August 12, 2024

Are All Free VPNs Unsafe?

An independent test of the 100 most popular free VPN apps on Android found not a single app fully delivering on its privacy promises.

Future Crew

The number of VPN users worldwide has exceeded 1.5 billion, with 77% using a VPN for personal use. In Russia, demand for VPNs is also growing: in 2023, the number of users increased by 37%, and by 2.5 times compared with 2021. Most are looking for free services and rarely think about the fundamental contradiction: a free app has to monetize through advertising and large-scale data collection, while the primary function of a VPN is to provide security and privacy, thus minimizing information leaks. According to a comprehensive test conducted by the independent website top10vpn, this contradiction is actually not resolved in favor of the users of free services. All the popular VPN apps studied systematically put personal information at risk.

Unreliable Service

The key function of a VPN, maintaining an encrypted communication channel (tunnel) with the desired server, is performed poorly by 88% of the apps tested. They allow data to leak from the tunnel, which means that the Internet provider, office network system administrator or Wi-Fi access point owner can partially learn what the user does on the Internet when the VPN is enabled. Most often, these are leaked DNS queries, which can be used to understand what websites a user is opening.

Moreover, 36% of VPNs tested use weak encryption, while 53% demonstrated connection instability, slowdowns and disruptions. This is not just an inconvenience, as disruptions put personal data at risk. Even though the VPN is disconnected, other smartphone apps continue to work and their data travels over the open network.

User Tracking and Malicious Features

To target ads more precisely, most digital platforms track their users in detail, including by collecting detailed statistics from installed apps. To do this, the app itself must have advertising platform libraries embedded in it, and the tested VPN apps had a lot of such libraries: 84% of VPNs contain “spy” trackers from social media and marketing systems. Thus, 71 apps send users' personal data to the servers of foreign social media, Yandex and aggregator companies like Kochava.

The permissions system in Android is designed precisely to limit unwanted data collection. However, VPN apps ask for a lot of permissions they don’t need for their main job: 10% ask for camera access, 20% ask for precise location and 46% collect the full list of installed apps. Overall, 69% of the apps tested request “risky” permissions.

Among the 100 apps tested, 19 are detected by antivirus scanners as malicious, and 18 contact Internet servers that have a reputation for maliciousness. The study authors emphasize that false positives are possible here and that the results do not mean that one in five apps is a virus. But a malicious verdict can be given for features such as aggressive ad display (including on the lock screen and on top of other apps) or bypassing system security features.

User Deceit

Researchers note that almost all free VPN services make advertising claims like “we don’t collect your data” and “we don’t share your data,” but these are usually not true. The data safety label on Google Play, mandatory for all developers, contains misleading information for 93% of the VPN apps in the study. If we compare the Google Play label with the full version of the app privacy policy, we find big discrepancies: 32% of app labels state that an app does not collect data, but the privacy policy confirms this only in two cases. Moreover, 75% of apps incorrectly state the data to be collected, 64% incorrectly state with whom they share data, and 32% incorrectly describe the security measures taken.

Thus, the authors of free VPN apps deceive users even more often than developers of other software categories, where, according to research conducted by Mozilla, discrepancies occur in only 80% of cases.

The study results show that none of its participants managed to provide free VPN services while maintaining high quality and security. No app offers both a reliable and secure communication channel and the absence of unwanted tracking. Therefore, it is better to choose paid solutions right away, ideally combining a VPN with additional privacy protection services. The soon-to-be-launched Membrana service will be just such a service: apart from a legal and fast VPN, it includes protection from ads and tracking, a filter for unwanted calls, one-time emails and phone numbers for temporary registration, as well as other useful features for an active digital life.