We’re used to getting internet services for free. But even if you’re happy to swap your data and advertising views for email, cloud storage or image optimisation, you might want to think again before picking a free Virtual Private Network or VPN service at random from the Play Store or App Store.
When you connect to a VPN, an encrypted tunnel is created between your computer and an endpoint server, giving you a new IP address – potentially in another country – and ensuring that your internet traffic can’t be deciphered by your ISP or the administrator of your local network. But many free VPNs don’t work as they’re supposed to, leaking data and even actively spying on their users.
“The three biggest threats when it comes to free VPN mobile apps are data harvesting; incomplete protection; and corner-cutting in development that potentially leads to vulnerabilities,” says Simon Migliano, head of research at Top10VPN.com.
While mainstream commercial VPN providers such as Windscribe, TunnelBear and ProtonVPN provide free tiers as a loss leader to promote their commercial services or even as a public good, they’re a long way from the ad-funded, mobile-focused services that most often crop up in reports of data harvesting and mishandling.
What could go wrong?
In short, a lot. In July 2020, UFO VPN, a provider based in Hong Kong which claims that it keeps no logs of user activity, was discovered by Comparitech researchers to be storing user logs, access records and plain-text passwords in an openly accessible database.
After it was initially secured, the database was re-exposed just days later. Following initial assurances from UFO VPN that it had been “fixed”, Comparitech editor Paul Bischoff says he hasn’t heard from the UFO VPN since, even after the re-exposure of user data.
UFO VPN – along with seven sibling firms identified by researcher at VPN Mentor, all linked to a company called Dreamfii HK Limited – offers both paid and free VPN services, but is best known for its advertising-funded free VPN services. It claims there are “no logs, no monitoring” of user activity – something the breach disproves. UFO VPN had not responded to a request for comment by the time of publication.
“We always advise readers against using free VPN services because they tend to have less robust security and privacy policies,” Comparitech’s Bischoff adds. “Many of them collect user data that can be used to drive advertising revenue, which defeats the purpose of using a VPN for privacy. UFO VPN just happened to accidentally expose its data.”
While it’s relatively rare for this kind of non-contractual storing and mishandling of data to be so dramatically revealed, many free mobile VPNs have poor or non-existent data handling policies, among a range of issues highlighted in 2019 analysis by Top10VPN.
And privacy with a free VPN isn’t a given, either. Migliano says that a misconfigured VPN can leak information about your online activities, even if it’s successfully changed your IP address: “When we first tested the 150 top Android VPNs last year, as many as 25 per cent suffered these leaks and while the situation has greatly improved, almost one in ten continued to leak in our follow-up tests.”
This includes Hola VPN, which has over 50 million installs on Android. “Given the very high turnover of VPN apps in the app stores,” Migliano says, “it’s a bit of a lottery as to whether your new VPN will actually keep your browsing activity private from your ISP.”
Top10VPN has also found that many free VPN apps use generic third-party components to implement common app features, but fail to remove intrusive permissions and functions, including those relating to a device’s camera, microphone and GPS tracking.
Logging and the law
Where your VPN is based is hugely important – as local laws dictate what data governments and law enforcement may be able to access. In June this year Top10VPN highlighted several free VPN providers with troubling privacy and security records based in China or Hong Kong, highlighting recent changes to Hong Kong’s security laws that require user activity logs to be retained by service providers.
Hong Kong previously had no data retention laws in place. However, Migliano and his team found that many Hong Kong based VPNs are – and were – owned by Chinese companies, which he says “raises questions about how these apps can continue to operate if they are not compromised in some way, such as by sharing their users’ browsing data with the authorities.”
It’s because of data retention laws in places such as Hong Kong, the UK, Russia and Ireland that many privacy-oriented VPN providers are legally headquartered in places such as Panama and the British Virgin Islands, which are also not part of international government surveillance and intelligence-sharing agreements, such as the ‘Fourteen Eyes’ alliance.
Data retention requirements in countries such as the UK have led to logs being handed over to law enforcement, but even for the most law-abiding VPN user, the very existence of logs leads to the possibility of having your activity data exposed, as we saw with UFO VPN.
It’s for this reason that VPN companies that have had servers seized, only to reveal no user activity logs, such as ExpressVPN and Perfect Privacy, are regarded as the best choices for privacy. Other privacy-focused provides maintain transparency reports logging law enforcement data requests, and third-party audits of logging, security and privacy policies are also increasingly popular in the sector.
Data harvesting
In some cases, the VPN service’s exploitative behaviour is the point, and you can’t necessarily trust the big names, either, particularly if VPNs or information security aren’t their usual areas of business.
Facebook – which has now discontinued its VPN offerings – was notorious for this, with its Onavo Protect VPN, closed in 2018, and Facebook Research VPN, shuttered in 2019. Both harvested data about their users and what they were looking at online.
Previously a privacy-oriented VPN, Onavo promised browsing protection while collecting mobile tracking, while Facebook Research VPN explicitly monitored activity, giving $20 a month to participants as young as 13.
Public exposure ended both services, but in March 2020, Android app analytics platform Sensor Tower was caught using free VPN apps to capture data about what apps users had installed on their phones.
They’re not the only examples. A 2014 TechCrunch report observed that rival analytics firm App Annie’s Smart Sense subsidiary produced a VPN app – the now-defunct VPN Defender – to carry out the same kind of inventory of users’ installed apps. The App Annie Basics software label, formerly Distmo, has been suggested by TechCrunch as another likely data harvesting vector. Its apps include the popular Astro File Manager, as well as Phone Guardian Mobile Security & VPN protection.
When smartphone users’ installed apps and habits are logged by intrusive apps, this valuable market data is then sold on to developers, publishers and others in the app publishing space.
What should you do?
If you’re using a VPN for security, then turning to an unknown service provider with no transparency policy as a purportedly more secure alternative to your usual ISP is a poor move. Remember that you’re effectively choosing a different company that’ll be able to see all your activities instead of whoever supplies your broadband.
Even if you just want to switch regions for a quick look at what US Netflix viewers get to see, it’s important to think first about exactly what other data about you, your phone and your activities you might be giving to whom.
While the gold standard for privacy is a correctly configured VPN endpoint that you control, that’s not practical for everyone, and non-exploitative commercial VPN services – even free ones – do exist.
Research is critical: we’re here to help, with the WIRED guide to the best VPNs, but if you have specific concerns, make sure your VPN provider addresses them. Check their transparency pages, logging policies and look at how they’ve handled legal actions and security issues in the past.
If you need a free VPN service in a hurry, Windscribe and ProtonVPN are our current recommendations, with solid track records for security and transparency, and will likely serve you better than a random selection from the Play Store’s most popular or promoted list.
This article was originally published by WIRED UK