Are Free VPNs Safe?

An honest discussion about whether it’s safe to use free VPNs

Let’s talk about free VPNs. Typically, when we get asked
about whether or not it’s safe or wise to use a free security product, it’s
free SSL. And to be honest, we’re loathe to weigh in on that too heavily because
as soon as we do someone accuses us of having a conflict of interest.

But we really don’t have any skin in the VPN game, so we’ve
got no problem discussing free VPNs and whether or not they can be trusted. And
that’s one of the more important distinctions when it comes to VPN services.
With other security products it’s a binary. Does this work? Yes or no. That’s
still a question with VPNs, but the more pressing one is whether or not you can
trust the service itself.

Because when you use a VPN, the servers you log into still
have the ability to track what you’re doing and where you’re going, even if no
one else can. And if the folks running those VPN servers are unscrupulous, you
may be worse off using the free VPN than not using one at all.

So, today we’re going to discuss free VPN services, which
ones you can trust and what you need to be looking for if you decide to forego
our warning and dabble with the free VPNs anyway.

Let’s hash it out.

Running a free VPN ain’t free

Let’s start with why you should be dubious of truly free VPN services: the cost of running a VPN service. I try not to be too cynical, but altruism is not a virtue you see a whole lot of on the internet. And that’s what it would require to run a truly free VPN service that was actually any good.

Are free vpns safe?

Think about it, to run a VPN you need to purchase a whole bunch of servers and IP addresses, you need to spend money building out the client it will use, you need be able to afford to keep it all running, to staff it and you’ll need to be able to scale as you grow. None of that is cheap. And to do it all and not charge anything would mean you’re running it at a loss.

Nobody starts a business to run it at a loss.

That means these free VPN services have to make money
somehow. And if they’re not making money by charging their users, they’re
probably making it OFF their users. That can only mean one of a few things, and
none of them are what you intended when you decided to start using a VPN.

A little transparency, please

We are a culture that is driven by its Freudian Id. We want instant gratification. And oftentimes when we see something is free, common sense goes out the window. This is why you see people fighting over the ordnance for t-shirt cannons or see grown men knocking over children for foul balls at baseball games. Even just seeing the word “free” garners a visceral reaction from many people – that’s why you see it used in more than its fair share of phishing emails.

The (meandering) point I’m making is that not enough people take the time to actually click around the VPN’s website and learn what it does to support itself when the word “free” is involved. It’s even more of a problem on mobile and via app stores, where a lot of that information isn’t even present.

Here’s the thing, if a VPN is up front about how it’s going
to log, store and use your data – and you miss it – that’s on you. If the VPN
service DOESN’T provide that information. It’s on them. And it should be
strikes one, two and three.

Generally, with any VPN, you should already be checking:

  • Logging policies
  • Technical safeguards
  • Locations
  • How it makes its money

The first three items on this list should be stated explicitly. The fourth is a little more implicit.

Policies and Safeguards

With logging policies, the less logging that’s done the
better. If there is logging, how long do they keep the logs for? This is one
log context where shorter is better. Do they anonymize logs? How do they
anonymize the logs? You need to be like John Henry and focus on those logs.

Technical safeguards refers to how they secure connections. You’re specifically trying to understand what protocol will be used and what kind of encryption will be securing the connection. Is that encryption industry standard? Are they even doing anything? Some VPNs don’t even encrypt their connections while many others conduct important business outside of the encrypted tunnel, which leaks your information. It’s very important that you understand what safeguards are in place.

Where are their servers located?

The world is not unified when it comes to internet freedoms, data rights and privacy. There is a patchwork of laws and regulations that affect different countries and regions. In researching this article one of the themes I’ve noticed is what basically amounts to fearmongering about the Five Eyes intelligence alliance between Australia, Canada, New Zealand, the US and UK. And while those countries have agreements in place to provide legal access to data, provided it goes through the right channels – that is absolutely pedestrian compared to what goes on in other corners of the world.

Still, it is worth noting that many countries, including those in the EU, have requirements that certain data be stored within their borders where it is subject to their laws and could be turned over to their government. For a lot of people, that won’t be a problem. Not to deal your ego a blow, but the stuff you’re using a VPN for – pirating movies, streaming blocked content, hiding from your ISP – doesn’t rise to the level of warranting attention from Five Eyes or Interpol. It takes a lot to get the black helicopters to show up over in the Western world. For other people in other locations? It might be something worth considering.

For other people in other locations? It might be something worth considering.

And finally…

How do they make their money?

When you see a Free VPN offered by a company with paid plans, it’s safe to assume that it’s making its money off its paid subscriptions. And to incentivize paying, you’re not going to be able to use all of that VPN’s features. There’s a trade-off.

With free VPNs, it’s a little less obvious. And the more opaque they are about how they might be making their money, the more suspect you should be. Some free VPNs have enough integrity to come right out and admit they’re going to sell your data. It’s in their private policy. Did you read the privacy policy? C’mon, this is what we just talked about…

Keep in mind, this industry is massive and almost completely unregulated. There is very little barrier to entry when it comes to “free VPNs.” And as you’re about to see, a lot of these apps aren’t VPNs at all. Just because an app or program CLAIMS to be a free VPN, doesn’t mean anyone ever took the time to actually verify the claim.

When VPNs aren’t (just) VPNs

The basic premise of a VPN is that you log in to it, and it
helps guard your privacy by obfuscating your activity, securing your
communication and ideally anonymizing you completely. But, as we already
discussed, you have to TRUST the VPN because it still has all of that valuable
data on you. This is why the no logging policies are so important.

How a VPN works

But, a lot of VPNs fail to live up to that whole privacy
premise. The Australian Commonwealth Scientific and Industrial Research
Organization (CSIRO) did a study of Android apps claiming to be VPNs and it
wasn’t exactly encouraging.

82% of free VPNs required permissions to sensitive resources75% of free VPNs used third-party tracking libraries38% of free VPNs infected their devices with malware18% of free VPNs didn’t even use encryption84% of free VPNs handle IPv6 traffic outside of the encrypted tunnel66% of free VPNs handle DNS requests outside of the encrypted tunnel

Granted, that’s Android apps, but the startling lack of
regulation in that industry only lends itself to this kind of garbage. Let’s
take a look at some other Free VPN horror stories…

Free VPNs might track and sell your data

The Android numbers skew more towards malfeasance, but in general there are still a lot of bad actors in the VPN space. One 2018 study found 26 of the world’s top 117 VPN services log data. That includes paid services. When you filter out the paid services, the numbers look even worse. While your activity may be hidden to the rest of the world, your VPN service sees it all. And a lot of that data may be valuable. After all, they wouldn’t bother logging it if they didn’t intend to sell it for profit. Per CSIRO, BetterNet, which boasts over 38-million users, also leverages 14 different tracking libraries. Meaning your ISP might not be able to see BetterNet users – but tons of other, lesser-know entities sure can. It gets even more frightening when you consider the number of VPNs that ask for extensive permissions on the devices they secure. That allows them to harvest even more user data, sometimes data that wasn’t even transacted during the use of the VPN.

Free VPNs might give you malware

According to Metric Labs’ head of research, Simon Migliano, “one in five” of the 150 free VPNs he studied had malware. That’s a bit lower that CSIRO’s figure – it tested 280+ free VPNs so it scraped more from the bottom of the barrel – but the figure generally reinforces that you never know what you’re getting with free VPNs. You wouldn’t play Russian Roulette with those odds, don’t blindly trust a VPN based on them, either.

And here’s the thing, delivering malware is a huge pain in the butt. Or… so I’ve been told. The vast majority of it, over 90%, gets delivered via email. And you still have to convince the recipient to open it or run it – whatever makes it tick. Enterprising minds have long been searching for an easier way. Well, it turns out that if you make an Android app and advertise it as a free VPN, people will install your malware and execute it of their own volition – the digital equivalent of the salmon hopping right into the bear’s mouth.

Free VPNs might steal your bandwidth

Let’s talk about bandwidth for a second, because the
definition can be a bit confusing at times. There is a definition for (signal) bandwidth
as it relates to hertz and frequencies – that’s not the one we’re interested
in. For our purposes, bandwidth refers to the maximum rate that data can be
transferred through a network path. We aren’t going to stray too far into the
weeds on this but everyone has at some point been in a situation with shared
WiFi. Maybe it was at a dorm, with some roommates or even on a public network –
but your connection speed was contingent upon who else was using the internet
at that moment. If too many people got on, things could lurch to a halt. That’s
bandwidth, each user, each connection is partitioned a fraction of that bandwidth
to operate on.

On any connected device you have two commodities you likely never think about: bandwidth and processing power. We’re going to get to processing power in a second, but your device or computer is likely not making use of all the bandwidth it’s been allotted. It would be nice to think it does, but nothing in tech works at 100% efficiency – network bandwidth included. Some of the more unscrupulous actors in the free VPN game are more than happy to take any extra bandwidth right off your hands, too. The best example of this is the free VPN product offered by Hola, which has over 152-million users and has been caught selling its free users’ bandwidth to paid customers via another arm of its business. If you’re not sure what that means, think of it this way: you might be using a free VPN to stay anonymous and avoid undue scrutiny, but at the same time your VPN is essentially renting your bandwidth and IP address – the one associated with you – to someone else. And anything they do can be traced back to you. Not great, Bob.

Free VPNs might Cryptojack you

One of the other things Hola was caught for – and it’s unclear whether this part was intentional – was a bug that allowed programs to be run remotely on its users’ computers. And while we’re willing to give the benefit of the doubt here – this is also not an isolated incident.

But first a quick refresher on Cryptojacking. Cryptocurrency, most famously BitCoin (which is the example we’ll use), is essentially minted through a mathematical process that involves a blockchain and a prohibitively difficult problem to solve. In fact, the math problem is so costly to compute that even the world’s most powerful supercomputer would be overmatched. As a result, “miners” often pool their resources together to try and solve the problem. When they do, they get to add a new block to the blockchain – the new block will contain all the transactions that took place while the block was being solved – and they get a reward paid out in BitCoin. This is called cryptomining. The reward is typically divided amongst the miners that pooled their resources. And therein lies the rub. The rewards for solving each block are diminishing at a set rate and the blocks continue to get harder to solve. That means less money for more work, which is not what anyone signed up for.

The cryptocurrency community is full of criminals and
charlatans, many of whom have no qualms about compromising other people’s
devices to create a botnet, which can in turn throw all of its combined computing
power at solving the next block. And here’s the best part: they wouldn’t even
have to split the reward. Early on you saw a lot of IoT devices getting conscripted
into botnets. Now we’re starting to see more ingenious methods for compromising
devices and stealing their processing power: free VPNs.

Ironically, VPNs often advertise themselves as a defense
against Cryptojacking. Turns out they can also get you cryptojacked, too.

Free VPNs might hijack your browser

Most of us take for granted that our browsers do what we ask them to. You rarely have to worry about Firefox or Chrome getting mouthy, unless you’re dealing with certificate errors or known malicious websites – then they do speak up. But having your browser take you to all range of websites you never intended to go to isn’t usually a problem for most of us. Unless you hook up with the wrong free VPN that is.

Case in

“AnchorFree’s VPN app HotspotShield performs redirection of e-commerce traffic to partnering domains. When a client connects through the VPN to access specific web domains, the app leverages a proxy that intercepts and redirects the HTTP requests to partner websites.”

That’s not uncommon, either. And to be honest, it’s actually
one of the least scummy ways free VPNs take advantage of their users. Far
preferable to having your bandwidth sold out from under you or your information
widely shared. Still, that’s a sad statement in and of itself. Like a choice
between pestilence and a plague.

Are there any good Free VPN options?

There’s a terrifying amount of bad advice related to this
question. And typically, the answer comes from a party with skin in the game –
they’re making money off all this somehow. As we mentioned earlier – we aren’t.
We’ve got no stake in the VPN industry, but we do know a thing or two about
encryption and privacy. And we constantly preach the importance of cybersecurity
education. So here goes.

VPN concept

If you want to use a free VPN, you really only have a handful
of options:

  • Use the free version of a paid VPN
  • Use an open-source VPN
  • Spin up your own VPN

Don’t try to use the University of Tsukuba’s free VPN or any
of those other weird workarounds – those are designed to serve different
functions, not so you can circumvent the MLB’s blackout rules to stream
baseball or some such nonsense.

Freemium VPNs

Freemium is one of those internet buzzwords that gets tossed
around a lot and doesn’t always get used correctly. Freemium just means that
the base product is available for free, but additional features will cost you
money. We’re actually seeing a turn to this model from the videogame world
right now with titles like Fortnight, Apex Legends and Dauntless. If you don’t
mind running on a stripped down version of a VPN, this is probably your most
straightforward option.

Top VPN services like NordVPN and Express VPN offer solid freemium versions. But, again, be careful before you just blindly jump into bed with any old VPN service on account of it having paid tiers. Hola had paid tiers and it sold its free users’ bandwidth and IP addresses to its paying customers. This is why you have to read the fine print.

Open-Source VPNs

The safest option when it comes to truly free VPNs is to use
an open-source one. OpenVPN is by far the most popular, but there are other
variants that may fit your needs a little bit better. Open source VPNs don’t
have any clandestine financial motivations and their code is public so it can
be regularly vetted and critiqued.

Here’s the thing though, this is not really a beginner-level option. You need to have at least a basic knowledge of what it is you’re doing, because there’s not going to be a whole lot of hand-holding. You’re likely going to need to crowdsource your support from forums and mailing lists. So, if you’re looking for something quick and easy – move along, there’s nothing to see here.

Spin up your own free VPN

You remember how we just said using an open-source free VPN wasn’t exactly a task for novices? Well, crank that up to 11. While you’ll have much greater control over your data and the security measures that are in place, which should help protect your privacy and foster some degree of anonymity – the amount of work that’s required to pull this off is worthy of its own article.

Suffice it to say, this option is only for those with quite
a bit of experience.

Just be careful with free VPNs

If you take just one thing from this entire article, make
sure it’s to look closely at any “free” VPN before using it. We get it, who
doesn’t love stuff to be free? But there’s almost always a catch. With free VPNs
that spectrum ranges from paid VPN services trying to sell you additional
features all the way to VPNs that infect you with malware and/or steal your

The important thing is being able to identify that catch. The honest players state it up front. We may not love what the catch is but there’s a degree of integrity that comes with at least owning it.

It’s when the catch isn’t obvious – when it’s not stated
explicitly and it’s difficult to discern from the information you’ve been given
– that you need to be the most careful. So, read the damn fine print.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Patrick Nohe. Read the original post at: