What if the app promising to protect your privacy was actually the biggest threat to it?
That’s exactly what millions of Facebook users unknowingly walked into when they tapped that friendly little “Protect” button in 2018.
In 2013, Facebook quietly acquired an Israeli startup called Onavo and repackaged its VPN product as Onavo Protect — a free tool marketed as a shield for your personal data. But behind the scenes, it was something far more sinister. Once installed, the app prompted users to accept a root certificate, essentially handing Facebook a skeleton key to their entire device. Every app, every message, every encrypted connection — all of it was open to Facebook’s eyes.
This wasn’t a bug. It was the plan.
Internally codenamed Project Ghostbusters, Facebook used Onavo data to intercept and decrypt traffic from rival apps like Snapchat, gaining real-time intelligence on competitor features and user behavior. It was corporate espionage dressed up as a privacy tool. And it worked — Facebook used those insights to copy features, neutralize threats, and dominate the market.
But it didn’t stop there. Facebook also secretly ran Project Atlas, paying users, including teenagers as young as 13, up to $20 a month to install a similar app that harvested their private messages, photos, and location data. All without meaningful consent.
When the truth finally surfaced, Apple pulled the plug, US senators demanded answers, and Australian regulators handed down a $13 million fine — pocket change for a company pulling in over $50 billion in annual profit.
The story of Onavo isn’t just a privacy scandal. It’s a masterclass in how trust can be weaponized.
Watch the full investigation here and decide for yourself how much you really trust the apps protecting you:












