Are Free VPNs Safe?
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Are Free VPNs Safe?

An honest discussion about whether it’s safe to use free VPNs

Let’s talk about free VPNs. Typically, when we get asked about whether or not it’s safe or wise to use a free security product, it’s free SSL. And to be honest, we’re loathe to weigh in on that too heavily because as soon as we do someone accuses us of having a conflict of interest.

But we really don’t have any skin in the VPN game, so we’ve got no problem discussing free VPNs and whether or not they can be trusted. And that’s one of the more important distinctions when it comes to VPN services. With other security products it’s a binary. Does this work? Yes or no. That’s still a question with VPNs, but the more pressing one is whether or not you can trust the service itself.

Because when you use a VPN, the servers you log into still have the ability to track what you’re doing and where you’re going, even if no one else can. And if the folks running those VPN servers are unscrupulous, you may be worse off using the free VPN than not using one at all.

So, today we’re going to discuss free VPN services, which ones you can trust and what you need to be looking for if you decide to forego our warning and dabble with the free VPNs anyway.

Let’s hash it out.

Running a free VPN ain’t free

Let’s start with why you should be dubious of truly free VPN services: the cost of running a VPN service. I try not to be too cynical, but altruism is not a virtue you see a whole lot of on the internet. And that’s what it would require to run a truly free VPN service that was actually any good.

Are free vpns safe?

Think about it, to run a VPN you need to purchase a whole bunch of servers and IP addresses, you need to spend money building out the client it will use, you need be able to afford to keep it all running, to staff it and you’ll need to be able to scale as you grow. None of that is cheap. And to do it all and not charge anything would mean you’re running it at a loss.

Nobody starts a business to run it at a loss.

That means these free VPN services have to make money somehow. And if they’re not making money by charging their users, they’re probably making it OFF their users. That can only mean one of a few things, and none of them are what you intended when you decided to start using a VPN.

A little transparency, please

We are a culture that is driven by its Freudian Id. We want instant gratification. And oftentimes when we see something is free, common sense goes out the window. This is why you see people fighting over the ordnance for t-shirt cannons or see grown men knocking over children for foul balls at baseball games. Even just seeing the word “free” garners a visceral reaction from many people – that’s why you see it used in more than its fair share of phishing emails.

The (meandering) point I’m making is that not enough people take the time to actually click around the VPN’s website and learn what it does to support itself when the word “free” is involved. It’s even more of a problem on mobile and via app stores, where a lot of that information isn’t even present.

Here’s the thing, if a VPN is up front about how it’s going to log, store and use your data – and you miss it – that’s on you. If the VPN service DOESN’T provide that information. It’s on them. And it should be strikes one, two and three.

Generally, with any VPN, you should already be checking:

  • Logging policies
  • Technical safeguards
  • Locations
  • How it makes its money

The first three items on this list should be stated explicitly. The fourth is a little more implicit.

Policies and Safeguards

With logging policies, the less logging that’s done the better. If there is logging, how long do they keep the logs for? This is one log context where shorter is better. Do they anonymize logs? How do they anonymize the logs? You need to be like John Henry and focus on those logs.

Technical safeguards refers to how they secure connections. You’re specifically trying to understand what protocol will be used and what kind of encryption will be securing the connection. Is that encryption industry standard? Are they even doing anything? Some VPNs don’t even encrypt their connections while many others conduct important business outside of the encrypted tunnel, which leaks your information. It’s very important that you understand what safeguards are in place.

Where are their servers located?

The world is not unified when it comes to internet freedoms, data rights and privacy. There is a patchwork of laws and regulations that affect different countries and regions. In researching this article one of the themes I’ve noticed is what basically amounts to fearmongering about the Five Eyes intelligence alliance between Australia, Canada, New Zealand, the US and UK. And while those countries have agreements in place to provide legal access to data, provided it goes through the right channels – that is absolutely pedestrian compared to what goes on in other corners of the world.

Still, it is worth noting that many countries, including those in the EU, have requirements that certain data be stored within their borders where it is subject to their laws and could be turned over to their government. For a lot of people, that won’t be a problem. Not to deal your ego a blow, but the stuff you’re using a VPN for – pirating movies, streaming blocked content, hiding from your ISP – doesn’t rise to the level of warranting attention from Five Eyes or Interpol. It takes a lot to get the black helicopters to show up over in the Western world.

For other people in other locations? It might be something worth considering.

And finally…

How do they make their money?

When you see a Free VPN offered by a company with paid plans, it’s safe to assume that it’s making its money off its paid subscriptions. And to incentivize paying, you’re not going to be able to use all of that VPN’s features. There’s a trade-off.

With free VPNs, it’s a little less obvious. And the more opaque they are about how they might be making their money, the more suspect you should be. Some free VPNs have enough integrity to come right out and admit they’re going to sell your data. It’s in their private policy. Did you read the privacy policy? C’mon, this is what we just talked about…

Keep in mind, this industry is massive and almost completely unregulated. There is very little barrier to entry when it comes to “free VPNs.” And as you’re about to see, a lot of these apps aren’t VPNs at all. Just because an app or program CLAIMS to be a free VPN, doesn’t mean anyone ever took the time to actually verify the claim.

When VPNs aren’t (just) VPNs

The basic premise of a VPN is that you log in to it, and it helps guard your privacy by obfuscating your activity, securing your communication and ideally anonymizing you completely. But, as we already discussed, you have to TRUST the VPN because it still has all of that valuable data on you. This is why the no logging policies are so important.

How a VPN works

But, a lot of VPNs fail to live up to that whole privacy premise. The Australian Commonwealth Scientific and Industrial Research Organization (CSIRO) did a study of Android apps claiming to be VPNs and it wasn’t exactly encouraging.

82% of free VPNs required permissions to sensitive resources
75% of free VPNs used third-party tracking libraries
38% of free VPNs infected their devices with malware
18% of free VPNs didn’t even use encryption
84% of free VPNs handle IPv6 traffic outside of the encrypted tunnel
66% of free VPNs handle DNS requests outside of the encrypted tunnel

Granted, that’s Android apps, but the startling lack of regulation in that industry only lends itself to this kind of garbage. Let’s take a look at some other Free VPN horror stories…

Free VPNs might track and sell your data

The Android numbers skew more towards malfeasance, but in general there are still a lot of bad actors in the VPN space. One 2018 study found 26 of the world’s top 117 VPN services log data. That includes paid services. When you filter out the paid services, the numbers look even worse. While your activity may be hidden to the rest of the world, your VPN service sees it all. And a lot of that data may be valuable. After all, they wouldn’t bother logging it if they didn’t intend to sell it for profit. Per CSIRO, BetterNet, which boasts over 38-million users, also leverages 14 different tracking libraries. Meaning your ISP might not be able to see BetterNet users – but tons of other, lesser-know entities sure can. It gets even more frightening when you consider the number of VPNs that ask for extensive permissions on the devices they secure. That allows them to harvest even more user data, sometimes data that wasn’t even transacted during the use of the VPN.

Free VPNs might give you malware

According to Metric Labs’ head of research, Simon Migliano, “one in five” of the 150 free VPNs he studied had malware. That’s a bit lower that CSIRO’s figure – it tested 280+ free VPNs so it scraped more from the bottom of the barrel – but the figure generally reinforces that you never know what you’re getting with free VPNs. You wouldn’t play Russian Roulette with those odds, don’t blindly trust a VPN based on them, either.

And here’s the thing, delivering malware is a huge pain in the butt. Or… so I’ve been told. The vast majority of it, over 90%, gets delivered via email. And you still have to convince the recipient to open it or run it – whatever makes it tick. Enterprising minds have long been searching for an easier way. Well, it turns out that if you make an Android app and advertise it as a free VPN, people will install your malware and execute it of their own volition – the digital equivalent of the salmon hopping right into the bear’s mouth.

Free VPNs might steal your bandwidth

Let’s talk about bandwidth for a second, because the definition can be a bit confusing at times. There is a definition for (signal) bandwidth as it relates to hertz and frequencies – that’s not the one we’re interested in. For our purposes, bandwidth refers to the maximum rate that data can be transferred through a network path. We aren’t going to stray too far into the weeds on this but everyone has at some point been in a situation with shared WiFi. Maybe it was at a dorm, with some roommates or even on a public network – but your connection speed was contingent upon who else was using the internet at that moment. If too many people got on, things could lurch to a halt. That’s bandwidth, each user, each connection is partitioned a fraction of that bandwidth to operate on.

On any connected device you have two commodities you likely never think about: bandwidth and processing power. We’re going to get to processing power in a second, but your device or computer is likely not making use of all the bandwidth it’s been allotted. It would be nice to think it does, but nothing in tech works at 100% efficiency – network bandwidth included. Some of the more unscrupulous actors in the free VPN game are more than happy to take any extra bandwidth right off your hands, too. The best example of this is the free VPN product offered by Hola, which has over 152-million users and has been caught selling its free users’ bandwidth to paid customers via another arm of its business. If you’re not sure what that means, think of it this way: you might be using a free VPN to stay anonymous and avoid undue scrutiny, but at the same time your VPN is essentially renting your bandwidth and IP address – the one associated with you – to someone else. And anything they do can be traced back to you. Not great, Bob.

Free VPNs might Cryptojack you

One of the other things Hola was caught for – and it’s unclear whether this part was intentional – was a bug that allowed programs to be run remotely on its users’ computers. And while we’re willing to give the benefit of the doubt here – this is also not an isolated incident.

But first a quick refresher on Cryptojacking. Cryptocurrency, most famously BitCoin (which is the example we’ll use), is essentially minted through a mathematical process that involves a blockchain and a prohibitively difficult problem to solve. In fact, the math problem is so costly to compute that even the world’s most powerful supercomputer would be overmatched. As a result, “miners” often pool their resources together to try and solve the problem. When they do, they get to add a new block to the blockchain – the new block will contain all the transactions that took place while the block was being solved – and they get a reward paid out in BitCoin. This is called cryptomining. The reward is typically divided amongst the miners that pooled their resources. And therein lies the rub. The rewards for solving each block are diminishing at a set rate and the blocks continue to get harder to solve. That means less money for more work, which is not what anyone signed up for.

The cryptocurrency community is full of criminals and charlatans, many of whom have no qualms about compromising other people’s devices to create a botnet, which can in turn throw all of its combined computing power at solving the next block. And here’s the best part: they wouldn’t even have to split the reward. Early on you saw a lot of IoT devices getting conscripted into botnets. Now we’re starting to see more ingenious methods for compromising devices and stealing their processing power: free VPNs.

Ironically, VPNs often advertise themselves as a defense against Cryptojacking. Turns out they can also get you cryptojacked, too.

Free VPNs might hijack your browser

Most of us take for granted that our browsers do what we ask them to. You rarely have to worry about Firefox or Chrome getting mouthy, unless you’re dealing with certificate errors or known malicious websites – then they do speak up. But having your browser take you to all range of websites you never intended to go to isn’t usually a problem for most of us. Unless you hook up with the wrong free VPN that is.

Case in point:

“AnchorFree’s VPN app HotspotShield performs redirection of e-commerce traffic to partnering domains. When a client connects through the VPN to access specific web domains, the app leverages a proxy that intercepts and redirects the HTTP requests to partner websites.”

That’s not uncommon, either. And to be honest, it’s actually one of the least scummy ways free VPNs take advantage of their users. Far preferable to having your bandwidth sold out from under you or your information widely shared. Still, that’s a sad statement in and of itself. Like a choice between pestilence and a plague.

Are there any good Free VPN options?

There’s a terrifying amount of bad advice related to this question. And typically, the answer comes from a party with skin in the game – they’re making money off all this somehow. As we mentioned earlier – we aren’t. We’ve got no stake in the VPN industry, but we do know a thing or two about encryption and privacy. And we constantly preach the importance of cybersecurity education. So here goes.

VPN concept

If you want to use a free VPN, you really only have a handful of options:

  • Use the free version of a paid VPN
  • Use an open-source VPN
  • Spin up your own VPN

Don’t try to use the University of Tsukuba’s free VPN or any of those other weird workarounds – those are designed to serve different functions, not so you can circumvent the MLB’s blackout rules to stream baseball or some such nonsense.

Freemium VPNs

Freemium is one of those internet buzzwords that gets tossed around a lot and doesn’t always get used correctly. Freemium just means that the base product is available for free, but additional features will cost you money. We’re actually seeing a turn to this model from the videogame world right now with titles like Fortnight, Apex Legends and Dauntless. If you don’t mind running on a stripped down version of a VPN, this is probably your most straightforward option.

Top VPN services like NordVPN and Express VPN offer solid freemium versions. But, again, be careful before you just blindly jump into bed with any old VPN service on account of it having paid tiers. Hola had paid tiers and it sold its free users’ bandwidth and IP addresses to its paying customers. This is why you have to read the fine print.

Open-Source VPNs

The safest option when it comes to truly free VPNs is to use an open-source one. OpenVPN is by far the most popular, but there are other variants that may fit your needs a little bit better. Open source VPNs don’t have any clandestine financial motivations and their code is public so it can be regularly vetted and critiqued.

Here’s the thing though, this is not really a beginner-level option. You need to have at least a basic knowledge of what it is you’re doing, because there’s not going to be a whole lot of hand-holding. You’re likely going to need to crowdsource your support from forums and mailing lists. So, if you’re looking for something quick and easy – move along, there’s nothing to see here.

Spin up your own free VPN

You remember how we just said using an open-source free VPN wasn’t exactly a task for novices? Well, crank that up to 11. While you’ll have much greater control over your data and the security measures that are in place, which should help protect your privacy and foster some degree of anonymity – the amount of work that’s required to pull this off is worthy of its own article.

Suffice it to say, this option is only for those with quite a bit of experience.

Just be careful with free VPNs

You SHOULD be skeptical of free VPNs. If you take just one thing from this entire article, make sure it’s to look closely at any “free” VPN before using it. We get it, who doesn’t love stuff to be free? But there’s almost always a catch. With free VPNs that spectrum ranges from paid VPN services trying to sell you additional features all the way to VPNs that infect you with malware and/or steal your bandwidth.

The important thing is being able to identify that catch. The honest players state it up front. We may not love what the catch is but there’s a degree of integrity that comes with at least owning it.

It’s when the catch isn’t obvious – when it’s not stated explicitly and it’s difficult to discern from the information you’ve been given – that you need to be the most careful. So, read the damn fine print.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.