is your vpn spying on you

Is Your VPN Collecting And Selling Your Data?

The very tool you use to protect your digital privacy may be violating it without your permission.


In February of 2021 I came across reports of an interesting package for sale via a hacker forum. The anonymous seller claimed to have three databases containing credentials for 12 million Android users.

These databases contained users’ passwords and information about their mobile device. They even had the Google account details for many of these users. The data allegedly came from three of the most popular VPN apps for Android.

How could the hacker get his or her hands on such a huge amount of such private data? VPNs exist to protect your privacy online; surely this hack necessitated high-tech wizardry and low-level coding brilliance.

Not at all! The VPN apps stored their logs in databases using default userids and passwords! So this “hacker” could have found a simple password list like this one. All they had to do was to try the default user name and password on those databases to get in.

Moreover, the most popular app of the three, SuperVPN, was known to be unsafe for more than a year before this incident. This didn’t stop Google from allowing it on the Play Store, nor from allowing Android users to install it 100 million times! So much for Google ensuring your safety by patrolling what’s on their Store and on your phone.

If the very apps meant to protect your privacy can be guilty of such massive and remedial blunders, what are the chances that we can trust them? How do we know they are guarding our digital privacy as they claim?

The truth is we can’t. Not without doing some homework and background checking to find out what’s going on. Fortunately there are some VPN services that actually do what they promise.



What Is A VPN?

Think of a VPN as a tunnel through which your data flows. The VPN encrypts (converts to a code) everything going through this tunnel so that no one can read it. Your Internet Service Provider (ISP) will be able to see an internet connection from your device. But they can’t read the data inside the tunnel. They have no way of knowing what traffic is going through it, where it comes from or where it’s going to.

That’s enough of a definition for now. (There’s plenty of information online explaining what a VPN is in detail. For example, here and here.)

Why Do I Need To Improve Privacy With a VPN?

But exactly why do you need to “hide” your online activity? And who are you hiding it from?

First, your ISP has enormous access to your online activity. Many laws exist which allow governments and other agencies to view that information.

In the E.U. the GDPR should protect us from that. In the U.S., though, ISPs make money by selling the data of the customers who pay them! And they don’t even need permission. (Here’s a fascinating report examining what U.S. ISPs know about their users. It mentions privacy intrusion, illusory choices to consumers and using data in potentially harmful ways.)

Even in Switzerland, famous for its privacy laws, you aren’t completely safe. Swiss email provider ProtonMail is known for high standards of privacy and does not log user activity. But in October 2021, Swiss police ordered them to collect and hand over data about a certain user. They then handed that data to the French authorities!

Even Switzerland can not guarantee your digital privacy

At an everyday level your mundane data is gold to advertisers. And the more the better. If a company knows what you do online, where you go, what you prefer etc. they can target you with relevant ads. In the hands of authorities, this data is often used for something more sinister like surveillance.

In this manner you are continuously tracked across the internet. Your IP address, your location and much more is being logged. Do you have a Facebook account? To see what I mean, have a look at the huge amount of data Facebook knows about your online behaviour, even after you leave Facebook!

Of course, HTTPS already encrypts traffic these days. But only between your browser and a webserver. This encryption simply isn’t enough now that tracking has become much more sophisticated. Browser fingerprinting and tracking by placing a pixel or a cookie on your local computer are commonplace. Companies as well as governments are aggressively gathering information about you, even as you read this.

How a VPN Can Improve Your Privacy

Following are some of the many ways a VPN can help with your digital privacy.

On a public network, by definition, someone with the right tools can see all data you send and receive. As mentioned, ISPs can see everything you do online. A VPN will protect you in this case by encrypting that data. The ISP can see that your account is connected but NOT what you are doing online.

VPNs are useful to businesses by providing employees with secure connections to the company network from home or on the road. On a home network you’re more secure because of the login credentials needed to connect to your router but a VPN adds an extra layer of privacy.

A VPN can also reduce advertiser tracking. When you connect to the VPN, you connect to one of their servers. This server gives you an IP address, thus hiding your real IP address. If an advertiser wants to track you using your IP address, they can’t follow you.

A VPN can bypass censorship. This can be very useful when a government or nation-state wants to silence critical voices. Be careful using a VPN in such places as you could be breaking the rules and risk the wrath of powerful people.

A widespread modern use of a VPN is to bypass country-specific blocks, particularly those of streaming services. For example, Netflix has different content in different regions of the world. Using a VPN you can get an IP address in another country and so appear to Netflix to be in that country. Then you can watch the country-specific content problem free. I’ve never used my VPN for this but it’s a huge use case for people who have time to watch TV.

What a VPN Can Not Do

Misinformation abounds where little-understood technology is involved. So, let’s address your information sources first: get your information from trusted sources. (Your trusted sources may differ from mine. Mine don’t include non-technical friends and family, mass media, social media and most Reddit and Quora users.)

A VPN works on your internet connection and on that alone. It can’t protect you from problems for which it’s not designed. Once you realise this limitation you’ll understand why there are so many things it can’t do.

First, a claim made by some VPN services is that it can keep you 100% anonymous online. It can’t; stay away from any service that claims it can because they are lying. Your ISP always knows you’re online (they gave you the account and IP address after all). Some countries can demand VPN traffic and logs. Everything you do on social media is there to be seen because it’s … well, social. To be anonymous on social media, stop using it. Total anonymity online is only possible by, you guessed it, not being online.

It also won’t protect you from viruses and other malware. (Some VPN services do have this extra feature built in but it’s a separate function).

It’s also important to understand that even with a VPN, once you identify yourself to a service via a username and password, they can track you. You cannot stop sites like Google, Facebook and Amazon from seeing when you log into your account. They can then use their tracking tools (Facebook’s pixel or Google’s massive network of websites running Google analytics) to follow you online.

Neither will a VPN increase your connection speed, usually. In fact, many will reduce your speed significantly. VPN encrypting typically adds 5-10% to your traffic volume. Some exceptions apply here. If your ISP is throttling your bandwidth or has poor routing then using a VPN could boost performance.

When you shop online your credit card information can end up in the hands of tech giants like Amazon and marketers. A VPN can’t do anything about that.

A VPN won’t stop websites you visit from tracking you via browser profiling. When you factor in your operating system, browser, timezone, screen resolution, language, plugins, etc., it’s very unlikely that two browsers will have the same fingerprint.
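To make the fingerprinting point concrete, here is an added example (not part of the original article) that builds a fingerprint from the attributes listed above and shows it staying the same when only the IP address changes. The visits, the population shares and the function names are constructed for illustration, and the attributes are treated as independent.

```javascript
// Added example. All visits and population shares below are constructed sample data.
const KEYS = ["os", "browser", "timezone", "screen", "language", "plugins"];

// FNV-1a, a small non-cryptographic hash, used here only to get a short identifier.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The fingerprint is built from browser-side attributes only; the IP is not an input.
function fingerprint(visit) {
  return fnv1a(KEYS.map((k) => `${k}=${visit[k]}`).join("|"));
}

// Identifying information in bits: sum of -log2(share of browsers with that value),
// treating the attributes as independent (a simplification).
function identifyingBits(visit, shares) {
  return KEYS.reduce((bits, k) => bits - Math.log2(shares[k][visit[k]]), 0);
}

// What a fingerprinting site can do: group visits by fingerprint, whatever the IP.
function linkVisits(visits) {
  const groups = new Map();
  for (const v of visits) {
    const fp = fingerprint(v);
    groups.set(fp, [...(groups.get(fp) || []), v.ip]);
  }
  return groups;
}

const laptop = { os: "Linux", browser: "Firefox 115", timezone: "UTC+1",
  screen: "1920x1080", language: "en-GB", plugins: "pdf-viewer" };
const other = { ...laptop, timezone: "UTC+2" };

const SHARES = { // constructed: fraction of all browsers reporting each value
  os: { Linux: 1 / 16 }, browser: { "Firefox 115": 1 / 4 },
  timezone: { "UTC+1": 1 / 8, "UTC+2": 1 / 8 }, screen: { "1920x1080": 1 / 8 },
  language: { "en-GB": 1 / 4 }, plugins: { "pdf-viewer": 1 / 64 },
};

const VISITS = [
  { ...laptop, ip: "203.0.113.7" },   // home connection, no VPN
  { ...laptop, ip: "198.51.100.20" }, // same browser through a VPN exit
  { ...other, ip: "198.51.100.20" },  // a different user sharing that VPN exit
];

const groups = linkVisits(VISITS);
console.log(groups, identifyingBits(laptop, SHARES), "bits");
```

With these constructed shares the six attributes add up to 20 bits, which is enough to single out one browser in roughly a million, and the two users behind the same VPN exit address are still told apart.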

Tracking can be blocked to some degree with a VPN

Cookies are stored on your browser’s device so a VPN can’t do anything about that.

A VPN will not help you get past services that specifically block VPNs.

Most worrying is what a VPN SHOULD do but often doesn’t. Many VPN services have leaks and most of them keep logs about user activity!

In addition, a VPN won’t protect you from phishing attacks, hacking of your online accounts (like Google, FB, Amazon, Netflix, your website) or unsecured devices, and it won’t protect you against social engineering scams.

Finally, when using a VPN you’ll come across more captchas and other security checks to validate you as a real user. Since many users use the VPN at the same time, many of them can have the same IP address assigned by the VPN. This can make a website suspicious and present an “are you human” check more often than when not on a VPN.

That’s a lot of things it doesn’t do. As I said, a VPN encrypts your internet traffic. That’s it.

In short, a VPN can stop bandwidth throttling by your ISP, potentially prevent DDoS attacks, encrypt your data (even on unsecured or fake networks), bypass geo-blocks and firewalls, make torrenting safer and hide your digital footprint.

Used as part of your security strategy (together with a firewall, antivirus software, ad blockers and password managers) you can be reasonably confident of a more private presence on the web than without.

Which VPN Should I Choose In 2022?

The big question here is simply one of trust. Can you believe the claims of the VPN provider? This is why you should seek out a service that is transparent and audited by a third party.

Let me get this out of the way first: Free VPNs are generally not worth the time taken to install them. They usually

  • reduce speed
  • have a low number of server options globally
  • sell your information to allow targeted advertising.

Ever hear the phrase “if the product is free then you are the product” … ?

Of course, it’s not only the free VPNs you need to watch out for. In truth, you need a VPN service that provides all of the following:

  • No Logging. Many VPNs claim they don’t log your activity. A famous case concerned the popular UFO VPN which claimed to record no logs. Security investigators found that they not only recorded user activity but the database storing those logs was accessible via the internet with no password. (UFO VPN is still going strong but no longer claims to keep no logs.)

    Many VPNs that do keep logs state in their Terms of Service that they may share your information with third parties. Stay away. This condition of use has no place in a service that purports to protect your privacy.

    Of those that claim no logging, choose one that has been verified by a third party.
  • Location. You’ll want a service outside of jurisdictions that allow or demand forced handover of personal user information. Make sure it’s outside all of the 5-eyes, 9-eyes and 14-eyes alliances. These countries collect and share user data, often illegally.
The 5-eyes alliance countries can spy on each others’ behalf and share their findings with each other.
  • They should provide a money-back guarantee.
  • Performance should live up to the provider’s claims.
  • Choose a service that allows connecting multiple devices. This way your office PC, home laptop, mobile phone and even the devices of family members can benefit from the service.
  • No leaks. Some VPNs can leak IP addresses or other DNS information. Again, choose one that’s been checked independently.
  • VPN services clearly hold a lot of power and this power will increase in future. Be sure you use one you trust.

That’s quite a lot to ask for. When you apply the above list as a standard to all the VPNs on the market, there are very few that make the cut.

Fortunately, some services offer all of the above and more. NordVPN, ExpressVPN and SurfShark consistently make the top 5 lists by those who monitor VPN services closely. One site I respect is RestorePrivacy – check them out for in-depth reviews and tests.

Note: Self-hosted VPNs are becoming a thing but they remain in the domain of tech nerdery. They are a valid free option but out of the question for most people because of the level of knowledge required. Besides, data is often stored on Cloud platforms like Google’s or Amazon’s. So you run the usual risks of dealing with the tech giants: They can use your data or hand it over to third parties when requested.

Beyond VPNs – How To Ensure Even More Digital Privacy

There are, of course, other things you can do to increase your privacy in addition to using a VPN. Which of these you add will be determined by your tolerance for technical complication and the time taken to set them up:

  • Use a password manager to ensure complicated passwords. It also makes logging into sites much easier. Bitwarden is a good open-source manager.
  • Use ad blockers and other privacy extensions on the browsers you use.
  • Use a privacy-friendly browser: Brave, Firefox, Tor, Ungoogled Chromium, Bromite for Android are all better choices than Chrome or Edge or Safari.
  • Use a privacy-friendly search engine like DuckDuckGo or Brave.
  • Never, ever store passwords in your browsers.
  • Use antivirus software that doesn’t install third party apps and collect your data. Many antivirus solutions utilise invasive data collection techniques. They can abuse your privacy and often come with “unwanted” additions.
  • Use Secure messenger apps. WhatsApp collects and shares data from your phone with Facebook, their parent company.
  • Use a private email service like ProtonMail (still better than most despite handing over data in the case above) or Tutanota. Gmail gives access to 3rd parties and Yahoo has been found scanning emails in real time for the U.S. government.
  • Don’t be naive; avoid social engineering scams.
  • Use a more private operating system like Elementary Linux, Ubuntu or Linux Mint.
  • Run your VPN while using your browser’s incognito mode.
  • Use a Virtual Machine (VM) to hide information about your physical device.
  • Use the Tor browser to make your fingerprint identical to all Tor users. This will make browsing very slow, though.

Bonus tip

Carefully read through the privacy policies of every software and service you use. Yes, it’s boring and it takes time. But you’ll become very well educated about your digital privacy.

CONCLUSION

If, for whatever reason, you want your traffic to appear to be coming from another country, a VPN can help. If you want to make it harder for advertisers to track you across the internet, a VPN can help there, too. If you want to ensure that your ISP knows as little as possible about your online activity, a VPN will help with that as well.

Just remember that it is never, ever “perfectly safe” to exchange data over the internet. There are always flaws and breaches and mistakes and probably always will be. It’s always best to have multiple approaches to your online security and a VPN is a solid tool in that case.

Your Say

Of course there are always the naysayers: some experts claim that a VPN is a useless waste of your time and money. What do you think?

Sources

https://www.technadu.com/what-a-vpn-does-not-do/97835/
https://www.mcafee.com/blogs/privacy-identity-protection/attention-android-users-this-free-vpn-app-leaked-the-data-of-21-million-users/#:~:text=As%20of%20last%20Friday%2C%20someone,(10%20million%20installs)%2C%20and
https://cybernews.com/security/one-of-the-biggest-android-vpns-hacked-data-of-21-million-users-from-3-android-vpns-put-for-sale-online/
https://sites.google.com/site/saynamweb/password
https://coveryourtracks.eff.org/static/browser-uniqueness.pdf
https://www.pcmag.com/reviews/alphabet-outline-vpn
https://www.makeuseof.com/privacy-anonymity-security-mean/
https://www.pcmag.com/how-to/what-is-a-vpn-and-why-you-need-one
https://www.pcmag.com/news/t-mobile-to-share-customers-web-browsing-data-with-advertisers-unless-they
https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf
https://techcrunch.com/2020/09/24/free-vpn-bad-for-privacy/#:~:text=Free%20VPNs%20are%20bad%20for%20you.&text=VPNs%20work%20by%20funneling%20all,privacy%20or%20give%20you%20anonymity.
https://restoreprivacy.com/vpn/best/
https://vpnpro.com/vpn-basics/what-is-a-vpn/
https://www.facebook.com/help/2207256696182627/?ref=ofa
https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint
https://www.zdnet.com/article/reader-question-answered-if-i-have-https-do-i-need-a-vpn/
https://www.howtogeek.com/724472/do-isps-track-and-sell-your-browsing-data/
https://www.techdirt.com/articles/20210908/17064547528/protonmail-turned-over-french-activists-ip-address-to-law-enforcement-following-request-swiss-authorities.shtml#:~:text=ProtonMail%2C%20a%20hosted%20email%20service,was%20using%20the%20online%20service.
https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/
https://en.wikipedia.org/wiki/Encryption
https://restoreprivacy.com/privacy-tools