According to data from Freedom House’s 2017 Freedom on the Net report, which is based on an assessment of the status of Internet freedom in 65 countries, internet censorship is on the rise, and there has been an overall decline in global internet freedom for seven consecutive years now.

While we generally tend to imagine censorship to be more pronounced in third-world countries like Eritrea, a growing body of research is pointing to increasing censorship in developed regions like Europe.

Where it gets worse, however, is that systems that are supposedly used to bypass censorship are now posing more of a threat than the networks people are trying to use them to evade. Of particular note are free VPNs.

VPNs are generally regarded as a way to bypass censorship, both in developed and developing nations, and the concept of free VPNs has been generally alluring for two key reasons: First, privacy should be a basic human right, and it shouldn’t cost extra to enjoy this basic right. Any attempt to ensure free access to privacy should be commended, and that seems to be the idea behind free VPNs. Second, in developing countries like Eritrea, where censorship happens to be more pronounced, the average citizen struggles to survive on less than a dollar a day, and having to shell out about $6 or more monthly for premium VPN access is unrealistic. Free VPNs seem to afford people from regions like these, and even people in more developed regions, access to what should be a basic human right. But at what cost?

The growing trend of free VPNs' privacy abuses 

A growing body of research is showing that major providers of free VPN services are not as charitable as they seem, though. According to a recent exposé by TheBestVPN, practically all major free VPN service providers sell user data or violate user privacy in some way. Popular VPN services indicted include Hotspot Shield, Hola, Betternet, Opera VPN, and Facebook’s Onavo Protect.

Hotspot Shield, in particular, was revealed to be a major privacy violator. Boasting over 500 million users, Hotspot Shield has been accused of a lot of insidious practices when it comes to how it handles user data. According to a petition to the FTC by the Center for Democracy and Technology, besides making bold privacy and security claims about its logging practices that are contradicted by its privacy policy, Hotspot Shield uses third-party tracking libraries to facilitate targeted advertisements. The petition also exposed Hotspot Shield’s monitoring of information about users’ browsing habits while using its VPN service, and “undisclosed data sharing practices with third party.” Information it shared with third parties included names of wireless networks and unique identifiers such as Media Access Control addresses and device IMEI numbers, and some of this information was shared through insecure, unencrypted connections.

Other privacy violations Hotspot Shield was found engaging in included injecting JavaScript code through iframes for advertising purposes, a technique that can be used to inject malicious code into users’ webpages. Even worse is the fact that Hotspot Shield has been found to redirect user e-commerce traffic to domains belonging to Hotspot Shield’s advertising partners. These claims were verified by a paper by the Commonwealth Scientific and Industrial Research Organization.

Hola (152 million users), popularly used to bypass censorship and access Netflix in blocked locations, has also been put in the spotlight for selling access to users’ computers and putting its users’ privacy at risk on the pretext of offering free VPN services. A group of researchers once created a website exposing Hola’s various privacy abuses. Apparently, without user consent, Hola turned the computers of users of its free VPN service into exit nodes and sold their bandwidth to users of its paid arm, Luminati. There was also a bug that could be exploited to allow strangers to remotely run applications on computers on the Hola network. Hola later fixed most of these issues, although the researchers maintained that some of them are still present.

According to the exposé by TheBestVPN, Betternet, a popular free VPN app for mobile phone users with 38 million users, actively allows advertisers to place cookies in users’ browsers and track information about their browsing activities. Facebook’s Onavo Protect VPN collects personally identifying information that it shares with affiliates and third parties. Opera also isn’t guilt-free. Through its popular in-built browser VPN, user information can be collected and shared with third parties.

In essence, there’s hardly a popular free VPN service provider that doesn’t exploit user data and compromise their privacy in some way. And the scale of this is so massive that it affects hundreds of millions of users. In fact, it’s become almost essential for free VPN service providers to abuse user data to be able to operate, or at least that’s how it seems.

The implication for users of free VPNs

When we look at the privacy violations going on in the free VPN industry, two major questions are pertinent: First, what are the implications for users of these services? While it might not seem like much of a big deal since the motivations of these free VPN service providers seem to be purely commercial, there are a lot of questions: for one, to whom is this data being sold? One of the free VPN services exposed was apparently being run by a Chinese big data company that boasts of having data from “650 million monthly active devices.”

In essence, you shouldn’t risk using a VPN service unless you trust it more than you trust your ISP. For all you know, it could be run by a criminal organization, a foreign government, or a Chinese data mining organization.

Even if run by a legitimate organization, maintaining a VPN service requires a level of financial commitment that results in many VPN service providers resorting to sharing/selling data or using questionable advertising methods to break even. This means your data could be shared with people who shouldn’t have it just to ensure the VPN service keeps running. Worse, data could be shared with governments or other entities that threaten the freedom of individuals using these services: Ryan Lin was arrested last year for activities he carried out using a VPN service that told him that they kept no logs. Apparently, they had logs to hand over to the FBI when it was requested of them.

Perhaps what should be of utmost concern is the fact that your VPN service provider can snoop in on practically all of your online activities. It's worth asking if you want to give this kind of power to a free VPN service provider. If you’re not paying, you’re most likely the product. Identity theft and credit card fraud are on the rise, costing U.S. consumers more than $16 billion annually. And free VPN service providers are increasingly playing a role (the CDT petition earlier referenced reported that many users attributed being victims of credit card fraud to using the free Hotspot Shield VPN service).

While the free VPN service providers might only have a financial motive, questionable practices regarding logging and transferring user data (mostly through insecure means) can have serious privacy implications for end users.

Second, we should ask, are there better alternatives? The best alternative is to find and use a reliable VPN service that you are paying for, with a proven track record and in a jurisdiction that is privacy-friendly. Yes, it will require some effort researching and deciding on an option, but ensuring your data privacy should be worth that much effort at least. More decentralized networks for bypassing censorship, like the Tor project or the I2P protocol, should also be explored.