Tuesday, July 16, 2019

Most “Free” VPN Apps Secretly Owned by China

Simon Migliano:

Unfortunately, the majority of apps appearing in the top results for “VPN” searches are free products from obscure and highly secretive companies that deliberately make it very difficult for consumers to find out anything about them.

[…]

Our investigation uncovered that over half of the top free VPN apps either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the internet within its borders.

[…]

Apple and Google have let down consumers by failing to properly vet these app publishers, many of whom lack any sort of credible web presence and whose app store listings are riddled with misinformation.

Via Josh Centers:

Additionally, the investigation revealed many have bad or nonexistent privacy policies, don’t even have legitimate Web sites, and share user activity with third parties. If you’re selecting a VPN in order to guard your privacy, be careful of which one you choose and do your research to find a trustworthy provider because a VPN service can monitor all of your Internet activity.

How can you even tell whether a paid VPN is trustworthy—not a honeypot and actually follows its privacy policy?

Update (2019-07-17): Adi Robertson (tweet):

An OO-certified app or site must meet three criteria. First, it needs to demonstrate “a basic level of transparency” by making its code and infrastructure — among other things — public and fully documented. Second, it needs to lay out its policy in the form of “claims with proof,” establishing what user data is collected, who can access it, and how it’s being protected. Third, those claims must be evaluated by an OO-certified auditor who then makes the audit results public.

The site OpenlyOperated.org, for example, is OO-certified. (It’s one of two OO-certified services right now, alongside Lin and Dewan’s Confirmed VPN.) Its audit report lists several easily readable and footnoted claims about the site, including the claim that your email address is kept totally private — even from the site’s operators. It then includes details about the encryption system that makes this possible, plus statements from cybersecurity consultants who corroborate the claims. While companies can already run privacy audits, Openly Operated’s branding is supposed to promise a certain level of depth, in addition to guaranteeing transparency.

Update (2019-08-19): Kenn White:

Myths about VPN providers

- they protect your identity
- they’re safe
- they don’t log
- they are competent
- they’ll shield you from the law
- NSA can’t…no, just stop. Really.

Update (2019-10-21): Kenn White:

A story of the entire VPN industry, in 4 acts. Starring NordVPN.

See also: Dan Goodin.

7 Comments RSS · Twitter


It's crazy to think about how much information you're handing over to any VPN provider, free or paid. I don't even trust my cellphone or internet providers to not get hacked and leak my information all over the place. So a VPN is critical and so far the best I've found is Mullvad. They have a long track record of maintaining user privacy and not logging activity. Accounts are anonymous, and their privacy policies are human-readable and easy to find on their website.


I'm more curious about the paid ones. I use IPVanish but there's a certain level of trust involved that your traffic isn't being heavily monetized.


Niall O'Mara

Handing over all you network traffic to an unknown entity is nuts - and in the name of security / privacy it's even more nuts. To me, using a VPN is akin to asking someone you meet at the pub who has a gun to look after your house. YMMV


VPNs might be an unknown, but ISPs and telcos are known to retain and sell your information. An alternative would be to form your own VPN on a VPS or webhost (of course then you are subject to the host's terms, trust, and opsec).


There is simply no way you can trust anyone other than yourself about encryption. A VPN usually has two ends, and in a consumer scenario you are either trying to get around geo restrictions, or protecting yourself from an untrustworthy (W)LAN. Setting up your own VPN in the cloud is easy with systems like Algo or Streisand. I personally just roll my own using OpenBSD and it’s OpenIKEd, but then I have access to a non-cloud endpoint with static IP for it.


I don't think it is nuts to use VPN, if you're being selective and make some research. Of course you will never really *know* for sure, you just have to make up your mind for whom you trust more and less. E.g. I actually trust Apple not to sell my private data to the Chinese government, but I can not be 100 percent sure, no one can. But I trust Apple *more* than Huawei for reason I don't think I have to explain.

So when it comes to VPN:s it's a matter of finding the most trustworthy and then asking yourself: do I trust this VPN provider more than my ISP/telco? Which is less "nuts"?

Mullvad was mentioned above and I think they are trustworthy from what I've read, as do I think some other Swedish and Finnish VPNs are.


Rolling your own VPN sounds great if you have the internet connection and endpoint to support it. Barring that it devolves to “layered defense” and “who do you trust and how much?” On macOS layered defense is running a hostfile, Little Snitch, and maybe AdGuard just at the network level. For most endusers on iOS the only option is local “VPN” profile for something like AdGuard Pro and then a vendor VPN,

I have serious misgivings about “just trusting a (free) VPN vendor” or something like Guardian OS, which requires the VPN because Apple “required” the VPN previous to the “rule change” for local profiles.

I’m glad the AdGuard devs did not compromise (too much) with Apple about AdGuard Pro, it (alone with a strong hostfile like Steven Black) is currently, AFAIK, the best “layered defense” on iOS... along with a good, vetted VPN.

(My choices, along with AdGuard in “split VPN” compatibility mode, these VPN vendors: VPNUnlimited, ProtonVPN free or paid, Guardian OS free or paid — AdG Pro takes up the “Personal Configuration” slot and the VPN vendors use the “Personal VPN” slot and they work in tandem... and quite well).

Leave a Comment