A VPN is supposed to keep you safe online. But what if the VPN itself is compromised?
Free and bundled VPNs aren’t always all they’re cracked up to be. And even high-end VPN providers can present privacy issues of their own.
Why does it matter if your VPN spies on you?
A VPN that collects your data has to store that data somewhere. Even if it does nothing with it, that could well be sensitive business data that you now don’t have control over. It can be hacked, leaked, lost or sold as an asset if the company gets bought.
If you’re using a VPN to get privacy and security, you should expect to get privacy and security. Bottom line.
And if they’re collecting it, odds are they’re not just sitting on it. They’re probably breaking it up, collating it and selling it to advertisers and others, meaning your information is out there all over the web, in potentially shady hands and way beyond your control.
Let’s check it out.
When your VPN is free…
Everyone’s heard the old gambler’s saw: If after three hands you don’t know who the mark is, you’re the mark.
By the same token, if something is provided to you for free by a profit-making entity, you’re not the customer. You’re the product.
Free VPNs fit this model to a T.
Ryan O’Leary, vice president of the Threat Research Center at WhiteHat Security in Santa Clara, California, explains: ‘The lower the cost of the app, the greater the chance they have security problems. At best, they are using ads to earn income. At worst, they are selling your private information.’
A recent study from Restore Privacy bore out O’Leary’s remarks. The study found that 75% of free VPNs contained tracking code, and the data thus obtained was sold to advertisers.
One of the most famous examples is free VPN HotspotShield. Offered to its estimated 500 million users as a way to make public wifi secure, HotspotShield claims to deliver ‘complete anonymity.’
But in fact, according to a complaint filed to the Federal Trade Commission by privacy nonprofit the Center for Democracy and Technology, HotspotShield doesn’t just log; it injects code, tracks its users, and through third-party partnerships and in many other ways violates its users’ privacy.
When your VPN comes courtesy of a company with a massive privacy problem
Some businesses supply VPN solutions as part of their wider offerings, or trade on their brand recognition to retail you additional tools that you could get a better, cheaper version of elsewhere. Norton’s deceptively-named VPN is a good example of this.
But what about when the company itself has a terrible rep for privacy?
Facebook brought out a VPN add-on a few months ago. Called Onavo, you can find it under ‘protect’ in your Facebook drop-down.
If you’re thinking that’s a bit like Marlboro making cough syrup, you’re absolutely right. Worse, the app itself is a privacy nightmare.
As VPNAdviser’s James Roth points out, the only entity that can see your traffic when you use a VP is the VPN itself, which is fine if your VPN is reliable; but ‘if Facebook built it, it probably isn’t.’
In fact, as Apple’s John Gruber points out, ‘this is spyware. If you use Onavo, Facebook can and will track everywhere you go on the internet,’ including all your mobile usage data.
When your no-logs premium VPN keeps logs
Premium VPN services typically say they don’t keep logs. Dig into their privacy policies, though, and most keep some logs, while many keep a genuinely dangerous quantity of user data. There have even been cases of VPNs surrendering to law enforcement data that, according to their privacy statements, they could never have had in the first place.
With that in mind, it makes sense to look for a premium VPN that:
- Is located in a jurisdiction where it can’t be forced to keep logs or surrender them
- Has been and is likely to be, under the same ownership (it was when IPVanish was bought out in 2017 that it may have begun keeping logs)
- Is well-thought-of by privacy advocates.
Ultimately you have to shop around for yourself, and remember that free or bundled choices are almost always going to be unsatisfactory.