Using a virtual private network (VPN) is usually a good idea, especially if you frequent public Wi-Fi. By encrypting your Wi-Fi connection, a VPN protects your communications from invasive eyes and plays a vital role in your overall digital defense. But using a free VPN is a no good, very bad idea.
“A VPN has the capability to track users’ online behavior as well as their IP,” Shahnawaz Backer, Security Specialist, F5 Networks, says. “So it’s important that a user validates the credibility and privacy clauses of the free VPN services. Otherwise, they risk giving up their data to advertisers or worst, cybercriminals.”
To be clear, I’m not talking about free VPN plans offered by known names like ProtonVPN. These companies offer complimentary, but slower, free tiers next to their full-speed VPN plans. I mean free VPN services offered by obscure brands without any paid options.
A VPN connects your device to the VPN provider’s servers, using an encrypted connection. It then connects you to the internet through those servers. Anyone trying to intercept your connection can only see that you’re connecting to the VPN’s servers.
But the way a VPN works also means that whoever runs the VPN has the potential to see what you’re doing. Facebook’s free Onavo VPN app, for example, was explicit in how it harvested users’ data. Onavo’s terms of service stated that, “ … Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data.”
Apple reportedly asked Facebook to remove the Onavo VPN app, as it violated the store’s guidelines on data collection. But the app is still available on the Google Play Store for download.
“The free VPNs services are able to log and track all user activity, online habits, and IP addresses,” Backer says. “This potentially poses as a treasure trove for advertisers, cybercriminals and agencies, should the data fall into the wrong hands.”
But how do you know that legitimate VPN services aren’t spying on you too?
Short of rolling your own VPN, there’s no way to know for sure. A VPN secures you from eyes on the network but can expose you to the VPN. There’s always risk involved, but you can call it a calculated risk. An anonymous spy on the network is most likely malicious. A VPN company with paying customers is less likely to be evil.
“Like so much else in computer security, VPNs are mainly about trust,“ Nick FitzGerald, ESET Senior Research Fellow, says. “The cryptographic protocols employed in VPNs mean that, by design, only two parties can decrypt the traffic traversing the VPN — the two parties at each end of the VPN connection. Hence, if you are using a VPN for privacy and/or security reasons, you must be especially sure that you can trust the VPN service provider.”
HOW TO SHOP FOR A VPN
So what should you do when looking for a paid VPN service?
1. LOOK FOR TRANSPARENCY
One way to ascertain the credibility of a VPN provider is through transparency. A leadership page with real names and faces provides more trustworthiness than an anonymous company.
2. LOOK FOR LOGGING
3. LOOK FOR OPEN PROTOCOLS
Shop for a service that supports open source protocols like OpenVPN. Open source means that anyone can audit the code, making it less likely to compromise the protocol.
4. LOOK FOR GLOBAL SERVERS
A solid VPN will have servers around the world. This increases your odds of getting reliable and fast connections.
5. LOOK FOR THE ‘14 EYES’
If you’re especially paranoid, you’ll want to avoid VPNs based in the ‘14 eyes.’ These are countries that are known to spy on citizens and can force VPNs to give up private data.