You know you need a VPN – a virtual private network that encrypts your internet traffic, protecting it from internet service providers who want to monetize it, and snoops on public Wi-Fi who want to spy on your online transactions. Or maybe you simply want to watch a bit of Netflix from back home while traveling abroad.
Luckily, there are hundreds of VPNs out there, and many of them are free. Bargain? Probably not.
It’s true that some free VPN services come from reputable antivirus companies or VPN providers that offer a free option as well as paid-for tiers. However, it’s worth taking a step back and considering what these services may really be offering.
Why you need to trust your VPN provider
Once you install a VPN, all your internet traffic is routed through the VPN provider’s servers. This traffic is encrypted from your internet service provider – who may otherwise sell it to advertisers – but all this means is that you’ve now shifted your trust from the ISP to the VPN provider.
Depending on how a VPN provider encrypts and stores its users’ internet histories – and what its terms of service state – it may be able to access your internet data, perhaps to monetize for advertising, or it may be based in a country where it can be legally obliged to turn data over to law enforcement.
With VPNs, the security risk is that the user information they may have access to includes web searches and browsing history – sensitive data that users may not want in the hands of advertisers or surveillance-happy governments.
“If you value your privacy, a free VPN solution is not your best option,” says Brian Anderson, security expert at Kaspersky Lab North America. “Some providers offer VPN software that is completely free of charge – but in that case, you are often paying for the VPN with your data, which is then sold to advertisers.”
How your sensitive data can be exploited
Of course, advertising is what makes most of the internet go. But VPNs have access to vast breadths of browsing history that can be turned towards purposes which aren’t exactly in users’ best interests.
One investigation by VPN reviews site Top10VPN (disclosure: I’m features editor there) found that of the top 30 most downloaded free VPN apps on Google Play and the App Store, over 85% had privacy policies that did not set out sufficient protections for user data. On Android alone, two-thirds of the 150 most installed free VPNs requested intrusive permissions, including the ability to track users’ locations. Several of the free VPNs are based in China, where the government has banned VPN use and additionally has the right to force any company to turn over their server data, suggesting users’ internet traffic is far from protected. Indeed, some of these VPN providers specifically note they will share data with the Chinese government.
Other free apps’ revenue model may verge on the shady. An investigation by Trend Micro found that the HolaVPN free service is not only unencrypted, but it exploits its users’ bandwidth by allowing individuals on an ad network called Luminati to route their traffic through users’ IP addresses – most likely to generate fake impressions for ads in order to boost revenue. Luminati turned out to be a sister company to Hola, and its users are primarily mobile advertisers, according to Trend Micro, as well as data scrapers, ad fraudsters and cybercriminals who masked themselves behind the IP addresses of HolaVPN users. What’s more, Hola’s terms and conditions neglected to state that when users installed Hola, they were also installing software from Luminati.
“There are always shady organizations or threat actors who will create apps purporting to be legitimate by disguising how the app works or building the app in a way to monetize the user’s data,” says Jon Clay, director of Global Threat Communications at Trend Micro. “We do not see this type of activity from legitimate vendors of VPN applications.”
Choosing a VPN you can trust
Studies suggest most of us don’t read privacy policies before merrily tapping on Agree. However, if you’re going to install an app or program that can view all your internet traffic, it’s a good idea to get a clear understanding of how your data might be used.
“With any free apps, you need to read the privacy policies to understand what information will be collected from you,” says Clay. This is doubly true for free VPN apps, which have access to sensitive data along with a more immediate incentive to monetize it in ways you may not necessarily be comfortable with.
When choosing a VPN – free or otherwise – look for these terms:
OpenVPN – This refers to the protocol used by the VPN to get online. “Avoid VPNs that use Point-to-Point Tunneling Protocol (PPTP) – it’s an old protocol, and widely considered insecure,” says Anderson. “By contrast, OpenVPN is a more modern VPN implementation, which is considered secure and reliable. Plus, it’s open source, so it’s frequently assessed for security holes.”
Permissions – If you’re using a VPN app on your phone, chances are it’ll request permissions upon installation. Some, like the ability to access your browsing history, are necessary for the VPN to function; others, such as your location, device identification, call log, camera or mic, are a signal that the provider is collecting far more data than needed.
Zero-logs or no logging – This means a provider does not store users’ traffic or connection metadata such as IP address and connection times. This is generally considered the gold standard of security. “The safest provider is one that doesn’t log data at all,” says Anderson.
The site Restore Privacy has a list of VPNs whose “no logs” statuses have been proven in real-world scenarios when attempts by law enforcement to seize data were thwarted by the lack of data available. Two of our favorite paid services have successfully proven their "no logs" claims: NordVPN (disclosure, Techlicious has an affiliate relationship with NordVPN) and ExpressVPN.
Can any free VPNs be trusted?
Some reputable VPN providers offer a free version of their VPN, which may come with a data limit or a reduced feature set. “This is a good way to test out different VPNs and find the one that works best for your needs,” says Anderson.
Freemium services such as TunnelBear (free for 500MB) and HotspotShield (free for limited bandwidth) fall under this category: both offer a free tier where users can route a certain amount of traffic via their VPN. These data limits don’t support streaming media or much beyond casual browsing; users can instead pay for a premium subscription. Such free services can be more secure since the providers have other revenue streams besides monetizing user data.
“There are many legitimate vendors of free VPNs and freemium services whose app will do what they say it will do. The only challenge with these free items is that they are likely to require you to give up some information to them or allow ads to run within the app,” says Clay. “If you are OK with these, then you could use them.”
When it comes to choosing a secure VPN, “it’s good to look for players that are established in the market,” says Anderson. “Companies that have been in the VPN business for longer have had more opportunities to discover bugs and increase the reliability of their software.”
Trusted reviews sites can be a good resource for VPNs – free and paid-for – that have solid privacy credentials. Windscribe, for instance, is well-reviewed and offers a “minimal logs” policy plus 10GB of data per month, which is more generous than most free services. It also offers a paid-for tier with unlimited bandwidth.
You can take advantage of the 30-day free trials that the vast majority of VPNs offer before committing. Monthly fees can be as low as a few dollars a month for top-rated VPNs, especially for subscriptions of a year or more – a decent exchange for a fast internet connection that secures financial transactions and private data.
“With VPNs, the challenge is that they are performing a much-needed security function,” says Clay. “If you aren’t getting that security you could be setting yourself up for potential compromise.”