Free VPNs aren't "free". You often end up paying for them with the private data many use them to protect in the first place. Facebook is just the latest case in point. Or, at least it was.
From the Wall Street Journal:
Apple's decision widens the schism between the two tech giants over privacy and is a blow to Facebook, which has used data gathered through the app to track rivals and scope out new product categories. The app, called Onavo Protect, has been available free download through Apple's app store for years, with updates regularly approved by Apple's app-review board.
Onavo allows users to create a virtual private network that redirects internet traffic to a private server managed by Facebook. The app, which bills itself as a way to "keep you and your data safe," also alerts users when they visit potentially malicious sites. Facebook is able to collect and analyze Onavo users' activity to get a picture of how people use their phones beyond Facebook's apps.
Good on Apple, though pity it wasn't much, much sooner. I don't know if Facebook though it was being clever or was simply being shameless. IOS isn't the platform for undisclosed data snooping.
Update: Here's how Onavo/Facebook itself described the activity:
As part of this process, Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we're part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.
Since there's no permission for users to grant or deny — iOS doesn't allow this activity directly so Facebook used the VPN to circumvent the built-in privacy protection — unless you read the fine print, it's unlikely you even knew you were being spied on.