Downloading any old free VPN from Android's Play Store or the App Store can be problematic. Data harvesting, leaks and logging are just the start
We're used to trading our data to get internet services for free. But even if you're happy to swap your data and advertising views for email, cloud storage or image optimisation, you might want to think again before picking a free Virtual Private Network (VPN) service at random from the Play Store or App Store.
When you connect to a VPN, an encrypted tunnel is created between your computer and an endpoint server, giving you a new IP address — potentially in another country — and ensuring that your internet traffic can't be deciphered by your ISP or the administrator of your local network. But many free VPNs don't work as they're supposed to, leaking data and even actively spying on their users.
"The three biggest threats when it comes to free VPN mobile apps are data harvesting; incomplete protection; and corner-cutting in development that potentially leads to vulnerabilities," says Simon Migliano, head of research at Top10VPN.com.
While mainstream commercial VPN providers such as Windscribe, TunnelBear and ProtonVPN provide free tiers as a loss leader to promote their commercial services or even as a public good, they're a long way from the ad-funded, mobile-focused services that most often crop up in reports of data harvesting and mishandling.
In short, a lot. In July 2020, UFO VPN, a provider based in Hong Kong which claims that it keeps no logs of user activity, was discovered by Comparitech researchers to be storing user logs, access records and plain-text passwords in an openly accessible database.
After it was initially secured, the database was re-exposed just days later. Following initial assurances from UFO VPN that it had been "fixed", Comparitech editor Paul Bischoff says he hasn't heard from UFO VPN since, even after the re-exposure of user data.
UFO VPN — along with seven sibling firms identified by researchers at VPN Mentor, all linked to a company called Dreamfii HK Limited — offers both paid and free VPN services, but is best known for its advertising-funded free VPN services. It claims there are "no logs, no monitoring" of user activity — something the breach disproves. UFO VPN had not responded to a request for comment by the time of publication.
"We always advise readers against using free VPN services because they tend to have less robust security and privacy policies," Comparitech's Bischoff adds. "Many of them collect user data that can be used to drive advertising revenue, which defeats the purpose of using a VPN for privacy. UFO VPN just happened to accidentally expose its data."
While it's relatively rare for this kind of non-contractual storing and mishandling of data to be so dramatically revealed, many free mobile VPNs have poor or non-existent data handling policies, one of a range of issues highlighted in a 2019 analysis by Top10VPN.
And privacy with a free VPN isn't a given, either. Migliano says that a misconfigured VPN can leak information about your online activities, even if it's successfully changed your IP address: "When we first tested the 150 top Android VPNs last year, as many as 25 per cent suffered these leaks and while the situation has greatly improved, almost one in ten continued to leak in our follow-up tests."
This includes Hola VPN, which has over 50 million installs on Android. "Given the very high turnover of VPN apps in the app stores," Migliano says, "it's a bit of a lottery as to whether your new VPN will actually keep your browsing activity private from your ISP."
Top10VPN has also found that many free VPN apps use generic third-party components to implement common app features, but fail to remove intrusive permissions and functions, including those relating to a device's camera, microphone and GPS tracking.
Where your VPN is based is hugely important, as local laws dictate what data governments and law enforcement may be able to access. In June this year Top10VPN highlighted several free VPN providers with troubling privacy and security records based in China or Hong Kong, pointing to recent changes to Hong Kong's security laws that require user activity logs to be retained by service providers.
Hong Kong previously had no data retention laws in place. However, Migliano and his team found that many Hong Kong-based VPNs are — and were — owned by Chinese companies, which he says "raises questions about how these apps can continue to operate if they are not compromised in some way, such as by sharing their users' browsing data with the authorities."
It's because of data retention laws in places such as Hong Kong, the UK, Russia and Ireland that many privacy-oriented VPN providers are legally headquartered in places such as Panama and the British Virgin Islands, which are also not part of international government surveillance and intelligence-sharing agreements, such as the "Fourteen Eyes" alliance.
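One way to check for the permission bloat described above, as an added example that is not from the article or from Top10VPN's research: parse an app's AndroidManifest.xml and flag the camera, microphone and location permissions a VPN client has no need for. The baseline set of expected permissions and the sample manifest are assumptions constructed for this example.

```python
"""Audit an Android manifest's requested permissions against what a VPN client
needs. Added example (not the article's or Top10VPN's); the manifest is constructed."""
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# Permissions a tunnelling VPN client plausibly needs (assumed baseline).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Camera, microphone and GPS: the categories the research above found left in
# by generic third-party components. A VPN has no reason to request these.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
}

# Constructed sample manifest imitating an ad-funded VPN that bundled a
# generic SDK and never trimmed its permission list.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every permission name declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def audit(manifest_xml: str) -> dict[str, list[str]]:
    """Classify requested permissions: sensitive, other unexpected, expected."""
    perms = requested_permissions(manifest_xml)
    sensitive = sorted(f"{p} ({SENSITIVE[p]})" for p in perms if p in SENSITIVE)
    unexpected = sorted(p for p in perms - EXPECTED if p not in SENSITIVE)
    return {"sensitive": sensitive, "unexpected": unexpected,
            "expected": sorted(perms & EXPECTED)}
```

Anything in the "sensitive" bucket is a red flag for a VPN app; the "unexpected" bucket lists everything else the baseline does not explain and is worth reading alongside the app's privacy policy.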
Data retention requirements in countries such as the UK have led to logs being handed over to law enforcement, but even for the most law-abiding VPN user, the very existence of logs leads to the possibility of having your activity data exposed, as we saw with UFO VPN.
It's for this reason that VPN companies that have had servers seized, only to reveal no user activity logs, such as ExpressVPN and Perfect Privacy, are regarded as the best choices for privacy. Other privacy-focused providers maintain transparency reports logging law enforcement data requests, and third-party audits of logging, security and privacy policies are also increasingly popular in the sector.
In some cases, the VPN service's exploitative behaviour is the point, and you can't necessarily trust the big names, either, particularly if VPNs or information security aren't their usual areas of business.
Facebook — which has now discontinued its VPN offerings — was notorious for this, with its Onavo Protect VPN, closed in 2018, and Facebook Research VPN, shuttered in 2019. Both harvested data about their users and what they were looking at online.
Previously a privacy-oriented VPN, Onavo promised browsing protection while collecting mobile tracking data, while Facebook Research VPN explicitly monitored activity, giving $20 a month to participants as young as 13.
Public exposure ended both services, but in March 2020, Android app analytics platform Sensor Tower was caught using free VPN apps to capture data about what apps users had installed on their phones.
They're not the only examples either. A 2014 TechCrunch report observed that rival analytics firm App Annie's Smart Sense subsidiary produced a VPN app — the now-defunct VPN Defender — to carry out the same kind of inventory of users' installed apps. The App Annie Basics software label, formerly Distmo, has been suggested by TechCrunch as another likely data harvesting vector. Its apps include the popular Astro File Manager, as well as Phone Guardian Mobile Security & VPN protection.
When smartphone users' installed apps and habits are logged by intrusive apps, this valuable market data is then sold on to developers, publishers and others in the app publishing space.
If you're using a VPN for security, then turning to an unknown service provider with no transparency policy as a purportedly more secure alternative to your usual ISP is a poor move. Remember that you're effectively choosing a different company that'll be able to see all your activities instead of whoever supplies your broadband.
Even if you just want to switch regions for a quick look at what US Netflix viewers get to see, it's important to think first about exactly what other data about you, your phone and your activities you might be giving to whom.
While the gold standard for privacy is a correctly configured VPN endpoint that you control, that's not practical for everyone, and non-exploitative commercial VPN services — even free ones — do exist.
Research is critical: we're here to help, with the WIRED guide to the best VPNs, but if you have specific concerns, make sure your VPN provider addresses them. Check their transparency pages and logging policies, and look at how they've handled legal actions and security issues in the past.
If you need a free VPN service in a hurry, Windscribe and ProtonVPN are our current recommendations, with solid track records for security and transparency, and will likely serve you better than a random selection from the Play Store's most popular or promoted list.