Date: 2020-02-18

In the eyes of many people, VPNs are services that allow you to visit sites that are blocked by governments or when access is restricted for some reason. People often do not want to pay for the fight against incomprehensible restrictions. But do they lose more by trusting free VPNs?

How does it all work?

Initially, VPN technology was created for companies that needed to provide employees with secure access to their electronic resources. Employees could be anywhere – in the office, in another country, etc.

Today, VPNs have gone beyond corporate use. More and more home users install VPN apps on their devices. VPNs are networks that work on top of the Internet. Of course, you connect to the VPN via the Internet, but for VPN users, all Internet traffic goes through specific servers. Using a VPN, users connect to websites through an intermediary server.

VPN servers are located in data centers in different countries. A client program gets installed on the user’s device, which is needed to launch the connection. The client program may be a standalone application or a browser extension.

When you connect to the VPN, a special tunnel is formed that launches an encrypted communication channel. Usually, the VPN connection between the client and server is encrypted. This lets you, for example, hide your traffic from the ISP or from other people who can analyze it.

But not everything is so cloudless. No one can guarantee that the VPN service does not use your data.

How do free VPNs make money?

No business can last long on pure enthusiasm. The owners of free VPN services, of course, need to earn money, as they pay for equipment, traffic, and their employees.

Option one for a free VPN to earn money is advertising. This is quite a common thing. For example, if you want to watch YouTube for free now, you have to watch ads too.

But free VPNs may not earn a lot of money on just ad impressions. There is a more profitable option. You can collect user information like what news they read, what devices they use, how much time they spend on social networks, etc.

Below are several real-life examples that have changed the concept and perception of free VPNs.

Opera VPN

It is good when the service honestly admits that it sells user data. For example, SurfEasy, the service that Opera bought to embed its VPN into the browser, said that its solution was collecting information.

Opera is interested in how users use mobile devices. Opera can then provide this data to researchers and advertisers.

But that is not all. Polish researcher Michal Špaček found that Opera VPN is actually not a VPN at all. The developer found the line: “Protected proxy provided by SurfEasy Inc.” and realized that something was wrong here. Michal Špaček studied the source code and published the results on GitHub. The researcher claims:

“This Opera VPN is basically just a reconfigured HTTP/S proxy that only protects traffic between Opera and the proxy, nothing more. This is not a VPN. In their settings, they call this tool a protected proxy.”

And the developers have confirmed this:

“Our VPN is something we call a browser VPN. Under the hood it works by routing all the browser traffic properly encrypted via our secure proxies in various parts of the world. It will not route the traffic from other applications – as a system wide VPN would do – it’s a browser VPN after all.”

And the best part, even if you enable VPN in Opera, the browser will still reveal your real IP. This is a known issue that has to do with WebRTC, which affects many browsers.
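A self-check for the WebRTC issue mentioned above, as an added example (not code from the article, from Opera or from the researcher): it parses the ICE candidate strings a browser produces and flags any address other than the expected VPN exit IP. The function names, the exit IP and the sample candidate lines are assumptions constructed for illustration.

```javascript
// Added example: audit WebRTC ICE candidates for addresses that bypass the proxy/VPN.
// In a browser the strings come from RTCPeerConnection "icecandidate" events; SAMPLE is constructed.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';           // mDNS name: no IP exposed
  if (a.includes(':')) {                             // IPv6
    if (a === '::1') return 'loopback';
    if (/^fe[89ab]/.test(a)) return 'link-local';    // fe80::/10
    if (/^f[cd]/.test(a)) return 'private';          // fc00::/7 unique local
    return 'public';
  }
  const parts = a.split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || +p > 255)) return 'invalid';
  const [o1, o2] = parts.map(Number);
  if (o1 === 127) return 'loopback';
  if (o1 === 169 && o2 === 254) return 'link-local';
  if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) return 'private';
  return 'public';
}

// Parse "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').trim().split(/\s+/);
  if (!f[0].startsWith('candidate:') || f.length < 8 || f[6] !== 'typ') return null;
  return { address: f[4], port: Number(f[5]), type: f[7] };
}

// Report every candidate that exposes an address other than the expected VPN exit IP.
function auditCandidates(lines, expectedExitIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const scope = classifyAddress(c.address);
    const severity = scope === 'public' && c.address !== expectedExitIp ? 'leak'
                   : scope === 'private' ? 'info' : null;
    if (severity) findings.push({ severity, address: c.address, type: c.type });
  }
  return findings;
}

const SAMPLE = [ // constructed lines; public IPs are from documentation ranges
  'candidate:1 1 udp 2113937151 a1b2c3d4-0000-4000-8000-123456789abc.local 54321 typ host',
  'candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host',
  'candidate:3 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1677729535 198.51.100.20 61001 typ srflx raddr 0.0.0.0 rport 0',
];
console.log(auditCandidates(SAMPLE, '198.51.100.20'));
```

A "leak" finding means a STUN server saw a public address that is not the VPN exit, which is the symptom described for browser-only proxies; an "info" finding is a LAN address exposed to the page.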

Hola VPN

The Hola VPN creators sold user traffic to everyone they could. Besides, Hola VPN contained remote code execution vulnerabilities. This was revealed in May 2015, when the administrators of 8chan reported a DDoS attack on their site. Administrators found that the attack was carried out using the Hola infrastructure.

Nobody was imprisoned or fined for this. Hola just added a few points to its price list. For example, in order to use a VPN and not to share traffic with others, you had to pay $5 per month.

At the same time, 8chan administrators found other holes, such as disclosing a unique user ID, escalating system privileges, and remotely executing code. Of course, those were quickly eliminated, but no one knows what may happen in the future.

Hola officially responded to the allegations:

“Part of the growing pains of creating a new service can be vulnerability to attack. It has happened to everyone (Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft…), and now, to Hola.”

And:

“The reality is that we have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified.”

Hotspot Shield

One more scandal erupted around Hotspot Shield. It would seem that Hotspot Shield honestly warned that it shows ads on each page. But everything turned out to be much worse.

The Center for Democracy and Technology (CDT) of the USA has filed a complaint with the US Federal Trade Commission about the activities of the Hotspot Shield app. The complaint stated that the service violates its own privacy policy.

Human rights activists found that Hotspot Shield monitors and intercepts user traffic, and collects user data.

CDT specialists conducted a joint study with Carnegie Mellon University. The results were disappointing: the service collected MAC addresses, IMEI, wireless networks’ names, and other information that can deanonymize users.

In addition, on many PC help forums, users reported that some websites still see their real IP addresses.

Other problems with free VPNs

A VPN can suddenly stop working, and you won’t even notice it. To protect yourself when the VPN connection drops abruptly, you can use paid VPN services that offer a so-called Kill Switch feature. If the VPN connection fails for some reason, the Kill Switch feature terminates all connections, and you will immediately notice it.

What can you do about free VPNs?

The first advice is to use paid VPNs, at least when you have to enter personal data or transmit important information. Actually, you can spend nothing even using paid VPNs. The scheme looks like this: most of the time you use a free VPN for unblocking some geo-restricted content and looking for cheaper flight tickets or hotel rooms. When you need to share sensitive info, you sign up for a free trial of a paid VPN. Such services often offer a 30-day money-back guarantee. You can use the service, for example, while on vacation and get a refund once you return.

Paid VPNs will earn more on their honest name than on selling traffic to shady companies. In addition, they provide decent speed, allow you to choose a server in the right country and offer a lot of other “goodies.”

Yes, as the Hola representative said, no one is immune from hacker attacks, even paid VPNs. So, avoid the old PPTP protocol and look for solutions that use OpenVPN, read user reviews and professional VPN reviews, read license agreements, and do not blindly trust ads.

Author’s Bio: David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.