Can You Trust a Free VPN?

by on March 19, 2019
in Internet & Networking, Computers and Software, Computer Safety & Support, Tips & How-Tos, Privacy :: 3 comments

Techlicious editors independently review products. To help support our mission, we may earn affiliate commissions from links contained on this page.

You know you need a VPN – a virtual private network that encrypts your internet traffic, protecting it from internet service providers who want to monetize it, and snoops on public Wi-Fi who want to spy on your online transactions. Or maybe you simply want to watch a bit of Netflix from back home while traveling abroad.

Luckily, there are hundreds of VPNs out there, and many of them are free. Bargain? Probably not.  

It’s true that some free VPN services come from reputable antivirus companies or VPN providers that offer a free option as well as paid-for tiers. However, it’s worth taking a step back and considering what these services may really be offering.

Why you need to trust your VPN provider

Once you install a VPN, all your internet traffic is routed through the VPN provider’s servers. This traffic is encrypted from your internet service provider – who may otherwise sell it to advertisers – but all this means is that you’ve now shifted your trust from the ISP to the VPN provider.

Depending on how a VPN provider encrypts and stores its users’ internet histories – and what its terms of service state – it may be able to access your internet data, perhaps to monetize for advertising, or it may be based in a country where it can be legally obliged to turn data over to law enforcement.

With VPNs, the security risk is that the user information they may have access to includes web searches and browsing history – sensitive data that users may not want in the hands of advertisers or surveillance-happy governments.

“If you value your privacy, a free VPN solution is not your best option,” says Brian Anderson, security expert at Kaspersky Lab North America. “Some providers offer VPN software that is completely free of charge – but in that case, you are often paying for the VPN with your data, which is then sold to advertisers.”

How your sensitive data can be exploited

Of course, advertising is what makes most of the internet go. But VPNs have access to vast breadths of browsing history that can be turned towards purposes which aren’t exactly in users’ best interests.

One investigation by VPN reviews site Top10VPN (disclosure: I’m features editor there) found that of the top 30 most downloaded free VPN apps on Google Play and the App Store, over 85% had privacy policies that did not set out sufficient protections for user data. On Android alone, two-thirds of the 150 most installed free VPNs requested intrusive permissions, including the ability to track users’ locations. Several of the free VPNs are based in China, where the government has banned VPN use and additionally has the right to force any company to turn over their server data, suggesting users’ internet traffic is far from protected. Indeed, some of these VPN providers specifically note they will share data with the Chinese government.

Other free apps’ revenue model may verge on the shady. An investigation by Trend Micro found that the HolaVPN free service is not only unencrypted, but it exploits its users’ bandwidth by allowing individuals on an ad network called Luminati to route their traffic through users’ IP addresses – most likely to generate fake impressions for ads in order to boost revenue. Luminati turned out to be a sister company to Hola, and its users are primarily mobile advertisers, according to Trend Micro, as well as data scrapers, ad fraudsters and cybercriminals who masked themselves behind the IP addresses of HolaVPN users. What’s more, Hola’s terms and conditions neglected to state that when users installed Hola, they were also installing software from Luminati.

“There are always shady organizations or threat actors who will create apps purporting to be legitimate by disguising how the app works or building the app in a way to monetize the user’s data,” says Jon Clay, director of Global Threat Communications at Trend Micro. “We do not see this type of activity from legitimate vendors of VPN applications.”

Choosing a VPN you can trust

Studies suggest most of us don’t read privacy policies before merrily tapping on Agree. However, if you’re going to install an app or program that can view all your internet traffic, it’s a good idea to get a clear understanding of how your data might be used.

“With any free apps, you need to read the privacy policies to understand what information will be collected from you,” says Clay. This is doubly true for free VPN apps, which have access to sensitive data along with a more immediate incentive to monetize it in ways you may not necessarily be comfortable with.

When choosing a VPN – free or otherwise – look for these terms

OpenVPN – This refers to the protocol used by the VPN to get online. “Avoid VPNs that use Point-to-Point Tunneling Protocol (PPTP) – it’s an old protocol, and widely considered insecure,” says Anderson. “By contrast, OpenVPN is a more modern VPN implementation, which is considered secure and reliable. Plus, it’s open source, so it’s frequently assessed for security holes.”

Permissions – If you’re using a VPN app on your phone, chances are it’ll request permissions upon installation. Some, like the ability to access your browsing history, are necessary for the VPN to function; others, such as your location, device identification, call log, camera or mic, are a signal that the provider is collecting far more data than needed.

SuperVPN Free VPN Client permissions

Zero-logs or no logging – This means a provider does not store users’ traffic or connection metadata such as IP address and connection times. This is generally considered the gold-standard of security. “The safest provider is one that doesn’t log data at all,” says Anderson.

Data collection – Scan the privacy policy for this term to make sure you know what types of information will be gathered and stored. For example, a VPN may not log usage data such as websites visited, but it may track metadata including IP address, session durations or connection times, which could be used to identify users to law enforcement. When ExpressVPN and Perfect Privacy servers were seized by police, the providers did not and could not offer any information on which IP addresses were in use by the subjects of an investigation. 

All this said, however, a privacy policy may not necessarily reflect what providers actually do – even for paid-for VPNs. Some providers have marketed themselves with the term ‘no-logs’ when in fact they are logging connection data, for example. This may be written as “no usage logs” or simply “no logs” coupled with a line or two about the “connection and bandwidth data” that will be collected. While the collection of such metadata isn’t necessarily an issue, the fact that a provider is not being fully transparent should raise a red flag.

The site Restore Privacy has a list of VPNs whose “no logs” statuses have been proven in real-world scenarios when attempts by law enforcement to seize data were thwarted by the lack of data available. Two of our favorite paid services have successfully proven their “no logs” claims: NordVPN (disclosure, Techlicious has an affiliate relationship with NordVPN) and ExpressVPN.
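The Permissions check described above can be run against an Android app's decoded AndroidManifest.xml; this is an added example, not code from the original article. The sample manifest, the package name com.example.freevpn, the mapping of the article's categories to Android permission names and the baseline of expected VPN permissions are constructed or assumed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the article's over-collection categories -> Android permissions.
INTRUSIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device identification",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}
# Assumed baseline of what a VPN client needs in order to function.
EXPECTED = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.FOREGROUND_SERVICE"}

# Constructed sample: decoded manifest of a hypothetical free VPN app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""


def audit_manifest(xml_text):
    """Sort requested permissions into expected, intrusive and unreviewed."""
    root = ET.fromstring(xml_text)
    requested = set()
    # Both tags declare permissions; the -sdk-23 form applies on Android 6.0+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    intrusive = {}
    for name in sorted(requested & set(INTRUSIVE)):
        intrusive.setdefault(INTRUSIVE[name], []).append(name)
    return {
        "expected": sorted(requested & EXPECTED),
        "intrusive": intrusive,  # category -> permission names
        "unreviewed": sorted(requested - EXPECTED - set(INTRUSIVE)),
    }
```

An APK stores its manifest as binary XML, so it has to be decoded to text before this parser can read it.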

Can any free VPNs be trusted?

Some reputable VPN providers offer a free version of their VPN, which may come with a data limit or a reduced feature set. “This is a good way to test out different VPNs and find the one that works best for your needs,” says Anderson.

Freemium services such as TunnelBear (free for 500MB) and HotspotShield (free for limited bandwidth) fall under this category: both offer a free tier where users can route a certain amount of traffic via their VPN. These data limits don’t support streaming media or much beyond casual browsing; users can instead pay for a premium subscription. Such free services can be more secure since the providers have other revenue streams besides monetizing user data.

“There are many legitimate vendors of free VPNs and freemium services whose app will do what they say it will do. The only challenge with these free items is that they are likely to require you to give up some information to them or allow ads to run within the app,” says Clay. “If you are OK with these, then you could use them.”

You might also come across a free VPN bundled with a paid-for privacy tool such as a password manager. For instance, Dashlane offers VPN service included in their Premium ($5 per month billed annually) and Premium Plus subscription tiers. Since there’s a clear revenue model – the password manager subscription for example – chances are the VPN provider won’t depend on users’ traffic for monetization. However, the only way to be sure is to dig into those terms and conditions and read the privacy policy.

When it comes to choosing a secure VPN, “it’s good to look for players that are established in the market,” says Anderson. “Companies that have been in the VPN business for longer have had more opportunities to discover bugs and increase the reliability of their software.”

Trusted reviews sites can be a good resource for VPNs – free and paid-for – that have solid privacy credentials. Windscribe, for instance, is well-reviewed and offers a “minimal logs” policy plus 10GB of data per month, which is more generous than most free services. It also offers a paid-for tier with unlimited bandwidth.

You can take advantage of the 30-day free trials that the vast majority of VPNs offer before committing. Monthly fees can be as low as a few dollars a month for top-rated VPNs, especially for subscriptions of a year or more – a decent exchange for a fast internet connection that secures financial transactions and private data.

“With VPNs, the challenge is that they are performing a much-needed security function,” says Clay. “If you aren’t getting that security you could be setting yourself up for potential compromise.” 

[Image credit: VPN use on smartphone via BigStockPhoto]



Use with ChromeBook

From Jim on March 19, 2019 :: 2:15 pm

How do you use a VPN if you use a ChromeBook and gmail?

Many have Chrome versions

From Josh Kirschner on March 19, 2019 :: 9:59 pm

Many of the VPN services, such as NordVPN listed above, have Chrome versions.

Nordvpn

From Ghostanswer on July 23, 2019 :: 9:02 am

Billions of people were affected by data breaches and cyber attacks in 2018, and I think it continues to escalate even more in 2019. I suggest a few simple tips to protect yourself and your personal information: update your software, use a trustful VPN (I also recommend NordVPN), use a unique password, and never open suspicious emails.
