Thursday, July 23, 2020

“No-Logging” VPN Providers

Craig Silverman (tweet, also: Nick Heer):

Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don’t disclose their connection to the company or reveal that they feed user data to Sensor Tower’s products, have more than 35 million downloads.

Paul Bischoff (via Hacker News):

Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.


More than two weeks after we sent a disclosure to UFO VPN, the company shut down the database and responded by email[…]

“We don’t collect any information for registering,” the spokesperson said. “In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.” [sic]

But based on some sample data, we do not believe this data to be anonymous.

Shaun Nichols:

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.


A few days later, on July 5, the data silo was separately discovered by Noam Rotem’s team at VPNmentor, and it became clear the security blunder went well beyond UFO. It appears seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service.

And they were all leaking data onto the internet from that unsecured Elasticsearch cluster, VPNmentor reported.

Via Nick Heer:

There is nothing inherently wrong with white labelled goods and services, but I do think their use is inadequately disclosed. It is detrimental to our understanding of what we are buying and makes it hard to compare different products.



I don't see the logic here. Step 1 is apparently to be smart enough to know why you need a VPN, but Step 2 is to be dumb enough to go with a free one?

@Ben How can you know that a paid one does what it promises, either?

>smart enough to know why you need a VPN

Tons of ads run to convince you you need one.

>dumb enough to go with a free one

As Michael says, price tag isn’t a guarantee for trust.

You can't really know for sure and nothing is guaranteed, but at least the paid ones have a business model that in theory would be to provide a trustworthy service with a good reputation so you stay as a paying customer.

Old Unix Geek

You simply can't know. Any government can create "High Trust VPN services". Not only do they get higher signal to noise (people who have something to hide use them) but they also get paid!

Sure, there's no way to really know. I use Proton VPN because I trust their reputation. Previously I used Nord and PIA. They worked well, but I think Nord had some data breach a year or two ago and PIA was somehow associated with Russia or something weird. I decided Proton was worth the extra $3 per month or whatever in comparison. But using a free version of something that's ostensibly supposed to protect my privacy just seemed completely at odds. Why would any company do that, unless somehow they were making money off of my private data? That much seems obvious.

>I use Proton VPN

I think that's a pretty good bet. Use a paid provider located in a country with strong privacy laws. The only other option you have is to set up your own VPN.
