According to data from Freedom House’s 2017 Freedom on the Net report, which is based on an assessment of the status of Internet freedom in 65 countries, internet censorship is on the rise, and there has been an overall decline in global internet freedom for seven consecutive years now.
While we generally tend to imagine censorship to be more pronounced in third-world countries like Eritrea, a growing body of research is pointing to increasing censorship in developed regions like Europe.
Where it gets worse, however, is that systems that are supposedly used to bypass censorship are now posing more of a threat than the networks people are trying to use them to evade. Of particular note is free VPNs.
VPNs are generally regarded as a way to bypass censorship, both in developed and developing nations, and the concept of free VPNs has been generally alluring for two key reasons: First, privacy should be a basic human right, and it shouldn’t cost extra to enjoy this basic right. Any attempt to ensure free access to privacy should be commended, and that seems to be the idea behind free VPNs. Second, in developing countries like Eritrea, where censorship happens to be to be more pronounced, the average citizen struggles to survive on less than a dollar a day, and having to shell out about $6 or more monthly for premium VPN access is unrealistic. Free VPNs seem to afford people from regions like these, and even people in more developed regions, access to what should be a basic human right. But at what cost?
The growing trend of free VPNs' privacy abuses
A growing body of research is showing that major providers of free VPN services are not as charitable as they are, though. According to a recent expose by TheBestVPN, practically all major free VPN service provider sell user data or violate user privacy in some way. Popular VPN services indicted include Hotspot Shield, Hola, Betternet, Opera VPN, and Facebook’s Onavo Protect.
Hola (152 million users), popularly used to bypass censorship and access Netflix in blocked locations, has also been put in the spotlight for selling access to users’ computers and putting its users’ privacy at risk on the pretext of offering free VPN services. A group of researchers once created a website exposing Hola’s various privacy abuses. Apparently, without user consent, Hola turned computers of users of its free VPN service into an exit node and sold their bandwidth to users of its paid arm, Luminati. There was also a bug that could be exploited to allow strangers to remotely run applications on computers on the Hola network. Hola later fixed most of these issues, although the researchers maintained that some of them are still present.
According to the exposé by TheBestVPN, Betternet, a popular free VPN app for mobile phone users with 38 million users, actively allows advertisers to place cookies in users’ browsers and track information about their browsing activities. Facebook’s Onavo Protect VPN collects personally identifying information that it shares with affiliates and third-parties. Opera also isn’t guilt-free. Through their popular in-built browser VPN, user information can be collected and shared with third parties.
In essence, there’s hardly a popular free VPN service provider that doesn’t exploit user data and compromise their privacy in some way. And the scale of this is so massive that it affects hundreds of millions of users. In fact, it’s become almost essential for free VPN service providers to abuse user data to be able to operate, or at least that’s how it seems.
The implication for users of free VPNs
When we look at the privacy violations going on in the free VPN industry, two major questions are pertinent: First, what are the implications for users of these services?While it might not seem like much of a big deal since the motivations of these free VPN service providers seem to be purely commercial, there are a lot of questions: for one, to whom are these data being sold? One of the free VPN services exposed was apparently being run by a Chinese big data company that boasts of having data from “650 million monthly active devices.”
In essence, you shouldn’t risk using a VPN service unless you trust it more than you trust your ISP. For all you know, it could be run by a criminal organization, a foreign government, or a Chinese data mining organization.
Even if run by a legitimate organization, the resources required to maintain a VPN service requires a level of financial commitment that results in many VPN service providers resorting to sharing/selling data or using questionable advertising methods to break even. This means your data could be shared with people who shouldn’t have it just to ensure the VPN service keeps running. Worse, data could be shared with governments or other entities that threaten the freedom of individuals using these services: Ryan Lin was arrested last year for activities he did with a VPN service that told him that they kept no logs. Apparently, they had logs to hand over to the FBI when it was requested of them.
Perhaps what should be of utmost concern is the fact that your VPN service provider can snoop in on practically all of your online activities. It's worth asking if you want to give this kind of power to a free VPN service provider. If you’re not paying, you’re most likely the product. Identity theft and credit card fraud is on the rise, costing U.S. consumers more than $16 billion annually. And free VPN service providers are increasingly playing a role (the CDT petition earlier referenced reported that many users attributed being victims of credit card fraud to using the free Hotspot Shield VPN service).
While the free VPN service providers might only have a financial motive, questionable practices in regards to logging and transferring user data (mostly through insecure means) can have serious privacy implications for end users.
Second, we should ask, are there better alternatives? The best alternative is to find and use a reliable VPN service that you are paying for, with a proven track record and in a jurisdiction that is privacy-friendly. Yes, it will require some effort researching and deciding on an option, but ensuring your data privacy should be worth that much effort at least, and more decentralized networks for bypassing censorship like the Tor project or the I2P protocol should be explored.
If you want to comment on this post, you need to login.