Downloading any old free VPN from Android’s Play Store or the App Store can be problematic. Data harvesting, leaks and logging are just the start

K.G Orphanides

We’re used to getting internet services for free. But even if you’re happy to swap your data and advertising views for email, cloud storage or image optimisation, you might want to think again before picking a free Virtual Private Network (VPN) service at random from the Play Store or App Store.

When you connect to a VPN, an encrypted tunnel is created between your computer and an endpoint server, giving you a new IP address – potentially in another country – and ensuring that your internet traffic can’t be deciphered by your ISP or the administrator of your local network. But many free VPNs don’t work as they’re supposed to, leaking data and even actively spying on their users.

“The three biggest threats when it comes to free VPN mobile apps are data harvesting; incomplete protection; and corner-cutting in development that potentially leads to vulnerabilities,” says Simon Migliano, head of research at Top10VPN.com.

While mainstream commercial VPN providers such as Windscribe, TunnelBear and ProtonVPN provide free tiers as a loss leader to promote their commercial services or even as a public good, they’re a long way from the ad-funded, mobile-focused services that most often crop up in reports of data harvesting and mishandling.

In short, a lot. In July 2020, UFO VPN, a provider based in Hong Kong which claims that it keeps no logs of user activity, was discovered by Comparitech researchers to be storing user logs, access records and plain-text passwords in an openly accessible database.

After it was initially secured, the database was re-exposed just days later. Following initial assurances from UFO VPN that it had been “fixed”, Comparitech editor Paul Bischoff says he hasn’t heard from UFO VPN since, even after the re-exposure of user data.

UFO VPN – along with seven sibling firms identified by researchers at VPN Mentor, all linked to a company called Dreamfii HK Limited – offers both paid and free VPN services, but is best known for its advertising-funded free VPN services. It claims there are “no logs, no monitoring” of user activity – something the breach disproves. UFO VPN had not responded to a request for comment by the time of publication.

“We always advise readers against using free VPN services because they tend to have less robust security and privacy policies,” Comparitech’s Bischoff adds. “Many of them collect user data that can be used to drive advertising revenue, which defeats the purpose of using a VPN for privacy. UFO VPN just happened to accidentally expose its data.”

While it’s relatively rare for this kind of non-contractual storing and mishandling of data to be so dramatically revealed, many free mobile VPNs have poor or non-existent data handling policies, among a range of issues highlighted in 2019 analysis by Top10VPN.

And privacy with a free VPN isn’t a given, either. Migliano says that a misconfigured VPN can leak information about your online activities, even if it’s successfully changed your IP address: “When we first tested the 150 top Android VPNs last year, as many as 25 per cent suffered these leaks and while the situation has greatly improved, almost one in ten continued to leak in our follow-up tests.”

This includes Hola VPN, which has over 50 million installs on Android. “Given the very high turnover of VPN apps in the app stores,” Migliano says, “it’s a bit of a lottery as to whether your new VPN will actually keep your browsing activity private from your ISP.”

Top10VPN has also found that many free VPN apps use generic third-party components to implement common app features, but fail to remove intrusive permissions and functions, including those relating to a device’s camera, microphone and GPS tracking.

Where your VPN is based is hugely important – as local laws dictate what data governments and law enforcement may be able to access. In June this year Top10VPN highlighted several free VPN providers with troubling privacy and security records based in China or Hong Kong, pointing to recent changes to Hong Kong’s security laws that require user activity logs to be retained by service providers.

Hong Kong previously had no data retention laws in place. However, Migliano and his team found that many Hong Kong based VPNs are – and were – owned by Chinese companies, which he says “raises questions about how these apps can continue to operate if they are not compromised in some way, such as by sharing their users’ browsing data with the authorities.”

It’s because of data retention laws in places such as Hong Kong, the UK, Russia and Ireland that many privacy-oriented VPN providers are legally headquartered in places such as Panama and the British Virgin Islands, which are also not part of international government surveillance and intelligence-sharing agreements, such as the ‘Fourteen Eyes’ alliance.

Data retention requirements in countries such as the UK have led to logs being handed over to law enforcement, but even for the most law-abiding VPN user, the very existence of logs leads to the possibility of having your activity data exposed, as we saw with UFO VPN.

It’s for this reason that VPN companies that have had servers seized, only to reveal no user activity logs, such as ExpressVPN and Perfect Privacy, are regarded as the best choices for privacy. Other privacy-focused providers maintain transparency reports logging law enforcement data requests, and third-party audits of logging, security and privacy policies are also increasingly popular in the sector.

In some cases, the VPN service’s exploitative behaviour is the point, and you can’t necessarily trust the big names, either, particularly if VPNs or information security aren’t their usual areas of business.

Facebook – which has now discontinued its VPN offerings – was notorious for this, with its Onavo Protect VPN, closed in 2018, and Facebook Research VPN, shuttered in 2019. Both harvested data about their users and what they were looking at online.

Previously a privacy-oriented VPN, Onavo promised browsing protection while collecting mobile tracking data, while Facebook Research VPN explicitly monitored activity, giving $20 a month to participants as young as 13.

Public exposure ended both services, but in March 2020, Android app analytics platform Sensor Tower was caught using free VPN apps to capture data about what apps users had installed on their phones.

They’re not the only examples either. A 2014 TechCrunch report observed that rival analytics firm App Annie’s Smart Sense subsidiary produced a VPN app – the now-defunct VPN Defender – to carry out the same kind of inventory of users’ installed apps. The App Annie Basics software label, formerly Distmo, has been suggested by TechCrunch as another likely data harvesting vector. Its apps include the popular Astro File Manager, as well as Phone Guardian Mobile Security & VPN protection.

When smartphone users’ installed apps and habits are logged by intrusive apps, this valuable market data is then sold on to developers, publishers and others in the app publishing space.

If you’re using a VPN for security, then turning to an unknown service provider with no transparency policy as a purportedly more secure alternative to your usual ISP is a poor move. Remember that you’re effectively choosing a different company that’ll be able to see all your activities instead of whoever supplies your broadband.

Even if you just want to switch regions for a quick look at what US Netflix viewers get to see, it’s important to think first about exactly what other data about you, your phone and your activities you might be giving to whom.

While the gold standard for privacy is a correctly configured VPN endpoint that you control, that’s not practical for everyone, and non-exploitative commercial VPN services – even free ones – do exist.

Research is critical: we’re here to help, with the WIRED guide to the best VPNs, but if you have specific concerns, make sure your VPN provider addresses them. Check their transparency pages, logging policies and look at how they’ve handled legal actions and security issues in the past.

If you need a free VPN service in a hurry, Windscribe and ProtonVPN are our current recommendations, with solid track records for security and transparency, and will likely serve you better than a random selection from the Play Store’s most popular or promoted list.


Source: https://www.wired.co.uk/article/free-vpn-android-ios-privacy

World news – US – Free VPNs are a privacy nightmare. You shouldn’t download them
