
The cost of a ‘free’ VPN: When cheap is expensive

Once upon a time, the term “VPN” conjured up images of hooded hackers and corporate software – but things have changed. According to a Security.org report, 95% of Americans are familiar with VPN technology, with 46% actively using them. VPNs are, pretty much, a household staple.

Having left geek territory, VPNs are not fading back into relative obscurity. The dramatic increase in popularity VPNs have experienced can be explained by the demands of remote work, but with VPNs, it has never been and never will be strictly about business.

People use VPNs for a variety of reasons, from work to entertainment. Privacy-conscious users take advantage of VPNs’ obfuscating features to stop their internet service providers (ISP) from tracking them. Some use VPNs to protect their data while connected to free Wi-Fi hotspots. With a VPN, one can break office and college firewalls, bypass geo-restrictions, and outmaneuver censors. 

When it comes to choosing the best VPN services, however, the options are seemingly endless. There are scores of both paid and free products that claim to do exactly the same thing. So why pay more or, rather, pay at all?

What do VPN providers need money for? 

Many ‘free’ products come with strings attached. As we know, free stuff often carries a hidden cost, and in the case of a ‘totally’ free VPN, users might end up paying dearly with their data.

Running a VPN often takes a lot of money and providers need to get it somewhere. But what do they need this money for exactly? Let’s break down the costs.

To function properly, a VPN provider needs to rent multiple servers with a lot of bandwidth (usually from a colocation provider). Bandwidth is the maximum rate of data transfer over a specific connection in a given amount of time. The bandwidth itself does not come cheap if we take into account that a single VPN provider might need to cater to hundreds of thousands of users at a time.

Indeed, it is such a prized commodity that some passive income services allow people to sell their unused bandwidth, charging buyers as much as $1.00 a GB. 

Free VPNs can cost users their data privacy

The server network needs to be maintained, scanned for vulnerabilities, and upgraded. This requires a dedicated development and support team, which, ideally, should work round-the-clock to address issues in real time and respond to clients in different time zones. That, in turn, leads to office expenses and staff salaries.

Most popular VPNs do not run only on one platform. To meet the expectations of those who use multiple devices with different operating systems (which is most of us), VPN providers need to customize their apps for different platforms. Thus, they need to invest money and effort in creating and updating VPN apps for Windows, macOS, iOS, and Android. 


A VPN can offer excellent user support, great coverage, and unlimited bandwidth, but if nobody has ever heard about it, then its star is unlikely to rise on the privacy horizon. So, one has to factor in marketing and promotional expenses, including building a user-friendly website.

Some corners may be cut here and there, but not all and not everywhere. That begs the question: how can ‘free’ VPNs operate if they do not make money from subscriptions? And what are they actually making money from?

There are several possible answers to this question. But it ultimately boils down to this: VPNs either jeopardize their clients’ security or turn them into a commodity by sharing their data, or both.

What’s the product? You are! 

It may be buried deep in their privacy policies, but some free VPNs openly admit that they may collect and keep their clients’ personal data, and disclose it to third parties. 

Some free VPN apps, such as Psiphon, sustain themselves by partnering with advertisers. Psiphon says that it can share user data with partners, such as Facebook, who, in turn, can track users and target them with ads. The data collected this way is subject to advertisers’ own privacy policies.


It must also be said that while some free VPNs don’t make a secret of how they make money – one just has to have enough patience to comb through their privacy policies and ToS – others may not be so open about it. And there is a good reason why: for those who use a VPN for privacy and security the fact that it shares data with third parties might become a deal-breaker. 

Suspicious permissions 

The level of permissions that free VPN apps require is another thing worth paying attention to. VPN apps may request intrusive permissions to better advertise to users, or for more malicious purposes.

So if an app, for example, asks for full access to your phone, it should raise an immediate red flag. Once granted, it enables the developer to get access to the user’s current cellular network information, the status of any ongoing calls, and all phone accounts registered on the device. As such, it can reveal the user’s phone number and their device ID, which both could be leaked if a VPN logs data. 

You should also be concerned if a VPN app has any in-built trackers. We explained in detail why a VPN app is no place for trackers and how you can check a VPN app for trackers yourself. In short: by building trackers into their apps, VPN providers give themselves loopholes to collect user data. 


Secret log-keeping and lackluster security 

This brings us to another problematic aspect of free VPNs – some of them keep logs (even if they say they don’t). And, since free services usually can’t hold a candle to today’s most secure VPNs, that means that the user’s personal information can be exposed in data leaks, and, potentially, de-anonymized.

Unfortunately, users of these free apps remain in the dark about the inherent risks to their privacy or learn about them from the media when it’s too late and their data has already been compromised.

Several years ago, seven different free ‘no-log’ VPNs – all linked to the same developer – were caught red-handed storing users’ personal data on an unsecured server. Interestingly, this group of VPNs claimed to offer military-grade security features. However, the researchers from VPN Mentor found the users’ email addresses along with their passwords, in clear text in a leaked database. 

But that is not all: the VPNs also logged names, origin IP addresses, actual location, Internet Service Provider (ISP), device ID, and even the sites their customers visited. What’s more, the VPN providers ignored the researchers’ attempts to contact them, and the database continued to leak for almost two weeks before the server was secured.

The leak potentially exposed the sensitive data of up to 20 million users, including those who connected to VPN servers from the regions where using a VPN could land one in trouble with the law.  


In another major incident, the personal data of more than 21 million users was put up for sale after it was stolen from three free VPN apps with over 100,000 million total installs. 

The data contained detailed user credentials, such as full names, usernames, country names, email addresses, payment-related data, device serial numbers, and device IDs. The malefactor claimed that they were able to scrape publicly available databases because VPN providers had allegedly left “default database credentials in use”.

Most recently, a free VPN app catering predominantly to Chinese users was caught leaking personal data, including IP addresses, IDs, and domain names. In July 2022, researchers at Cybernews came across a database containing 626GB of connection logs belonging to the VPN. The leaked data could be used to de-anonymize the users. Moreover, the VPN’s Android app was requesting access to the camera, audio recording, and contacts and could potentially function as “spyware,” according to the researchers.

The fact that a VPN is logging data may not be spelled out in its privacy policy. Moreover, even if a VPN claims that it has a strict no-log policy it does not mean that it follows it. Ultimately, it all comes down to whether a developer is trustworthy enough for you to believe its marketing pitch.

Malware and fakes 

If you thought there were no more lows for unscrupulous apps to stoop to then, unfortunately, you’d be wrong. In addition to leaking logged data, some free VPN apps may potentially infect your smartphone with malware, or, even worse, squeeze you dry.

Several years ago, researchers discovered a fake VPN that could be downloaded through a spoof website designed to look exactly like the real deal. The app was a data-stealing malware that could steal user credentials and cryptocurrency, among other things.

Independent studies have also shown that threat actors can bypass moderation in trusted app stores and plant fake VPNs there. Researchers have recently discovered another fake VPN app that was available for download on the Google Play Store and was attributed to a known hacker group. The app was allegedly created for a phishing scam and was designed to resemble the legitimate app of the same name.   


Safe free VPNs do exist 

Reliable and reputable free VPNs do exist – and the developers behind popular paid options often offer free versions. However, they usually come with significant limits. Think fewer servers to choose from, less bandwidth, and stingy monthly data caps.

While this is a great way to test a VPN out, it’s hardly a long-term solution unless you use a VPN sporadically. For instance, you can use AdGuard VPN on 2 devices at the same time for free, but the speed limit will be set to 20 Mbps and the traffic will be capped at 3 GB a month.

Since the number of servers that are available for free is also usually strictly limited, they can be too crowded at any given time to accommodate everybody at a reasonable speed. Therefore, the connection may end up lagging.

How to make sure you’re on the safe side 

If you are not ready to buy a subscription just yet, here are several rules to follow when choosing a free VPN:

- Use a VPN app from a trusted developer.
- Read a VPN’s privacy policy and Terms of Service (TOS) before downloading it.
- Remember: a huge number of downloads and positive reviews do not necessarily mean that a particular VPN is safe. Most users have low expectations for free VPNs and are already satisfied if they allow them to access some geo-blocked content without throttling their internet connection too much. Moreover, some of the most popular free VPNs are known to have been sharing user data with third parties, which has done little to curb their popularity.
- Pay attention to the permissions required by the app. Normally, a VPN does not need access to your contacts, and if it does – then something may be phishy.
- Check a VPN app for trackers. They may be rather benign or not. You can follow the instructions in our previous article to check a VPN app for trackers on your own.