Slashdot Mirror


A Large Number of Top Free VPN Apps Either Have Chinese Ownership or Are Based in China (hackernoon.com)

William Chalk, reporting for HackerNoon: After big names like Whatsapp, Snapchat, and Facebook, VPNs are the most searched-for applications in the world. "VPN" is the second-highest non-branded search term behind "games", and free apps completely dominate the search results. The most popular applications have amassed hundreds of millions of installs between them worldwide, yet there seems to be very little attention paid to the companies behind them, and very little scrutiny done on behalf of the marketplaces hosting them. We investigated the top free VPN apps in the App Store and Google Play Store. We found that very few of these hugely popular apps do anywhere near enough to deserve the trust of those looking to protect their privacy online. We recorded the top 20 free apps in the search results for "VPN" in the App and Play Store for UK and US locales. In total, these applications have been downloaded 80 million times from Google and 4 million times each month from Apple. Our investigation discovered that over half of the top free VPN apps either have Chinese ownership or are actually based in China, which has aggressively clamped down on VPN services in recent years and maintains an iron grip on the internet within its borders. Furthermore, we found the majority of these apps have insufficient formal privacy protections and non-existent user support.

12 of 92 comments

  1. Obviously cannot be t'rusted' by rickb928 · · Score: 5, Insightful

    No Chinese software can be trusted. None. And 'Free VPN' software cannot really be trusted.

    Actually, thinking it over, no software can be 'trusted'. Not any more. At best they sell whatever they can to whoever they can. At worst, they sell out to LE or intelligence agencies because if they don't they will have their franchise revoked, or distribution severed, or be found committing suicide with a bullet in the back of the head.

    No software or hardware can be trusted. Ever. Again.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:Obviously cannot be t'rusted' by omnichad · · Score: 3

      I don't know what t'rusted' is, but Chinese citizens are still heavy users of VPN services despite the ban. It's likely the reason their VPN companies are big enough to have global reach in the first place.

    2. Re:Obviously cannot be t'rusted' by nine-times · · Score: 4, Insightful

      Open source software can be "trusted" to a fair extent. At least then, experts can look at the code and see what it's doing.

      Of course there are still risks. Open source software can still have bugs. Malicious code can be obfuscated. Compiled binaries might be different from the source. Hosted services based on FOSS can still be used by the host for malicious purposes. And I don't think it can count as "open source" in situations like Android phones, where you have to run the OEM's version that has unknown alterations, and you can't just wipe it and install your own version.

      Still, any real hope for trusting our hardware and software would be for us to have control of it and know what it's doing.

    3. Re:Obviously cannot be t'rusted' by Dan1701 · · Score: 4, Insightful

      The UK Government have recently decided, in their great, mighty and beneficent wisdom, that they shall do something to "protect children from internet pornography". Their Cunning Plan is to force all adult-themed websites to verify that users are of adult age, using one of a number of age verification services, some of which may well be UK government-sponsored. Needless to say, very few people actually care to self-register on what amounts to a register of masturbators, nor would many people care to have a list of which sites they visit available for a vast array of Government agencies, prodnoses and tabloid journalists to see. UK civil servants have a long-standing record for being quite incredibly bad at keeping sensitive information under wraps. Tricks such as encrypting data on a CD (because regulations say they must) and writing the password on the CD (because whoever wrote the regulations did not foresee such creative stupidity) have been seen in the past.

      Furthermore, the age-clade of 13-18 year olds (mostly males) will also wish to view such sites and will for the most part be unable to do so, not being able to lay hands on hacked age verification credentials. So, both people who value their privacy, and adolescents who cannot obtain the age verification tokens, will be looking to use VPNs to get at the, err, reading materials.

      People are for the most part cheapskates. A free VPN would seem like a wonderful gift to them, but a logged Chinese VPN is very much a poisoned chalice, especially when those doing the logging realise what a wonderful source of blackmail material they have on their hands.

  2. One of my worries by nine-times · · Score: 4, Insightful

    One of my worries about VPN apps (those used for privacy) is that, although they protect your privacy against your ISP, they hand over control to the VPN provider. They can say they'll keep your information private and they won't keep logs, but you're placing a lot of trust in that provider. If they have malicious intentions, or even if their security is bad and there's a method of compromising people's privacy that they're unaware of, then you're making it very easy for your privacy to be violated.

    In fact, it can be worse than whatever spying your ISP can do. With a VPN app, they'd be able to monitor your traffic anywhere you go, all tied to a specific identity, tied back to whatever credit card you've used to pay for it.

    1. Re:One of my worries by AmiMoJo · · Score: 4, Interesting

      I tend to trust my VPN provider more than I trust my ISPs, especially the mobile ones. There is also value in routing your traffic to a different legal jurisdiction, because it makes it much harder for law enforcement to bypass due process.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:One of my worries by DarkOx · · Score: 3, Insightful

      Don't forget too that, technical issues aside, in a lot of cases people are trading one possible threat, local law enforcement and their own ISP where they have some contractual, statutory, and constitutional/lawful recourse against if "something" was done to them for some actor(s) in a foreign country where:

      1) you may or may not be granted legal rights and protections
      2) exposes you to foreign surveillance powers by your own government since your traffic is no longer domestic
      3) generally face a more costly and difficult process for accessing any legal remedy

      Basically the VPN guys can pretty much abuse you in any way they like. Sure you can quit using their VPN more easily than you can quit your ISP. You have the lever so if they start spamming you with ads and stuff you have control there. If they are more subtle than that and more nefarious and do something to you that isn't obvious though, chances are good there is NOTHING at all you can do about it; and they know that! Consider the incentives and disincentives. While I am not making a "if you have nothing to hide argument here" I am going to suggest that if whatever your reasons for wanting additional privacy fall short of criminal you might just be better off trusting your ISP and simply practicing good hygiene. IE - use the incognito mode in your browser as appropriate, patch your system, if you have to use 'sketchy sites' use a VM and revert the snapshot when you are done, be smart/think before you click.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. Chinese VPN's are more secure than European by Anonymous Coward · · Score: 4, Interesting

    UK and Europe based VPNs mean they don't need a search warrant to look at your traffic. Using a UK VPN is the worst thing you can do, since they cooperate closely with our law enforcement, but don't have to use warrants to spy on US citizens. The Chinese might be spying on you while you buy weed on the darkweb and torrent pornos, but the Chinese aren't going to cooperate with the US authorities.

    1. Re:Chinese VPN's are more secure than European by Oswald+McWeany · · Score: 3, Insightful

      but the Chinese aren't going to cooperate with the US authorities.

      That's true today. Who knows what the political climate will be in 5 years, 10 years... etc. You can't really trust anyone to keep your data private. You have to assume everything you do online is being stored as data by someone, somewhere, and may never be deleted.

      --
      "That's the way to do it" - Punch
  4. That One Privacy Site by worf_mo · · Score: 3, Insightful

    I've found the VPN section on That One Privacy Site to be quite an informative resource. There's a lot of information from Choosing A VPN up to a detailed comparison chart.

    My use case: I don't care about LE nor intelligence agencies; I just need a reliable VPN for those times when I have to connect via an "insecure network" (as in hotel Wifi), and for that I simply installed OpenVPN on a VPS, created some certificates and installed them on my devices. Works like a charm, and if needed I can spin up a new VPS and install everything within minutes using a script like openvpn-install. And if one prefers to run an IPsec VPN server there's Algo VPN, a set of Ansible scripts that helps with the setup.

  5. This could be a lot of fun for Chinese intel by MikeRT · · Score: 4, Insightful

    And you bet your ass that the Ministry for State Security has met with the company owners and said that as long as they log and turn over the logs of foreigners, they have the blessing of the MSS. Because you can bet that Chinese intelligence is poring over those logs, looking for kompromat on people who matter to their work.

  6. Only VPN apps? by doubledown00 · · Score: 3, Insightful

    One should be worried about everything from the app store. It is awash in "free" games, GPS apps, etc that do nothing but masquerade as ad delivery conduits that also spy on the user.

    This isn't new or limited to free VPN apps.

    Just the other day we had a story about "free" GPS apps that were nothing but Google Map overlays that show ads. A few years ago there was a story about a bunch of long abandoned apps that had suddenly come alive again. It turned out that a Russian company bought the apps and their domains and had begun "updating" the app with new invasive code.

    At times I feel like we're back in the late 80's / early 90's again downloading unknown cool sounding programs in the middle of the night off some guy's BBS. The difference is today the apps are surrounded in an aura of legitimacy because they come from a "store".