Nothing of value is free

The modern Internet is a dangerous place. [Note: It has always been ‘dangerous’. But now the dangers are readily apparent.] There are people and institutions that want to seize your private information and use it for their own advantages. You need look no further than Facebook (or China) to realize this simple fact. As a result of these assaults on privacy, many people are finally turning to VPN ‘providers’ as a means of improving their security posture. But free VPN services may not be so free.

Background

In the eighties, universities in the US (funded by the US federal government) and across the globe began to freely communicate – and to share the software that enabled these communications. This kind of collaboration helped to spur the development of the modern Internet. And in the nineties, free and open source software began to seize the imagination (and self-interest) of many corporations.

At that time, there were two schools of thought concerning free software: 1) The RMS school believed that software was totally free (“as in speech”) and should be treated as a community asset, and 2) The ESR school believed that open source was a technical means of accelerating the development of software and improving the quality of software. Both schools were founded upon the notion that free and open software was “‘free’ as in speech, not as in ‘beer’.” [Note: To get a good insight into the discussions of free software, I would encourage you to read The Cathedral and the Bazaar by Eric S. Raymond.]

While this debate raged, consumers had become accustomed to free and open software – when free meant “as in beer”. By using open source or shareware tools, people could get functional software without any licensing or purchasing fees. Some shareware developers nagged you for a contribution. Others just told you their story and let you install/use their product “as is”. So many computer consumers became junkies of the “free” stuff. [Insert analogies of drug dealers (or cigarette companies) freely distributing ‘samples’ of their wares in order to hook customers.]

VPN Services: The Modern Analog

Today, consumers still love ‘free stuff’, whether this is ‘free’ games for their phones, ‘free’ email services for their families (or their businesses), or free security products (like free anti-virus and free anti-malware tools). And recently, free VPN services have begun to emerge. I first saw them delivered as a marketing tool. A few years ago, the Opera team bundled a free VPN with their product in the hopes that people would switch from IE (or Firefox) to Opera.

But free VPN services are now available everywhere. You can log into the Apple Store or the Play Store and find dozens of free VPN offers. So when people heard that VPN services offer encryption and they saw that ‘vetted’ VPN services (i.e., apps/services listed in their vendor’s app store) were available for free, people began to exploit these free VPN services.

Who Pays When Free VPN Isn’t Free?

But let’s dig into this a little. Does anyone really believe that free VPN services (or software) are free (i.e., “as in beer”)? To answer this question, we need only look to historical examples. Both FOSS and shareware vendors leveraged the ‘junkie’ impulse. If they could get you to start using their product, they could lock you into their ecosystem – thus guaranteeing massive collateral purchases. But their only costs were their time – measured in the labor that they poured into developing and maintaining their products.

Today, VPN service providers also have to recoup the costs of their infrastructure. This includes massive network costs, replicated hardware costs, and substantial management costs. So someone has to overcome these massive costs. And this is done out of the goodness of their hearts? Hardly.

Only recently have we learned that free social media products are paid for through the resale of our own personal data. When things are ‘free’, we are the product being sold. So this fact begs the question: who is paying for this infrastructure when you aren’t paying for it?

Free – “As In ‘China’” – Paid For It

Recently, Top10VPN (a website operated by London-based Metric Labs Ltd) published a report about free VPN providers listed on the App Store and the Play Store. What they found is hardly surprising.

  • 59% of apps have links to China (17 apps)
  • 86% of apps had unacceptable privacy policies, issues include:
      • 55% of privacy policies were hosted in an amateur fashion Free WordPress sites with ad
  • 64% of apps had no dedicated website – several had no online presence beyond app store listings.
  • Over half (52%) of customer support emails were personal accounts, i.e., Gmail, Hotmail, Yahoo etc.
  • 83% of app customer support email requests for assistance were ignored

Just because a VPN provider has sketchy operating practices or is somehow loosely associated with Chinese interests does not necessarily mean that the service is compromised. Nor does it mean that your identity has been (or will be) compromised. It does mean that you must double-check your free provider. And you need to know that free is never free. Know what costs you are bearing BEFORE you sign up for that free VPN.

William Chalk (published @ Hackernoon) may have said it best: “In allowing these opaque and unprofessional companies to host potentially dangerous apps in their stores, Google and Apple demonstrate a failure to properly vet the publishers utilizing their platform and curate the software promoted therein.” But resolution of these shortcomings is not up to Apple and Google. It is up to us. We must take action. First, we must tell Apple and Google just how disappointed we are with their product review processes. And then we must vote with our dollars – by using fee-based VPNs. Why? Because free VPN may not ensure free speech.

Full Disclosure: I am a paid subscriber of a fee-based VPN service. And at this time, I trust my provider. But even I double-checked my provider after reading this article.