Although VPNs are supposed to protect users’ personal data, some unscrupulous providers do not hesitate to exploit it. This is revealed by an American investigation into popular applications.
Long reserved for professionals, VPNs (Virtual Private Networks) are becoming more and more popular among the general public. And for good reason: easy to install and use, these services act as a relay on the Internet, making it possible to secure and anonymize a connection, but also to change the public IP address, and therefore the apparent geographical location, to access services that are in principle inaccessible, in particular on streaming platforms. These advantages make them valuable to many Internet users in their daily use.
The catch: by their very nature as intermediaries, VPNs “see” all the information that passes between their users and the sites they visit. Some of it is obvious and necessary; some is more confidential and in principle encrypted (usernames, passwords, bank details, etc.). It seems normal that VPN publishers keep certain statistical information, which is essential to provide plans based on the amount of data consumed or to limit connections to a certain number of devices. One can wonder, however, about the use they make of other, more sensitive data, such as the addresses of the sites visited. Especially when you know that the majority of providers offering free services live precisely from the exploitation, and resale, of personal data. And, in this area, it seems that not all VPNs are in the same boat…
To find out more, the venerable Washington Post addressed the issue by studying, with experts, the nature and amount of data collected by certain VPNs. In this case, very popular free applications. And more precisely, applications of Chinese origin. The newspaper found that they pose privacy risks, going so far as to say they collect more information than TikTok! It is however necessary to place this analysis, and its conclusion, in the current context of diplomatic and economic relations between China and the United States, the Americans being wary of everything that comes from the Middle Kingdom, in particular when it comes to technology. This is evidenced by the crisis crystallizing around the question of banning TikTok on American soil and in other countries. The fact that the newspaper is focusing on Chinese VPNs should be seen in that context.
VPN Security: Recorded Personal Data
Like most tools offering online services, VPNs record and keep certain identification data to manage their users: first and last name, email address and bank details, in the event that a paid subscription has been taken out. This is standard practice, which poses no problem a priori. But they also keep “activity logs”, which contain the user’s IP address, the time of connection to the service, the destination IP addresses, the volume of data exchanged per day, the details of the connection sessions, etc. And there, it gets a little more complicated. To know exactly what a given VPN collects, you have to look in the provider’s terms and conditions… hoping that it is transparent!
There is a big difference between the amount and nature of personal data recorded by paid VPNs and free VPNs, with the latter tending to resell certain personal data to third parties – this is even the basis of their business model. Popular VPNs have misled consumers about their practices while concealing their origins, operations, and headquarters, according to an investigation by The Washington Post. The newspaper particularly points the finger at VPNs based in China or controlled by Chinese nationals, insofar as the Beijing government can force Chinese technology companies to provide information to government authorities.
VPN Security: Opaque Privacy Policies
However, these problematic VPNs are promoted by digital giants Google and Apple through their official app stores. Indeed, Google and Apple sell the VPN publishers advertising space on the App Store and the Play Store and take a commission on each sale made on their platforms. The Washington Post cites the example of the Turbo VPN application, which is among the top results on the Google Play Store with more than 100 million downloads. A closer look reveals that Innovative Connecting, its publisher, is registered in the Cayman Islands but has its headquarters in Singapore. And going a little further, we discover that several Chinese nationals have been directors of the company in recent years. “Like many other apps, there is no way to prove who or where the real owners are”, explains the newspaper. Note however that, in its terms and conditions, Turbo VPN indicates that it does not keep an activity log and only accesses and transmits anonymous data or data related to the operation of its application (technical bugs, connection failures, diagnostics…).
As for Thunder VPN, which also appears in the first results of the Play Store, the application belongs to Signal Lab which, contrary to what its name might suggest, has no connection with the Signal encrypted messaging app. The company, reportedly based in Hong Kong, indicates in its privacy policy that its VPN does not keep user activity logs, but may collect connection times to its service, the total amount of data transferred per day, etc. In addition, it reserves the right to monitor user activity to investigate “any possible violation” of the terms of use and reserves the right, “in our sole discretion and without notice, remove, block, screen or otherwise restrict any material or information that we consider to be actual or potential violations of the restrictions set forth in these Terms, and any other activity that may engage the liability of Thunder VPN or its customers.” Curious and not really reassuring…
The Washington Post asked Google and Apple which VPNs they allow on their official stores. Apple replied that “VPN apps are powerful tools that can be used to track users’ internet traffic, so we have strict guidelines on what VPN app developers must do to get on the App Store.” For its part, the Redmond firm explains that “Google Play has policies in place to ensure user safety that all developers, including VPN apps, must adhere to. We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we’re taking appropriate action.” Some pretty vague answers…
Admittedly, the Washington Post investigation should be put into the context of the suspicion of interference and espionage that reigns in the United States vis-à-vis China. But, even if its results must be taken with a grain of salt, it has the merit of pointing out a little-known, and underestimated, aspect of VPNs: the actual use made of the data that these services process. It’s all well and good to go through an intermediary to protect yourself on the Net: you still need to have absolute confidence that it keeps confidential all the information it sees passing through…