Beware: Many highly recommended “best VPNs” don’t live up to their privacy claims
Posted on June 27, 2018 By Dennis
Connecting through a VPN is a fantastic way for anyone to improve their online privacy and security. But using a VPN still requires a significant degree of trust in the VPN provider that operates the servers and makes the app. Sometimes, that trust is abused and users’ personal details are exposed. In this article, I’ll cover several privacy-related incidents in which VPN providers failed to live up to their privacy claims.
Incidents such as these sow doubt in the minds of consumers. While plenty of providers have proven to be trustworthy, you’ll find no shortage of critics who decry the VPN industry as a whole based on the inherent vulnerabilities that allow such misconduct to occur.
All of the VPNs listed in this article have had major privacy failings exposed, yet many still feature as ‘highly recommended’ or ‘Editor’s choice’ on well-known tech publications where they spend thousands on advertising. Before you sign up for a ‘Best VPN service’, I recommend you read this article.
When connected to a VPN, data is encrypted on your device, then sent to the VPN server where it is decrypted before going on to its destination on the internet. During the decryption process on the server, the VPN provider has the opportunity to sneak a peek at your unencrypted internet traffic. Currently, this is the case for every VPN, and there’s no alternative but to simply trust the provider won’t log that information.
Nowadays, every VPN worth its salt plasters “no logs” or something similar across its website homepage. A logless VPN provider doesn’t keep records of its users’ activity while they connect to the VPN. Often, the “no logs” claim refers solely to traffic logs, which include the actual contents of internet traffic, such as websites visited, messages, emails, purchases, searches, etc.
But many VPN providers who advertise as logless in fact record and store data on users other than traffic logs. Connection logs, also called diagnostic or usage logs, include metadata like timestamps of when you connect and disconnect, how much data you transfer, and which VPN server you last connected to.
Most of this stuff is pretty harmless and just used for diagnostic purposes, but some of it can be used to trace activity back to a specific user. IP addresses, in particular, are often included in connection logs and are unique to every device connected to the internet. Furthermore, logs that tie account IDs to email addresses and connection metadata can be used to corroborate an individual user’s activity.
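To make that concrete, here is an added example (not from any provider or investigation) showing how connection metadata alone singles out a user, and how the same lookup comes back empty when account and source IP are never recorded. The log entries, account IDs, server names and documentation-range IP addresses are all constructed.

```python
from datetime import datetime

# Constructed connection log (UTC): metadata only, no traffic contents.
# Fields: account, source IP, VPN server, connect time, disconnect time.
LOG = [
    ("acct-1001", "198.51.100.23", "uk-lon-3", "2018-03-02T18:04:11", "2018-03-02T19:40:52"),
    ("acct-1002", "203.0.113.77", "uk-lon-3", "2018-03-02T19:15:00", "2018-03-02T22:01:30"),
    ("acct-1003", "192.0.2.140", "nl-ams-1", "2018-03-02T18:30:00", "2018-03-02T19:10:00"),
    ("acct-1001", "198.51.100.23", "uk-lon-3", "2018-03-03T08:00:00", "2018-03-03T08:45:00"),
]

# Constructed events: activity seen leaving server uk-lon-3 at two moments.
EVENTS = [("uk-lon-3", "2018-03-02T19:30:00"), ("uk-lon-3", "2018-03-03T08:20:00")]

def active_users(log, server, seen_at):
    """(account, source_ip) pairs with a session on `server` covering `seen_at`."""
    t = datetime.fromisoformat(seen_at)
    return {
        (account, source_ip)
        for account, source_ip, srv, start, end in log
        if srv == server
        and (account or source_ip)  # entries with no identifiers reveal nobody
        and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)
    }

def correlate(log, events):
    """Intersect the users active at every (server, time) event."""
    candidates = None
    for server, seen_at in events:
        users = active_users(log, server, seen_at)
        candidates = users if candidates is None else candidates & users
    return candidates or set()

def without_identifiers(log):
    """The same log as it would look if account and source IP were never stored."""
    return [(None, None, srv, start, end) for _, _, srv, start, end in log]

if __name__ == "__main__":
    print(correlate(LOG, EVENTS))                       # one account remains
    print(correlate(without_identifiers(LOG), EVENTS))  # nothing to hand over
```

One timestamp leaves two candidates on the shared server; the second timestamp narrows it to a single account and home IP, which is why timestamps plus source IP count as identifying even without traffic logs.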
In 2011, UK-based HideMyAss catapulted into notoriety after it handed over evidence that resulted in the arrest of one of its users. Cody Kretsinger attempted to use HMA to hide his involvement in an attack on Sony Pictures and the PlayStation Network. When investigators approached HMA with a court order, the company complied by handing over information that ultimately led to Kretsinger’s arrest.
HideMyAss says it never logged the contents of internet traffic, but it did record the IP address of Kretsinger’s device and timestamps of when he connected to and disconnected from the VPN. Those logs provided sufficient evidence to corroborate the FBI’s case against him.
The main issue here is not that HMA complied with law enforcement, but that it recorded those logs in the first place. The incident certainly damaged HMA’s reputation and business, likely for years to come. Despite setting an industry-wide precedent, many VPN providers continue to keep similar logs today.
In October 2017, Hong Kong-based PureVPN caught substantial criticism following the arrest of one of its users, Ryan Lin. Lin, a real scumbag, cyberstalked a woman, hacked into her accounts, and spread her personal photos and sensitive information to hundreds of people. Lin attempted to use PureVPN to hide his activities.
PureVPN remains a bit vague on the details; suffice it to say the company handed over two IP addresses originating from Lin’s home and workplace. Despite claiming to be a “no-logs” provider, PureVPN’s compliance led to Lin’s arrest.
Lin’s behavior is unacceptable, to be sure, but PureVPN’s retention of IP addresses was enough for investigators to corroborate evidence from Gmail and build a case against Lin. That’s also unacceptable.
In 2016, US-based IPVanish’s parent company handed over logs that led Homeland Security to one of its users who was involved in child pornography, Vincent Gevertz. Homeland Security requested details of the user behind an IP address belonging to Highwinds Network Group, which owned IPVanish at the time. After initially rejecting the request, Highwinds ultimately complied, despite claiming to be a no-logs provider with no usage information.
Highwinds handed over an IP address owned by Comcast, which led investigators to Gevertz. While we certainly do not condone Gevertz’s actions, this is an example of why it’s important to avoid VPNs that log IP addresses. It might also deter people from choosing VPNs incorporated in the United States.
IPVanish has since changed hands and is now owned by StackPath. StackPath’s CEO responded to the incident, saying he can’t speak for what happened on someone else’s watch. He wrote on reddit, “With no exception IPVanish does not, has not, and will not log or store logs of our users as a StackPath company.”
Switzerland-based VyprVPN stores the user’s source IP address, the VPN server address they connect to, when they connect and disconnect, and how much data they consumed. This information is stored for 30 days. I’ve never heard of these logs leading to anyone’s arrest, but customers certainly have other complaints.
Many VyprVPN users have complained that the logs allow VyprVPN to detect and penalize users who torrent. Some report their accounts being suspended or even terminated in order to comply with DMCA claims received by the company.
In early 2014, Dutch police arrested a man who sent bomb threats to his school. According to the report, the man attempted to use EarthVPN to hide his identity. Police seized an EarthVPN server with a court order. An EarthVPN representative says the company never stored any identifying logs, but the data center where the server was seized kept IP transfer logs.
Tracking, ad injection, and malware
Most common among free VPN services, ad and cookie injection are used to generate income from advertising. A VPN can add cookies to your browser and insert advertisements right onto web pages. The cookies are persistent, meaning they remain active and continue to collect browsing data even when you’re not on the site where you picked them up. The injected advertisements read the cookie data, send it off to an ad exchange (probably run by a third party), and change accordingly.
The mining of personal data through cookies goes firmly against the privacy-oriented approach that VPNs should take.
Some VPN apps either contain malware payloads or are themselves a form of malware. Again, this is most common with free VPN apps with nothing to lose. The goal is to infect the user’s device with malware to make it perform some unintended action.
The type of malware and its specific purpose can be pretty much anything. A 2017 study (PDF) of nearly 300 Android VPN apps found that 38 percent contained malware or malvertising.
Hola is one of the most egregious offenders of bad VPN security policies, and yet it remains one of the most popular free proxies. First, the company doesn’t operate central VPN servers. Instead, users connect through each other’s devices, utilizing each other’s spare bandwidth. The free version is not encrypted, and users could find themselves suspected of carrying out other users’ criminal activities.
In 2015, Hola turned its large userbase into a weapon: a massive botnet used to carry out attacks that overloaded servers in what’s known as a Distributed Denial-of-Service (DDoS) attack. Hola sold access to the botnet and users’ bandwidth with little oversight, allowing it to be used maliciously.
In 2017, a privacy advocacy group filed an official complaint with the FTC alleging that VPN provider Hotspot Shield collects data and intercepts users’ traffic despite claiming to provide “complete anonymity.” The app places tracking cookies inside users’ browsers without their knowledge. Those tracking cookies allow advertisers to serve targeted ads based on collected user data.
As if that isn’t enough, the complaint goes on to state Hotspot Shield intercepted legitimate HTTP requests to certain ecommerce sites. The VPN redirected users to partner sites where AnchorFree, Hotspot Shield’s parent company, stood to make a profit.
The FTC has made no ruling on the complaint as of the time of writing.
Many VPNs use insufficient, obsolete, or deprecated security measures, and others simply lack security altogether. VPN security includes factors like encryption and leak protection.
In the same study that discovered malware in more than one-third of Android VPN apps, researchers found 84 percent of them leaked users’ web traffic, and 18 percent didn’t encrypt data at all.
Encryption (or lack thereof)
A VPN encrypts all of the internet traffic between the end user device and the VPN server. VPN encryption consists of three main elements: channel encryption, authentication, and the key exchange. VPN providers often only advertise the channel encryption, which should be at least 128-bit AES.
Authentication and key exchange are less advertised but just as important. Authentication ensures all the data sent and received arrives in its original form and hasn’t been modified. Authentication should be HMAC SHA1 or SHA2 (includes SHA256 and SHA512); regular SHA1 is now deprecated.
The key exchange helps securely establish the VPN connection. It is used to pass a shared encryption key to the client and server. If this shared key is discovered, the entire session’s worth of data can be decrypted, so it’s important to keep it secure. VPN key exchanges should use 2048-bit RSA keys or larger. Some VPNs still use 1024-bit RSA, but this has been cracked and thus is no longer considered secure.
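If your provider hands you an OpenVPN-style profile, you can check it against the three minimums above yourself. This is an added example, not a provider's tool: it reads the `cipher` and `auth` directives from the profile text, while `rsa_bits` is a value you supply from the server certificate (the script does not parse certificates). The sample profiles are constructed.

```python
import re

SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}

def parse_directives(text):
    """Map each directive to its arguments, dropping # and ; comments."""
    directives = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def audit(profile_text, rsa_bits):
    """Return findings against the minimums stated in the article."""
    d = parse_directives(profile_text)
    findings = []

    cipher = d.get("cipher")
    aes = re.fullmatch(r"AES-(\d+)-\w+", cipher or "", re.IGNORECASE)
    if cipher is None:
        findings.append("cipher: not set in profile, check the effective value")
    elif cipher.lower() == "none":
        findings.append("cipher: none, traffic is not encrypted")
    elif not aes or int(aes.group(1)) < 128:
        findings.append(f"cipher: {cipher} is not AES with a 128-bit or larger key")

    auth = d.get("auth")
    if auth is None:
        findings.append("auth: not set in profile, check the effective value")
    elif auth.upper() != "SHA1" and auth.upper() not in SHA2:
        findings.append(f"auth: {auth} is not HMAC SHA1 or SHA2")

    if rsa_bits < 2048:
        findings.append(f"key exchange: {rsa_bits}-bit RSA is below 2048 bits")
    return findings

# Constructed sample profiles (not taken from any provider).
WEAK_PROFILE = "client\nremote vpn.example.net 1194 udp\n# legacy settings\ncipher BF-CBC\nauth MD5\n"
STRONG_PROFILE = "client\ncipher AES-256-GCM\nauth SHA256\n"

if __name__ == "__main__":
    for finding in audit(WEAK_PROFILE, rsa_bits=1024):
        print(finding)
```

A missing directive is reported rather than guessed at, because the value a client falls back to depends on its version.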
A late 2017 report by Comparitech came to a similar conclusion: most VPNs leak personal data despite claims to the contrary. The article examined how well VPNs prevent various types of leaks in which personal data escapes the encrypted tunnel. As it turns out, most VPNs struggle with WebRTC leaks, and many leak traffic when the connection is somehow disrupted. Even if the leaks only occur under certain circumstances, the report shows how we shouldn’t trust VPNs that claim to be leakproof.
So who can you trust?
With all this information, you might be more wary of VPN providers. Indeed, it’s difficult to know who to trust. Even if a VPN hasn’t had a public privacy incident like those we list above, that doesn’t mean it won’t in the future.
There’s no way to ensure a VPN won’t betray your trust. That being said, a few VPNs have been put to the test in the real world and passed with flying colors. ExpressVPN, Perfect Privacy and Private Internet Access have all had their servers raided by law enforcement in the past. None of them contained logs that could lead authorities to the specific user they were looking for. That’s a good indicator the VPN is living up to its security and privacy claims.
Image: “Party Gras Deux 32” by Anonymous9000