Free VPNs, or basically any “free product”, always comes with a price. It’s no secret that when something is free on the internet, it’s you who is the product.
This is true for free software downloads, social media platforms, and services like GSuite. The idea is that when software developers offer their digital goods for free, they are usually a lot less free than you might think. In exchange for the use of their platform or service, when you fork over your email address, you may be giving over much more than just that.
For example, when you sign up for social media services like Facebook or Instagram, these services can also see your purchasing history, your likes, and your friends. This data is then sold to digital marketing agencies that use it to create highly targeted ads. These ads display products and services similar to those you have already shown interest in. This leads to increased clicks and more importantly, more revenue for the product’s developers. (To learn more about the nitty-gritty of the complex data economy, check out this epic article from PCMag.com.)
But security products are okay, right? Um, no.
So you may know to be on the lookout for such data-sapping tactics when it comes to social media platforms and free software, like games and photo editors. But you probably don’t expect it to be true of security-related products like VPNs.
VPNs or virtual private networks, create a private tunnel from your computer or device to another computer, using that computers’ connection to traverse the open internet. Everything is encapsulated in a private network and is encrypted.
VPNs are supposed to protect users by acting as a shield between them and the dangers of the internet. They keep your internet service provider (ISP) from accessing your information when you’re online and are considered a more secure option than ISP for accessing blocked or restricted websites. They are also used by organizations to help lock down entry to their networks and keep data safe.
These benefits really do go a long way to help increase privacy and security so many experts say VPNs are a need-to-have tool for anyone using the internet. And in an effort to get more people on the VPN bandwagon, there are many providers who offer a free model of their paid VPNs—albeit with less features—for those unready to take the full VPN plunge.
But what if your VPN wasn’t actually interested in keeping you secure—and instead, just wanted you for your data?
According to David Gewirtz in ZDNet.com “It costs quite a lot to provide the infrastructure to operate a VPN service, from the network pipes to the servers. That infrastructure has to be paid for somehow. If it’s not paid for by user fees, it’s likely to be paid for by advertising, data gathering, or some nastier reason.”
Food for thought, huh?
To back this up, let’s turn to arecent study of over 100 popular free VPNs conducted by thebestvpn.com, an independent website that reviews VPNs. The study found that 26 of these so-called privacy-focused VPNs are anything but concerned with your privacy. These bad apples collect file logs that contain identifying info like IP addresses and location, connection time stamps, and bandwidth data. This is shocking, considering they are supposed to protect their users from data collection, not do it themselves.
But the invasion of privacy and the moral flexibility of an Olympiad don’t stop there; one of the listed vendors was found to be collecting their users’ bandwidth data. The VPN provider—which is considered a community VPN, meaning it allows users across the world to share internet connections with the aim of bypassing censorship laws—just happens to be a sister company of a residential proxy provider.
The VPN provider was passing along their users’ bandwidth to their sister company, who then sold it to the highest bidder. In one case, the buyer used it to launch DDoS attacks. That’s right; innocent people’s collected bandwidth data was used to launch attacks that took a popular imageboard offline. So users thought they were getting enhanced security— but really, they were being used as unwitting accomplices in criminal activities.
Moreover, the company was found to be using their user’s resources and monetizing them, even when users were offline. A thorough study of the company’s web traffic, conducted by a prominent security firm, found that approximately 85% was being redirected towards mobile ads, which can be used in click fraud campaigns.
(*Sighs, shakes head*)
No such thing as a free lunch
So does this mean that free on the web is really never all that “free”?
Look at it this way; companies have expenses to cover. Even if the people behind the services are great, they still need to make a buck. So if they aren’t charging you money, you can be sure that they are making a profit in some other way. In our data-hungry world, there’s a good chance that your data is what’s covering their bills.
There are times when this is a relatively fair trade-off; you give Google your permission to use your data (even if you aren’t aware that you’ve given it to them— so here’s a teeny piece of advice; going forward, read all TOCs and privacy statements to be more in-the-know about what’s happening with your information) in exchange for using GSuite. You let Facebook see what’s happening on your feed so you can stay in touch with your friends. If you are aware of what’s taking place and you’re okay with that, carry on, carry on.
But sometimes, data collection can be used for efforts far more insidious than mere ad targeting. Sometimes, it passes into the realm of criminal activity, as highlighted above. Does this mean you should never use a free service? Nope, not if you’re okay with it —just understand what you’re getting yourself into.
So caveat emptor, or caveat downloader, as the case may be. When the product is free, it very likely comes with some risks you don’t want to be taking.