How shareware VPN providers sell your data
Hello, Habr.
We have news for you: there are no free VPNs. You always pay, either by viewing ads or with your own data. For advocates of the basic idea of anonymity on the Internet, the latter form of payment is especially unpleasant. The problem is that you yourself make the decision to sell or transfer information about you to third parties.
User agreements are everywhere, but who reads them? In the summer of 2017, 22,000 Britons agreed to clean public toilets by going online via a public Wi-Fi network (I wonder what we agree to by connecting to Wi-Fi in the Russian metro). The non-profit project The Best VPN Services conducted a study and found that some VPN providers share user data “legally”: this is spelled out in the User Agreement of even the most popular of them. Today is exactly a year since the publication of that material, and we decided to see whether the information in the study is still relevant.
According to an article by The Best VPN Services, some VPN services transfer information about users to provider-related companies or to those who simply pay more. In addition, many services do not tell users how they make money from them, or are opaque about it: here you can read the complaint that the American Center for Democracy and Technology (CDT) addressed to the Federal Trade Commission about the shareware Hotspot Shield Free VPN. It turned out that the service violated its own privacy policy and collected MAC addresses, IMEI, names of wireless networks and other user information. After reverse engineering the client application, the researchers found five different libraries that could be used for deanonymization.
And here you can find out what the Commonwealth Scientific and Industrial Research Organisation (CSIRO) thinks about VPN applications from Google Play: 84% of them contribute to traffic leakage. Another feature of shareware VPN services is the distribution of links to websites of certain companies and intrusive advertising.
What does a deal with a VPN devil look like?
Researchers at The Best VPN Services ranked the 10 most popular VPN providers that can sell your personal data to other companies and people:
We assume that there are actually many more such services. But the above providers at least do not hide it; it is just that no one reads their user agreements.
Let's focus on the most interesting “discoveries” of The Best VPN Services project and consider the three largest VPN providers. An analysis of each of the ten selected services can be found on the study page, bearing in mind that it was published in May 2018. We will talk about the updated data.
Hola and selling your data to “only decent customers”
Hola is a browser-based VPN with more than 150 million users. The company exploits the idea of “community-supported freedom”: the VPN is free, but you can add to the service.
After a DDoS attack on the 8chan board in 2015 (there is an article about it on Habr), it turned out that Hola sells its users' Internet connections to third parties: in particular, user data ends up in the Luminati commercial network. This information caused a great response in the Internet community, and a group of activists created the “Adios, Hola!” website, which exposes the extension's vulnerabilities.
Official Hola answer: “We are an innovative company. Skype also used your traffic. We sell Luminati only to respectable customers (not like Tor). Everyone has vulnerabilities: Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft.”
Let's look at the Hola user agreement that was in force in 2018:
The provider honestly names its goals: research, analysis and marketing. But that doesn't sound like anonymity. The current agreement looks like this:
Source: hola.org/legal/privacy (2019)
Collecting data to “improve quality or to provide services” is a common clause in the policies of many VPN services. But here the provider again openly states that it shares user data with other companies. At the same time, Hola stores user data indefinitely, for as long as it is needed to ensure the operation of the service:
Source: hola.org/legal/privacy (2019)
Previously, the provider did not hide that information about the user goes to the Luminati commercial network. In other words, access to your computer used to be sold to people who pay for it. It is not known whether Hola is doing something similar today: the wording in the privacy policy is now quite vague.
Here is a snippet from the old Privacy Policy:
Source: hola.org/legal/privacy (2018). The Hola site no longer contains this information.
How Hola makes money:
- The provider may transfer your personal information to third parties.
- The provider uses the user's device as a host and gets access to it while you use the VPN (it promises to keep personal information safe and to use the device only as a router).
According to Hola, they do not in fact transmit information to third parties. They have a paid version used by companies and corporations. They use “a small part of your computer’s resources when they are not in use (so that we never slow you down) for the benefit of the network.”
Source: hola.org/faq
Betternet and draining your browser history
Betternet is another major VPN service with free and premium versions and over 38 million users. On its official website, the provider tries to answer honestly the question of where it gets its money from: users are invited to install third-party partner applications and watch an advertising video, or to buy a subscription to get the "highest level of service." Does this mean that your data is not sold? It seems not.
“We can share your location (at city level)” ...
Source: www.betternet.co/privacy-policy
CSIRO also notes that Betternet has a large-scale library with user data. In 2018, their Privacy Policy looked different: Betternet stated that advertisers can access the user's browser history.
Screenshot from the previous Privacy Policy (2018)
How Betternet makes money from users today:
- Advertisers have access to the approximate location of the user (at the city level).
- Display advertising.
VPN ghost in Opera
An honest and free VPN could be a great way to popularize the Opera browser. In the spring of 2018, the Opera VPN mobile application announced that it was shutting down, and its former site is no longer available. But the free VPN that has been built into Opera since 2016 has not gone anywhere. At the same time, the privacy policy that can be found on the site is the same for all products: Opera can collect your personal data, including for marketing campaigns. The privacy policy allows the provider to pass information to third parties and to track your data.
Source: www.opera.com/privacy
“When installing the Opera application, a random installation identifier is generated. We may collect this identifier, as well as the identifier of your device and hardware specifications, configuration of the operating system and environment, data on the use of functions. We use this information for certain legitimate business purposes:
- To better understand how people interact with our applications and services;
- To change, personalize or otherwise improve our applications and services;
- Determine the effectiveness of advertising campaigns and advertising;
- Detect, debug and fix crashes in our applications and services;
- To prevent security breaches and abuse.
This information helps us improve our products and services. We have no practical way to use this information to identify you personally. We can store this data for up to three years ... ”
Source: www.opera.com/privacy
Polish researcher Michal Špaček believes that this is not a VPN at all, but an ordinary proxy. Špaček published the proof on GitHub; here is his comment:
“This Opera “VPN” is, in fact, simply a reconfigured HTTP/S proxy that protects only traffic between Opera and the proxy, nothing more. This is not a VPN. In the settings, they themselves call this function a “protected proxy” (and also call it VPN, of course).”
Answer from browser developers:
“We call our VPN a “browser VPN.” Under the hood, this solution has protected proxies that work in different parts of the world through which all browser traffic passes, properly encrypted. [Our solution] doesn’t work with the traffic of other applications, like system VPNs, but, in the end, it’s only a browser VPN.”
How Opera makes money on you:
- Providing information about you to commercial partners.
- Permission (on a commercial basis) to track information about you.
Comment by Stanislav Shakirov, Technical Director of RosKom Svoboda:
“Collecting metadata and selling it to marketing agencies is standard practice for many Internet services, not just VPNs. Often this is spelled out in User Agreements, but usually no one reads it. As for VPN services, it is, of course, better to choose those that do not: it is not known how the information, albeit anonymized, will then be processed, because from it you can also draw conclusions that can harm the user.
A VPN is a business that operates within a particular jurisdiction. Therefore, yes, it is absolutely legal to collect and transmit data by notifying the user about this in User Agreements. If nothing is said about this in User Agreements, the VPN provider has no right to transfer anything to a third party. But whether that is so de facto is not known: the service also needs to live on something, if it is free.
When we start using any service, it is better to immediately think about how it makes money. If the service is free and does not sell your metadata, then it probably inserts its ads or intercepts your sensitive data, such as logins, passwords, bank card data. It happens that large and decent VPN services make free promo tariffs, but they are usually limited in speed or traffic. You also need to understand how the service itself works. Remember the unpleasant story with the Hola plugin, which supposedly gave a free VPN, but it turned out that when using the plugin, other users could access the network through your computer. If the actions of such persons on the network are unlawful, the police will come to the owner of the computer. ”
Instead of an epilogue
Based on our many years of personal experience, we can say with confidence: running your own VPN service is very expensive for its owners. The provider must pay for:
- Maintenance of a network of servers in various countries;
- Traffic, which for such services is never free and unlimited due to the huge volumes of user consumption;
- Round-the-clock technical support, monitoring and software development.
This does not include user support, development funds, or at least some kind of advertising.
The existence of such a service on an altruistic, free-of-charge basis is, in our universe, highly questionable. What is in it for the owners? What funds are used to offset the expenses? What is asked from the user in return? It is useful to ask these questions not only of free VPN services, but of any other shareware service on the Internet, especially those that work with sensitive user data.