VPNs are in high demand as Americans scramble to keep access to TikTok and WeChat amid a looming government ban. There are dozens of free VPNs out there that promise to protect your privacy by keeping you anonymous on the internet and hiding your browsing history.
Don’t believe it. Free VPNs are bad for you.
But where VPNs try to solve a problem, they can also expose you to far greater privacy risks.
TechCrunch’s Romain Dillet has an explainer on what a VPN is. In short, VPNs were first designed for employees to virtually connect to their office network from home or while on a business trip. These days,
VPNs are more widely used for hiding your online internet traffic, and tricking streaming services into thinking you’re another country when you’re not. That same technique also helps activists and dissidents bypass censorship systems in their own countries.
VPNs work by funneling all of your internet traffic through an encrypted pipe to the VPN server, making it more difficult for anyone on the internet to see which sites you are visiting or which apps you are using.
But VPNs don’t inherently protect your privacy or give you anonymity. VPNs simply divert all of your internet traffic from going to your internet provider’s systems into the VPN provider’s systems instead.
That begs the question: Why should you trust a VPN that promises to protect your privacy more than your internet provider? The answer is that you can’t, and you shouldn’t.
By far some of the worst offenders are the free VPNs.
As the old adage goes, if it’s free then you are the product. What that means is that they make money off you — specifically, your data. Like any service that costs nothing, VPNs are often supported by ads. That means taking your internet traffic and selling it to the highest bidder to serve you targeted ads while you’re connected to the VPN. Other free VPNs have been accused of injecting ads into the websites that you visit.
While there are paid and premium VPNs that are generally more mindful about your privacy, they aren’t anonymous as they can be linked to your billing address. Paid VPNs also don’t solve the problem of funneling all of your internet traffic to a potentially untrustworthy company.
Some VPN providers also claim to protect your privacy by not storing any logs or track which websites you visit or when. While that may be true in some cases, there’s no way you can be completely sure.
In fact, some VPN providers have claimed they don’t store any logs — but were proven completely false.
Take UFO VPN, which at the time had about 20 million users. It claimed to have a zero-logging policy. But security researchers found the company’s logging database exposed to the internet, no password needed. The database was packed with logs of user activity, including which websites users were visiting.
Former NYPD director of cyber intelligence and investigations Nick Selby, now the chief security officer at fintech startup Paxos, said he only uses VPN providers that he knows do not store any logs. During his time as a police officer he would serve search warrants and know which providers were “the best at giving me nothing,” he told TechCrunch.
It’s not to say that all VPNs are unscrupulous or invading your privacy. Much of the problem with VPNs is that you can’t look under the hood and see what’s going on with your data. Standalone VPNs, like Algo and WireGuard, let you create and control your own VPN server through a cloud service, like Amazon Web Services, Microsoft Azure, Google Cloud, or Digital Ocean. But remember: your encrypted data is stored on another company’s cloud, making it potentially susceptible to being grabbed by the authorities.
VPNs can be useful, but it’s important to know their limitations. Just don’t rely on them to protect your privacy or your anonymity.