Why Using A Free VPN Is A No Good, Very Bad Idea

Using a virtual private network (VPN) is usually a good idea, especially if you frequent public Wi-Fi. By encrypting the traffic you send over that connection, a VPN protects your communications from invasive eyes and plays a vital role in your overall digital defense. But using a free VPN is a no good, very bad idea.

“A VPN has the capability to track users’ online behavior as well as their IP,” Shahnawaz Backer, Security Specialist, F5 Networks, says. “So it’s important that a user validates the credibility and privacy clauses of the free VPN services. Otherwise, they risk giving up their data to advertisers or worse, cybercriminals.”

To be clear, I’m not talking about free VPN plans offered by known names like ProtonVPN. These companies offer free, but slower, tiers alongside their full-speed VPN plans. I mean free VPN services offered by obscure brands without any paid options.

A VPN connects your device to the VPN provider’s servers, using an encrypted connection. It then connects you to the internet through those servers. Anyone trying to intercept your connection can only see that you’re connecting to the VPN’s servers.

But the way a VPN works also means that whoever runs the VPN has the potential to see what you’re doing. Facebook’s free Onavo VPN app, for example, was explicit in how it harvested users’ data. Onavo’s terms of service stated that “… Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data.”

Apple reportedly asked Facebook to remove the Onavo VPN app, as it violated the store’s guidelines on data collection. But the app is still available on the Google Play Store for download.

“The free VPN services are able to log and track all user activity, online habits, and IP addresses,” Backer says. “This potentially poses as a treasure trove for advertisers, cybercriminals and agencies, should the data fall into the wrong hands.”

But how do you know that legitimate VPN services aren’t spying on you too?

Short of rolling your own VPN, there’s no way to know for sure. A VPN secures you from eyes on the network but can expose you to the VPN. There’s always risk involved, but you can call it a calculated risk. An anonymous spy on the network is most likely malicious. A VPN company with paying customers is less likely to be evil.

“Like so much else in computer security, VPNs are mainly about trust,” Nick FitzGerald, ESET Senior Research Fellow, says. “The cryptographic protocols employed in VPNs mean that, by design, only two parties can decrypt the traffic traversing the VPN — the two parties at each end of the VPN connection. Hence, if you are using a VPN for privacy and/or security reasons, you must be especially sure that you can trust the VPN service provider.”

So what should you do when looking for a paid VPN service?


One way to ascertain the credibility of a VPN provider is through transparency. A leadership page with real names and faces provides more trustworthiness than an anonymous company.


Look for a privacy policy that states the nature of logs. Some VPNs will keep minimal logs to maintain the service, but at the least, they shouldn’t keep traffic logs.


Shop for a service that supports open source protocols like OpenVPN. Open source means that anyone can audit the code, which makes it less likely that the protocol has been compromised.


A solid VPN will have servers around the world. This increases your odds of getting reliable and fast connections.


If you’re especially paranoid, you’ll want to avoid VPNs based in the ‘14 eyes.’ These are countries that are known to spy on citizens and can force VPNs to give up private data.
