Who really stands behind popular free VPNs?

After Whatsapp, Snapchat and Facebook, most often people are looking for mobile VPN applications. VPN is the second most popular non-trademark term after the game, and only free applications dominate the search results. The most popular of them have collected hundreds of millions of installations around the world, however, it seems that too little attention is paid to which companies are behind them, and mobile app stores are studying them too superficially.

When a person decides to install a VPN on his device of any company, he, in fact, decides to trust his data to this company instead of his wired or wireless provider. The VPN provider can examine your traffic, modify it, take notes, and, if rules allow, send it somewhere else. Given the potential for data abuse, it is critical that the user choose a VPN wisely.

We studied the most popular VPN apps in the App Store and the Google Play Store. We found that only a small fraction of these insanely popular applications do at least something to earn the trust of people trying to protect their privacy while being online.

Study

We studied the 20 most popular free applications that appear in the list of VPN requests on the App and the Play Store for Britain and the USA. In general, they are downloaded 80 million times a month from Google and 4 million times from Apple. Our full methodology and a list of all VPNs studied can be found in the detailed report .

We found the opposite of high standards, which the user could expect in applications distributed by Google and Apple and in such a sensitive category. Most applications come from unknown and highly secret companies that make every effort to hide information about themselves from users.

These VPN applications have been downloaded tens of millions of times from the largest app stores, but they practically do not give the user any information about the companies behind them and what they do with the huge flow of sensitive traffic passing through their server every day.

Our study found that more than half of the most popular free VPN applications either belong to the Chinese, or are directly located in China, a country that has aggressively suppressed VPN services in recent years and is holding back the Internet with its iron hand. In addition, we found that most of these applications lack formal protection of personal information and lack user support.

Ownership of services and their presence on the web

59% of the studied applications either belong to the Chinese, or are directly located in China, despite the fact that VPNs are strictly prohibited in this country and Internet traffic is monitored. This raises questions about why these companies — with large user bases around the world — are allowed to continue working.

Chinese VPNs are downloaded by users from the United States, Britain, Latin America, the Middle East and Canada. The owners of three of them, TurboVPN, ProxyMaster, and SnapVPN, are related companies. In the privacy policy, they note: "Our business may require us to transfer your personal data to countries outside the Eurozone (EEA), including countries such as the People's Republic of China or Singapore."

One of the offers, VPN Patron, is owned by the Hong Kong company IST Media, which advertises itself in China as a mobile advertising company and monetizes Internet user behavior.

Considering the efforts that these companies have made to hide information about their owners, it is often quite difficult to dig out who exactly is behind the applications, especially the average user.

64% of these providers do not have a special website or web presence, and more than half of the listed emails are personal accounts in Gmail or Yahoo domains. Over 80% of our requests for support were left unanswered.

Despite this lack of transparency, these companies were able to instill confidence in poorly informed users by the fact that their applications were approved by Apple and Google stores.

Privacy policy, tracking, recording user actions

Perhaps the popularity of these applications alone may be enough to convince the majority of users that they are reliable, but a thorough examination reveals serious problems.

Conscientious VPN services, whether free or subscription-based, usually have detailed privacy policies that describe how they work and oblige them not to follow users or record their traffic.

However, many popular VPN applications have nothing even closely resembling such policies, and many have no policies at all. This underlines the unpleasant uncertainty about what is happening with huge amounts of user data, and makes you worry that millions of users around the world give unknown and potentially hostile organizations access to their traffic.

We found that 86% of these applications use non-standard privacy policies, where the issue of user privacy is carefully managed or not covered at all. Some of these applications get full access to users' Internet traffic, allow themselves to track them and send their data to third parties from China. Among the data collected about the user there is a list of visited websites, IP-address (including the user's location), time, duration of viewing sites, device identifiers, email addresses and so on.

Common problems in privacy policies include:

• Tracking user actions.
• Sending information about his behavior to third parties.
• Lack of important details regarding tracking policies.
• Generalized texts of policies that are not specific to VPN.
• The stated data transmission to third parties from China.
• Lack of policy.

More than half (55%) of politicians look like lovers' work - for example, they are located on free Wordpress sites with ads or text files on anonymous web pages - which makes you even more worried about the legality of these companies.

What does all of this mean?

From the consumer’s point of view, all applications in the official store are marked as safe and legitimate by the owners of Apple or Google stores. However, given the breadth of misinformation and opacity associated with these lists, it becomes clear that supervision in this category remains minimal.

Unsuspecting users redirect their mobile Internet traffic through servers owned by companies, most of which do not provide any protection against data misuse. This is elementary negligence on the part of the largest tech giants, the lack of control on their part, which leads to the fact that millions of consumers are subject to the wholesale collection of data under the guise of online protection.

The findings also raise questions such as: why does China allow these companies to work, violating its strict laws prohibiting the use of a VPN, and with whom companies share this data after they are received.

In addition to the many questions that have emerged after discovering such strong Chinese influence in this area, these discoveries require that Apple and Google explain to consumers why they approve of applications from companies with no web presence, offering minimal or deceptive corporate information, and having weak, and sometimes disagreeing with user privacy policies.

By allowing these non-transparent, unprofessional companies to place potentially dangerous applications in their stores, Apple and Google are demonstrating their inability to verify the companies using their platforms and supervise the programs advertised there. All demonstrations of the desire for privacy control are meaningless if this potentially dangerous category of applications is subject to so little oversight.