Do Free VPNs Really Sell Your Data?

In the 21st century, privacy concerns top the list of people’s issues with spending time online. We warn children not to divulge their identity or address. We do the same with adults often. Identity theft runs rampant. Hackers attack both small and big businesses. Online protections keep increasing in importance.

Many companies and individuals now use virtual private networks (VPNs) to protect their information. Private citizens can easily do the same. Some people have expressed concern over the possibility that the VPN service would sell their information – either their personally identifying information or information regarding their websites visited or IP address.

How VPNs Work

Consumers usually worry that a free Virtual Private Network will sell their information. The simple reason for that is that VPNs cost quite a bit to run. They require expensive equipment and free providers tend to turn to advertising or in the past, information sales.

Example Ad #2

When the Internet was developed, it focused on the speed of transmission. Communication took place between a very few academic and military organizations. Security concerns did not rank high.

While the Internet remains a generally open network of virtual roads that information travels, using a private business VPN like a local area network connected with another of your satellite office’s LAN. Using a personal VPN merely encrypts the data between you and the network service. Once it reaches the server, it gets decrypted and then sent on to your final recipient. That means that if a hacker intercepts your information, they cannot read it. It encrypts the information and your machine’s IP address, plus it means that the service’s IP address is what your recipient sees.

This complicated process requires expensive servers, routers, network pipes and hardware to run a VPN.

Privacy Concerns

Besides serving advertisements or conducting information gathering, some free VPNs function as covers for malware distribution or criminal organizations to information harvest the personal information of their users. The personal information can then be used in identity theft schemes or sold. Other dubious practices include browser hijacking like Hotspot Shield was caught doing or the bandwidth stealing and redirecting that the Hola service was found doing for Luminati.

According to a CSIRO study, 38 percent of free Android virtual private network apps contain malware. Google Play acceptance and number of downloads mean nothing. For example, VPN Master – Free VPN Proxy has a rating of 4.5 out of 5 and nearly 100,000 downloads. Its app also turned up eight positive malware results when examined using VirusTotal. Malware hidden inside one of these apps targets five types of malicious actions:

  • serves spam, spam emails and targeted ads,
  • hijacks users’ online accounts,
  • steals bank, debit and credit card information ,
  • steals your digital assets or products,
  • encrypts or locks you out of your device for ransom (ransomware).

That’s why it’s so important to vet your choice of service by reading professional reviews and user reviews. CNET hosts a consistently updated directory of legitimate providers. Each provider receives a rating and review. The list notes whether the service logs: traffic, DNS requests, and IP addresses. Logging this provides them with your sites visited, location, and potentially, access to the information you send.

Some services like Surfshark have always had a policy of keeping no logs. It doesn’t track incoming or outgoing IP addresses, browsing or purchase history, servers used, network traffic information or other sessions. Services like these are few and far between. You can find them by using the directory.

As a second measure, just Google each service you consider. If a service provider has declined in quality since its CNET review, it will show up in the user reviews that appear in the search results. This way you will be more up-to-date and make a better decision.

How GDPR Helps

Enter the General Data Protection Regulation (GDPR). The European Commission planned its new regulation set beginning in January 2012. It took effect on May 25, 2018. It provides information protections to businesses and individuals in European Union member-states meant to ensure trust and readiness for the digital age.

The GDPR applies to any business that has European customers or a location in Europe. For online businesses like Software as a Service (SaaS) like a virtual private network, essentially it applies. So, what does GDPR do to protect you from businesses that would have mined and sold your personal information in the past? Simply put, GDPR made that illegal.

What GDPR Illegalized

Here’s specifically what GDPR made illegal:

  • keeping how the company uses customer or vendor information a secret,
  • refusing to or failing to provide consumers the ability to opt-out from communications and/or from their information being used,
  • refusing to or failing to provide a method of complete account/personal information deletion,
  • failure to report an information breach or hack,
  • forcing consumers to provide permissions in order to achieve app functionality.

The EU imposes hefty fines on the business if they’re caught in non-compliance. Some major corporations have already been hit by fines. Both Facebook and Google were sued under the GDPR by the non-profit NOYB for using “forced consent.” The organization takes its name from an American slang acronym for None of Your Business. Google and Facebook, plus the Facebook subsidiaries Instagram and WhatsApp were accused with violations of Article 7(4) of the regulation because those apps do not present opt-in choices for information processing consent individually. A user must consent to all or nothing in order to use the app, a practice made illegal on May 25, 2018. In Google’s case, the EU already levied the fines.

Enforcement of GDPR

Enforcement of online violations is much simpler than those of bricks-and-mortar variety. If a business does not pay their fines, their access to the European Internet nodes can be shut off. As discussed previously, the Internet began between academic, government and military entities. The government entities retain control of the Internet’s supernodes. Governments can ban IP addresses in mass. Try, for example, to watch a Chinese network television program online from the US. Using legal means, you can’t usually. Under normal circumstances, the distribution rights to certain shows only apply within their country of origin and countries where a network has purchased distribution rights. For the same reason, Chinese residents have a tough time viewing most American TV shows. The governments have blocked the IP addresses or have required the businesses themselves to prevent IP access. For those who don’t know, your IP address reveals your physical location, one of the reasons many people want to use a virtual private network.

Regulatory Requirements

The regulation set also requires businesses to make changes to communicate better how they use information. One of these requirements was an update to the business’ or organization’s privacy policy. That’s why at the end of May your email box was probably rather full of requests to read and accept the changes to the company’s privacy policy – for every business you do online.

One significant change to the law that applies to SaaS is the “right to be forgotten.” Let’s say you already use a VPN, but after reading this and visiting the CNET directory, you no longer want to use them. Perhaps you understand that it does still legally log information that you would rather keep to yourself. The GDPR provides consumers the right to tell the company they want to sever any existing relationship and they want their information wholly deleted from the business’ database and records. The industry must comply or risk a lawsuit from the consumer, as well as, EU fines and other punishments.

In the past, companies remained cagey when hacked or when a disgruntled employee or former employee destroyed, misused or stole data. The shady company might have kept it secret entirely or waiting weeks or months to inform consumers or vendors. Under GDPR, companies must report breaches within a week of their occurrence. They get another week to prove to the EU that their company functions securely and shore it up if it wasn’t.

GDPR Applies to Third Party Vendors

The GDPR also applies to two sets of entities: controllers and processors. Article 4 provides the details. Primarily, a controller “determines the purposes and means of processing of personal data.” The processor processes personal information for the controller. That means the law applies to a third-party company that handles information for a company or companies. The personal information the regulation set protects includes a consumer’s name, address, photos, IP address, biometric data and genetic information.

Did free virtual private network providers once misuse or sell your personal information? Yes, some did. Some will probably still try. The GDPR provides additional protections though, and while many organizations previously got away with numerous illegal activities related to personal information misuse, the new regulations go a long way to ensure that doesn’t happen anymore.

Leave a Reply

Your email address will not be published. Required fields are marked *