users also. The Onavo VPN "acts as a secure connection to protect people from potentially harmful sites," product manager Erez Naveh says. "The app may collect your mobile data traffic to help us recognize tactics that bad actors use. Over time, this helps the tool work better for you and others. We let people know about this activity and other ways that Onavo uses and analyses data before they download it."