Research carried out by Surfshark reveals that the terms and conditions applied by most free VPN businesses mean that anyone who signs up can jeopardize a lot more than just their browsing history.
Among the most common hidden ways free VPNs generate profit are tracking users’ online activities and sharing that data with third parties, as well as selling users’ bandwidth to data mining companies. Moreover, the research shows that apps often don’t specify what technologies they use to ensure users’ privacy and security.
“Operational transparency of free VPNs is usually kept under lock, while their privacy policies deliberately make it difficult to understand how they monetize products and services to generate profit,” says Naomi Hodges, a cybersecurity expert at Surfshark.
“However, it is clear that free VPN services are the biggest culprits of data abuse, as they have built a profitable business model by selling user information to the highest bidders. It means anyone can purchase their users’ data, including government authorities or agencies.”
The issue is particularly relevant in parts of the world where governments impose limits on internet access. For example, the Indian government has only recently restored a 2G mobile internet connection in Jammu and Kashmir with a ‘whitelist’ of 301 approved websites. Surfshark’s analysis shows that, out of the 16 most popular VPN apps, 13 log users’ information, and a vast majority share it with third parties.
Tracking online activity for targeted advertising
11 out of the 16 analyzed apps contain ads, which reduces the chances of not being tracked to nearly zero. If an app is ad-supported, it usually means developers can gather data points about users’ online activity for targeted advertising.
For instance, the relatively popular app Thunder VPN contains ads, but claims to “not log or track user data.” However, on the same Privacy Policy page, the service contradicts itself by stating that “When you use our app we may collect the following information: IP address, Internet service provider, OS version, the language of the device, app identifier, app version, independent device identifier, ad identifier, device manufacturer and model.”
Sharing data with third parties
The vast majority of free VPNs collect users’ data themselves. They then analyze this data and provide it to unknown third parties that use it to segment customers into profiles. In some cases, however, free VPN service providers allow third parties to access their customer base directly.
For example, TurboVPN, operated by three closely related companies based in Singapore with links to mainland China, has more than 100,000,000 Google Play installs. It claims to be a no-logs VPN, but its privacy policy openly admits that third parties can set independent tracking libraries on its product: “advertising partners may set and access their cookies, pixel tags, and similar technologies on our services.”
Relatedly, Psiphon’s Privacy Policy admits that it tracks users’ browsing history and shares access to it with third parties: “Our advertising partners use cookies to enable them and their partners to serve ads based on your usage data.”
Selling users’ bandwidth
Hola VPN allows browsing the internet using the connections of other Hola users. People throw their IP addresses into a pool for other users to use as they please, which means those users might be easily exposed to malware. If somebody acts maliciously through this network, they might harm the wellbeing of innocent people. Furthermore, this free VPN service has one of the most intrusive logging policies: it reserves the right to track the web pages its users visit, the time spent on those pages, or phone usage patterns. In addition, Hola VPN states that it “may also transfer or disclose Personal Information to our subsidiaries, affiliated companies.”
“The fact that your personal information could be sold to third-parties is usually written on the privacy policy page, but most people don’t read them. Having that in mind, we have conducted this technical analysis, which could help users more easily identify untrustworthy service providers,” says Naomi Hodges.
Free VPN apps analyzed in the research by Surfshark include:
1. X-VPN (China)
Logged data:
- Email/social media account information
- Used servers
- Connection time stamps
- Choice of the protocol
- Network type and error reports
- Device information
- App version
- Data usage and geographics (city-level)
- Payment method
- Transaction ID (or reference ID)
- Other timestamps
- Sites visited via their servers from all users
2. Turbo VPN (Singapore & China)
Logged data:
- Diagnostic information
- Internet service provider
- Geographics (country-level)
- Choice of server location
- Speed test data
- Crash reports
- App version
- VPN connection
- Data usage
- Advertising partners may set and access their cookies, pixel tags, and similar technologies on services
- They may otherwise collect or have access to information about its users (which they may collect over time and across different online services).
3. Secure VPN (Hong Kong)
Logged data:
- Billing and email address
- Payment information
- IP address
- Internet service provider
- Operating system versions
- Language of the device
- App identifier
- App version
- Independent device identifier
- Ad identifier
- Device manufacturer and model
- Email address
- The time zone and the network state (WiFi and so on)
- Times when connected to service
- Choice of server location and the total amount of data transferred per day.
4. BetterNet (USA)
Logged data:
- IP address
- Amount of data transferred
- Times when connected to service
- Information from and about the device the user uses to access services
- Device identifiers
- Browser types
- Device types and settings
- Operating system versions
- Mobile, wireless, and other network information (such as internet service provider name, the carrier name and signal strength)
- Application version numbers
- Nature of the requests that the user makes to servers
- Timestamps, and referring URLs
- Approximate location based on IP address
5. Touch VPN (USA)
Logged data:
- IP address
- Amount of data transferred
- Times when connected to service
- Information from and about the device the user uses to access services
- Device identifiers
- Browser types
- Device types and settings
- Operating system versions
- Mobile, wireless, and other network information (such as internet service provider name, the carrier name and signal strength)
- Application version numbers
- Nature of the requests that the user makes to servers
- Timestamps, and referring URLs
- Approximate location based on IP address
6. Hotspot Shield VPN (USA)
Logged data:
- IP address
- Amount of data transferred
- Times when connected to service
- Information from and about the device the user uses to access services
- Device identifiers
- Browser types
- Device types and settings
- Operating system versions
- Mobile, wireless, and other network information (such as internet service provider name, the carrier name and signal strength)
- Application version numbers
- Nature of the requests that the user makes to servers
- Timestamps, and referring URLs
- Approximate location based on IP address
7. Ultrasurf (USA)
Logged data:
- Clickstream information
- Browser type
- Time and date
- The subject of advertisements clicked (or scrolled over) during user visits to this and other websites, used to provide ads
- IP address
- Number of links the user clicks within the site
- Times when connected to service
- Web page from which the user linked to the Ultrasurf site
- Pages viewed on the site
8. Psiphon Pro (Canada)
Logged data:
- Connection timestamps
- Region codes (country and city)
- Chosen connection protocol
- Session count and duration
- Total bytes transferred and bytes transferred for some specific domains
9. DroidVPN (Philippines)
Logged data:
- Connection time and date
- IP address
- Duration of connections
- Consumed bandwidth
10. Thunder VPN (USA)
Logged data:
- IP Address
- ISP (Internet Service Provider)
- Operating system version
- Language of the device
- App identifier
- App version
- Independent device identifier
- Ad identifier
- Device manufacturer and model
- Email address
- Time zone
- Network state (WiFi)
- Times when connected to our service
- Choice of server location
- The total amount of data transferred per day
11. Hola VPN (Israel)
Logged data:
- Browser type
- Web pages user visits
- Time spent on visited pages
- Access times and dates
- IP address
- User’s name
- Email address
- Screen name
- Payment and billing information
- Installed applications: details of applications that are installed on the user’s device
- When a user registers through social network accounts (e.g., Facebook, Google+), Hola VPN gains access to the user’s basic information such as full name, home address, email address, birth date, profile picture, friends list, personal description, as well as any other information made publicly available.
12. Your Freedom (Germany)
Logged data:
- Type of tunnel (mode, parameters)
- Source of IP address
- Data connections established
- Timestamp
- Account name
- Referrer
- The duration of connection (time between login and logout events)