Many organizations use Virtual Private Networks (VPNs) to connect their remote users and facilities to their internal networks. The VPN encrypts the traffic so that spies can’t read it as it traverses the Internet. At the Naval Postgraduate School, where I work, students and faculty can install VPN software on their personal devices that lets them access files and services on the school’s internal network.
In addition to their role in network security, VPNs are powerful tools for individual privacy and freedom on the Internet, my focus here. They let you visit sites anonymously, as the sites see only the source address of your VPN provider. To an outside observer, such as a government monitoring the Internet, the only site you access is that of your provider.
VPNs also let you skirt around blockades installed by countries that censor what their users can access. For this reason, VPNs are banned or regulated in several countries that restrict freedom of speech. China, for example, has banned VPNs that let individuals access international sites blocked by China’s Great Firewall. Only government-approved VPNs can be used in Iran.
VPNs and Users’ Data
Unfortunately, these VPNs also pose a huge risk. A VPN provider could track your Internet activity and then release, sell or misuse that data. It can log which sites you visit and record the contents of communications that are not end-to-end encrypted. It is likely that government-approved VPNs in countries such as Iran log user data and turn it over to their governments when asked.
Even if a VPN provider has a strong privacy policy, the government of the country with jurisdiction over the provider can demand access to your data. While the provider could attempt to thwart this by not keeping long-term records, governments can require that providers retain user data for a specified period. Further, even if there are no past logs, a government can demand that your future accesses be logged and given to the government.
A malicious VPN provider could also send you to a fake site posing as the one you thought you were visiting. The fraudulent site might then acquire your login credentials and other sensitive data, or deliver malicious code to your computer or phone.
Harvesting Information
The VPN software running on your device could also contain malicious code. One study found that 38 percent of VPN apps for Android devices were infected with some kind of malware or spyware. This malicious code might be used to blast you with unwanted ads. Or, it might harvest passwords, credit card data, and other sensitive information that can be sold on black markets. It might track all your activity, not just VPN usage, and exploit the data for profit.
The VPN app provider might not even intend to put malicious code in its app. In 2015, FireEye found over 4,000 apps in Apple’s App Store with malware. The app developers had unwittingly used a rogue version of Apple’s Xcode development kit that had been uploaded to a server in China used by Chinese app developers. The kit contained malware, which was transferred to the apps during development.
Because of these risks, it is important to select a VPN provider that is trustworthy. As a general rule, free apps are likely to be the riskiest, as the providers might seek to profit by selling or otherwise exploiting data they acquire by tracking their users. The security research firm Restore Privacy found that 75 percent of the 283 free VPN services they analyzed contained tracking possibilities.
Another study, by Metric Labs’ Top10VPN, examined 30 of the most popular free VPN apps in Apple’s App Store and Google Play. They found that 86 percent of the VPN providers had unacceptable privacy policies. Some had no policy at all, while others gave insufficient information about tracking and sharing of user data.
Although it was difficult to determine where most of the providers were located, the study found that 59 percent of them were either based in or backed by China. Some even admitted to sharing user data with China! And 83 percent of the providers failed to respond to customer support requests.
Choose Wisely
VPNs are worthwhile if you need to browse the Internet anonymously or circumvent censors – but only if you can find one that can be trusted to protect your privacy and keep you safe. Using a free app is dangerous and not advised.
The Electronic Frontier Foundation (EFF) offers several factors to consider when selecting a VPN provider, including whether it has a history of being trustworthy and an explicit privacy policy to not log user traffic. The EFF also provides links to two sources that might be useful.
The first, That One Privacy Site, provides guidance for selecting a VPN provider as well as a comparison of 185 VPNs regarding privacy, technical, and business factors. The second, Torrent Freak, offers a list of questions to ask a potential VPN provider. It then gives the responses they received to these questions from various providers.
I cannot attest to the quality of the data offered by either of these, but they seem like a good place to start.