Privacy Flaws of Free VPNs

TechsPlace | When looking for a VPN service for the first time, most people start by looking at the free options. This is a bad idea. VPNs are supposed to establish a secure network between you and the server. They facilitate a secure transfer of data through encrypted tunnels. That way, VPN services protect you from prying eyes of snoopers, hackers, and government agencies looking to track your online activities. VPN is an excellent tool when it comes to internet privacy.

However, not all VPNs are made the same. Some are not as secure as they may want you to believe. This is true for many of the free VPN services out there. In 2019, Top10VPN tested 150 of the most popular android VPNs on Google Play store with a total of 260M downloads and found that 25% had DNS leaks, 85% featured questionable permissions and functions in the source code that hint on spying, and 27 were flagged as malware as tested by VirusTotal. Here are the privacy flaws of free VPNs:

Intrusive Permissions

The presence of intrusive permissions doesn’t necessarily make a VPN unsecure, but it doesn’t mean that it’s safe either. Often, the presence of intrusive permissions and risky functions in a software program is a sign of hasty development that neglects the users’ need for privacy. Most of the free VPNs need to make money somehow. Seeing as they are ‘free,’ they can’t charge the users a nominal fee so they resort to shady practices.

To keep these VPN services free, most enable aggressive advertising within these applications. Some free VPN services even use location-based permissions and functionality to geo-target ads to users with an active VPN. Developers of free VPNs often bundle their software with excessive, intrusive permissions and functions. This could be deliberate or an unintended consequence of hasty development. Either way, consumers looking to protect their privacy with a VPN deserve better.

Risky Functions

More than 60 percent of the applications tested contained risky functions potential for privacy abuses not expected from a VPN app. Many displayed the location manager exposing the device’s last known location. Intrusive permissions and risky functions open the door to potential abuse of privacy. Recent Android versions come with built-in protection for such applications. Application permissions are set to ‘denied’ by default until the app requests that they are allowed.

DNS Leaks

What is a DNS leak? First, you’ll have to understand what a DNS is. DNS is short for Domain Name System, which functions as the phonebook of the Internet. In the human language, a website is in the form of a domain name, like google.com, but to the web browser, the destination is actually in the form of an Internet Protocol (IP) address. DNS translates your website query into an IP address so browsers and loads your requested page.

A DNS leak occurs when a VPN fails to protect your device’s DNS queries even when the rest of your internet traffic is hidden the VPN tunnel. This happens when your query is fired at a DNS server (mostly owned by your ISP) that tracks internet activities. A DNS leak hence allows your DNS server operator and your internet service provider to access private data such as the apps you use and the websites you visit. If you’re wary of a leak, use a DNS leak test to find and fix it.

End Word

In 2017, the University of NSW and UC Berkley tested 283 Android VPNs. The test found that 38% contained malware or malvertising (malicious ads that contained viruses) that can steal passwords, 80% requested access to sensitive information such as texts and user data, and 20% did not even encrypt traffic — one of the key functions of a VPN. Most of the affected services are free VPNs.

This should come as no surprise. As the saying goes, if something is free, you are the product. In 2017, the Economist wrote: “The most valuable resource is no longer oil – it’s data.” Recognize this and you will see that tech and telecom companies out there, big and small, are all scrambling for your data in the most sneaky ways imaginable. Your privacy and cybersecurity are your own to protect, and you should never trust big brands or popular services to do that for you.