Free VPNs just aren’t that secure
Free VPNs can be very dangerous. Why? Because to maintain the hardware and expertise needed for large networks and secure users, VPN services have expensive bills to pay. As a VPN customer, you either pay for a premium VPN service with your dollars or pay for free services with your data. If you’re not ordering at the table, you’re on the menu.
About 86% of free VPN apps for iOS and Android — accounting for millions of installs — have unacceptable privacy policies, ranging from a simple lack of transparency to explicitly sharing user data with Chinese authorities, according to two 2018 independent investigations into free VPN apps. from Top10VPN. Another 64% of free VPN app offerings had no online presence outside of their app store pages, and only 17% responded to customer support emails.
In June 2019, Apple reportedly banned apps that share user data with third parties. Eighty percent of the top 20 free VPN apps in Apple’s App Store appear to be breaking those rules, according to a June update on the Top10VPN investigation.
In 2021, 77% of apps flagged as potentially insecure in the Top10VPN VPN Ownership Survey — and 90% of those flagged as potentially insecure in the Free VPN Risk Index — still posed a risk.
“Google Play downloads of apps we’ve flagged as potentially unsafe have grown to 214 million in total, up 85% in six months,” the report said. “Monthly installs from the App Store held steady at around 3.8 million, which represents a relative increase as this total was generated by 20% fewer apps than at the beginning of the year as a number of apps are no longer available.”
On Android, 214 million downloads represent a lot of user login data, mined by unwitting volunteers. What is one of the most profitable things we can do with a large chunk of user input data?
You may catch malware
Let’s get this out of the way right now: 38% of free Android VPNs contain malware — despite the security features on offer, a CSIRO study found. And yes, many of those free VPNs were highly rated apps with millions of downloads. If you’re a free user, your chances of catching a nasty bug are greater than 1 in 3.
Ask yourself which costs less: a secure VPN service for about $100 a year, or hiring an identity theft recovery firm after a mob has stolen your bank account login and Social Security number?
It couldn’t happen to you, could it? Wrong. Mobile ransomware attacks are skyrocketing. Symantec detected more than 18 million mobile malware cases in 2018 alone, representing a 54% year-over-year increase in variants. In 2019, Kaspersky noted a 60% increase in password-stealing trojans.
Malware isn’t the only way to make money if you’re using a free VPN service; there is an even easier way.
Ad-avalanche
Aggressive advertising practices from a free plan can go beyond hitting a few annoying pop-ups and quickly cross into dangerous territory. Some VPNs pass ad-serving trackers through loopholes in your browser’s media-reading features, which then sit on your digital footprints like a prison guard in a B-grade remake of Escape from Alcatraz.
HotSpot Shield VPN gained notoriety for such accusations in 2017, when it was hit with a Federal Trade Commission complaint (PDF) alleging massive ad-serving privacy violations. Carnegie Mellon University researchers found that the company not only had a backdoor used to secretly sell data to third-party ad networks, but also used five different tracking libraries and actually redirected user traffic to servers secret.
When the story broke, HotSpot parent company AnchorFree denied the researchers’ findings in an email to Ars Technica: “We never redirect our users’ traffic to third-party resources instead of the websites they intended to visit. The free version of our Hotspot Shield Solution openly and clearly states that it is funded by advertising, however, we do not intercept any traffic with either the free or premium version of our solutions.”
Since then, AnchorFree has offered annual transparency reports, although their value still rests in the hands of the reader. Recently, HotSpot Shield was among only a handful of VPN apps found to respect users’ opt-outs to allow ad tracking. In a November 2021 study by Top10VPN, only 15% of free VPN apps respected iOS users’ choices when they opted out of voluntary ad tracking. The rest of the free VPN apps tested by Top10VPN simply ignored users’ Do Not Track requests.
Even if credit card fraud isn’t a concern, you don’t need pop-ups and ad lag weighing you down when you already have to deal with another major problem with free VPNs.
Buffering … buffering … buffering
One of the main reasons people get a VPN is to access their favorite subscription services or streaming sites — Hulu, Max (formerly HBO Max), Netflix — when they travel to countries where those companies block access based on at your location. What’s the point of accessing the geo-blocked video content you paid for if the free VPN service you’re using is so slow you can’t watch it despite a good internet connection?
Some free VPNs have been known to sell your bandwidth, potentially putting you on the legal hook for whatever they do with it. The most famous case of this was Hola VPN, which was caught in 2015 quietly stealing users’ bandwidth and selling it, mercenary-style, to any group that wanted to deploy its user base as a botnet.
At the time, Hola CEO Ofer Vilenski admitted they had been taken by a “spammer” but claimed in a lengthy defense that this bandwidth harvesting was typical of this type of technology.
“We assumed that stating that Hola is a [peer-to-peer] network, it was clear that people were sharing their bandwidth with the community network in exchange for their free service,” he wrote.
If entering the service as part of a botnet isn’t enough to slow you down, free VPN services usually also pay for fewer VPN server options. This means your traffic is generally bouncing longer between remote, congested servers, or even waiting behind paid user traffic.
In conclusion, subscription streaming sites are smart for those trying to sneak into their free video services. These services routinely block large numbers of IP addresses that they have identified as belonging to freeloaders. Free VPNs can’t afford to invest in a long list of fresh IP addresses for users like a paid VPN service can.
This means you may not be able to subscribe to a streaming service you paid for if your free VPN is using an old IP pool. Good luck getting HBO Max to load over that VPN connection.
Paid options are being improved all the time
The good news is that many solid VPNs on the market offer a variety of features, depending on your needs and budget. You can browse our reviews and ratings to find the right VPN software for you. If you’re looking for something mobile-specific, we’ve rounded up our favorite mobile VPNs for 2024.
If you’d like a primer before deciding which service to fork over, we’ve got it a VPN buyer’s guide to help you understand the basics of VPNs and what to look for when choosing a VPN service.