Can VPNs Really Be Trusted?

With hacking attacks, government surveillance and censorship constantly in the headlines, more and more people are looking for ways to increase their privacy online. One of the simplest and most popular solutions is to use a virtual private network. With a VPN, all your internet traffic is encrypted and tunneled through a third-party server, so it can’t be traced back to you. While this can be very effective, it must be noted that the main objective of a VPN provider – like any other company – is to make a profit. Although concern for the principle of web privacy may come into play, no one would be so naive as to assume that a VPN is in it for purely altruistic purposes. With this in mind, it’s worth asking: why should users place their trust in VPN providers?

VPNs Have Been Known to Run into Trouble

No Software is Immune to Vulnerabilities

Ordinarily, when you connect to a website from your computer, you do so from your IP address. However, when you use a VPN, rather than sending the message out directly, your data first gets sent to one of the VPN’s servers and is only then routed to its final destination. That means that instead of seeing your IP address, the website you’re visiting sees the IP address of the server, and no one – not your internet security provider, the government, or hackers – is able to trace your online activity back to you. In other words, the whole concept of achieving web security through a VPN is based on keeping your real IP address hidden. That’s why it was so disconcerting when a recent investigation revealed a vulnerability in three major VPNs that caused users’ IP addresses to be leaked. That’s not to say that IP addresses were revealed every time a customer used the VPN, just that under certain conditions it was possible for a hacker to divert the user’s traffic to the hacker’s server instead of the VPN’s and gain access to the user’s real IP address. Although this was obviously not good news, vulnerabilities like this crop up all the time in the cybersecurity world. What’s important is how proactive companies are in identifying and fixing them. Fortunately, two of the providers implicated in the study have since created a patch for the updated versions of their VPNs.

Some VPNs Hold onto Your Data

In addition to maintaining tight security, it’s also crucial that a VPN provider practice transparency. Those who have even dipped a toe into the world of VPNs have likely seen the words “no logs” touted as an attractive feature. This means that the VPNs themselves don’t track your internet activity. However, a no logs claim can denote different things for different VPNs, so it’s crucial that the VPN you use provide a clear privacy policy on its website. A good VPN won’t track sites visited, duration of sessions, or store your IP address, but most will keep records of your email address and payment information (for obvious reasons). Users should be aware of other nuances, as well. For instance, in order to provide better customer support, one VPN might take note of your operating system and how much data you use, while another may forgo this for the sake of increased privacy. If a provider’s privacy policy doesn’t reach this level of detail, consider it a red flag.

Certain VPN Mobile Apps Have Been Found to Contain Malware

A study by the Commonwealth Scientific and Industrial Research Organisation found that of 283 VPN Android apps examined, 38% showed indications of being infected with some form of malware. That said, once the researchers controlled for a high probability of false positives, they reduced that number to four percent. Almost half of this malware was for the purpose of advertising. In addition, 82% of the apps requested permission to access sensitive data, such as user accounts and text messages, and 18% used tunneling technologies that aren’t encrypted. What may be more disconcerting to some is how little VPN users are aware of potential risks. Because VPN apps require the ability to manipulate all of your phone’s web traffic, Android sends users two warnings notifying them of the change to their device. However, few users are likely to understand the full implication of granting such permission to a third party. Moreover, VPN users tend to give favorable reviews, and even when they don’t, security is low on their list of gripes. In fact, less than one percent of negative reviews for the VPN apps studied were related to security concerns.

Steps You Can Take to Improve Your Security

It’s clear from many of the above examples that the primary reason VPNs might put users’ privacy at risk is for the benefit of advertisers. From this, we can deduce that – because they don’t need to rely on advertising for revenue – VPNs that you have to pay for might be more trustworthy than free VPNs. That said, there do exist reputable free VPNs that manage to keep their doors open without selling your data. Generally, these make their money by openly displaying advertisements or by limiting features in order to encourage users to upgrade to a paid plan. And in the case of both paid and free VPNs, there are steps you can take to ensure your privacy and security:

1. Carefully read your VPN’s privacy policy and ask customer support if you have any questions or if something seems amiss.
2. Make sure you have antivirus software installed on your device.
3. Seek out objective third-parties that test and review VPNs.

As has been shown in the Android app study, VPN users tend to lack an awareness regarding security issues. Therefore, it’s crucial to take into account the reviews of experts who are qualified to identify potential threats. Besides helping users choose the right VPN for them, as the above-mentioned studies have shown, these sites also keep VPN providers on their toes and enable them to fix vulnerabilities as they arise   About the Author: Sara Levavi-Eilat is a writer and editor for vpnMentor.com where VPNs and cybersecurity issues are analyzed, tested and reported on.   Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.