How are the top free VPNs using your data

The saying, “if it sounds too good to be true, it probably is” is, unfortunately, the case when it comes to the vast majority of free VPNs.

Boasting the ability to provide anonymous browsing, these VPNs are incredibly appealing, especially considering they’re free. But in most cases, there is a cost to using these services – your data.

Ironically, by trying to protect your privacy by using a free VPN, you may be exposing yourself to greater risks by allowing these services to share your data with third parties.

To find out how the top VPNs on Google Play and in the App Store are using your data, we looked at the top 20 in each.

See also: Best VPNs (paid)

Key findings

  • None of the free VPNs for Android offer what we consider to be good data protection, while around half of the ones for iOS do
  • Most free VPNs display adverts – some will even sell your data
  • Trackers and low connection speeds are common across free VPNs
  • Some Free VPNs for Android come with dangerous permission levels
  • Most free VPNs have some kind of logging policy, with a worrying number having invasive logs (i.e. traffic data)

Why might your free VPN be dangerous?

  • It may sell your personal data to third parties, e.g. advertisers
  • It may collect logs that detail your internet activities
  • It could infect your device with malware, thus compromising your data
  • It may leave your device vulnerable to attackers due to poorly-configured application permissions

So which of the top free VPNs from Google Play and the App Store were found to have some – or all – of these data privacy issues?

The top 20 free Android VPNs and how they use your data

To see which of the top 20 free Android VPNs from Google Play Store offer the best security and performance, we analyzed six categories:

  • Criticality of the permissions requested by the app: What level of access does the app require to your device and/or data. I.e., does it only need access to non-data-specific features, such as your network settings, or does it want full access to your contacts?
  • # of trackers: Some trackers only collect data that helps the VPNs improve their services while others will track personal information that could leave your data vulnerable to abuse. We conducted a MobSF static analysis to find out the number of trackers in each app.
  • Advertising: The majority of free VPNs use adverts to fund their services – but some may go one step further and sell your data to make money.
  • % of speed lost (according to Speedtest.net): Most VPNs will reduce your connection speed but some can dramatically reduce the speed by over 90%, severely disrupting your internet usage.
  • Location sharing: VPNs shouldn’t require access to your specific location as this isn’t necessary to perform the service.
  • Logging policy: What logs does your VPN store? None or aggregated data only (low risk)? Connection and/or IP address logs that have some risk of being tied to you as a user (medium risk)? Or traffic logs that are invasive and privacy-violating (high risk)? VPNs that provide no clarification of the logs they do/don’t store are omitted in this section but should be treated with caution due to their lack of clarity. Equally, if a privacy policy indicates that a VPN service has the ability to track and monitor traffic logs from a specific IP address (e.g. for law enforcement purposes), the logging policy has been deemed high risk as your internet browsing history may be compromised.

Where we have indicated that a category is “low”, “medium” or “high,” this is what we consider to be the risk level for that category, taking into account the factors outlined above.

The top 20 free iOS VPNs and how they use your data

So how do the top 20 free iOS VPNs on the App Store hold up?

Due to the iOS platform being more difficult to analyze, our comparison of the top 20 free iOS VPNs does differ slightly, but our research covered:

  • Criticality of the permissions requested by the app: What level of access does the app require to your device and/or data. I.e., does it only need access to non-data-specific features, such as your network settings, or does it want full access to your contacts?
  • Logging policy: What logs does your VPN store? None or aggregated data only (low risk)? Connection or IP address logs that have some risk of being tied to you as a user (medium risk)? Or traffic logs that are invasive and privacy-violating (high risk)? Equally, if a privacy policy indicates that a VPN service has the ability to track and monitor traffic logs from a specific IP address (e.g. for law enforcement purposes), the logging policy has been deemed high risk as your internet browsing history may be compromised.

As you can see from our findings, no app on Google Play offers what we consider to be a full set of safety features and only a handful on the App Store provide what we consider to be good protections. To understand more about how each of these areas decreases the safety of a VPN, let’s explore them in more detail below.

What permissions might an app request?

Most mobile applications require some permissions. For example, Google Maps requests access to your location, WhatsApp requests access to your contacts, and so on. However, in some cases, the permissions required can be complex and confusing, meaning we’re not sure exactly how they work. This can lead to us accepting permissions that we’re not aware of, potentially putting our data and devices at risk.

Normal permissions

These don’t place your device at risk and shouldn’t violate your privacy. Examples include:

  • ACCESS_NETWORK_STATE – This allows an application to access information about networks
  • SET_ALARM – This allows an application to set an alarm for the user
  • SET_WALLPAPER – This allows an application to set the wallpaper

Signature permissions

These permissions give more access to your device but shouldn’t pose a direct threat to your data. Examples include:

  • WRITE_SETTINGS – This allows an application to read or write the system settings
  • MANAGE_EXTERNAL_STORAGE – This allows an application broad access to external storage

Dangerous permissions

These permissions use your data in some form. Typically, this information is a list of user contacts, access to the camera, etc. Examples include:

  • CAMERA – Allows an application to access the camera device
  • SEND_SMS – Allows an application to send SMS messages
  • READ_CONTACTS – Allows an application to read the user’s contacts data

To see how severe the permissions each free VPN requests, we placed them into three categories:

  • Low permissions level: These permissions don’t lead to the loss of your data and tend to include “normal” permissions.
  • Medium permissions level: This includes some unnecessary permissions, giving the VPN provider access “signature” permissions. However, they don’t pose a direct threat to your data.
  • High permissions level: This indicates that the app has at least one “dangerous” permission, indicating that there is a high risk that you’ll lose some of your data.

Are there trackers implanted within your VPN?

Some VPN providers will try to track your online activity through tracking cookies. Sometimes, this will be under the guise of helping the VPN to improve its services. But the collection of any of the following data is a cause for concern and may compromise your privacy:

  • Information about other applications you have installed and how you use these
  • Your GPS information or residential address
  • Information about the websites you visit (browser history)
  • The body and headers of requests or responses that you send or receive over the network, respectively
  • Any personally identifiable information – e.g. your email or phone number – that’s not necessary to connect to a remote VPN server

We conducted a MobSF analysis to obtain the number of trackers in the top 20 free Android VPNs.

Number of trackers Android apps

The total number of advertising trackers found in 108 analyzed applications

  1. Google (55% of all trackers, 61 of 111)
  2. Facebook (21% of all trackers, 23 of 111)
  3. Others (9% of all trackers, 10 of 111)
  4. Flurry (4.5% of all trackers, 5 of 111)
  5. Moat (3.5% of all trackers, 4 of 111)
  6. AppsFlyer (3.5% of all trackers, 4 of 111)
  7. Unity3d Ads (3.5% of all trackers, 4 of 111)
Hotspot Trackers Screenshot
An example of the trackers detected in one of the free VPN services.

Does the free VPN display adverts?

While data collection will often help VPN providers improve their services, there is, unfortunately, a flip side to this — the most popular way for free VPN providers to make money is advertising. And the most profitable form of advertising is the sale of your data to other network services.

However, as nothing is truly free, many of these free VPNs will show adverts as this helps the developers generate revenue on their products. If you pay for a VPN (or upgrade to a paid version from a free VPN), you’ll likely find that any adverts are switched off.

What percentage of speed is lost when using your free VPN?

When using a VPN it is normal to have to sacrifice some internet speed. This is due to factors like how far you are from the server, the method of encryption used, and the load on the server. You can check the VPN’s speed with a speed checker like speedtest.net, running a test before and after you switch your VPN on.

As our results from speedtest.net indicate, the majority of free VPNs from the Google Play Store reduce your connection speed by over half, with a large number also strangling it to over 70 percent.

However, it’s important to note the limitations of any speed test due to the inherent volatility of the internet, plus other variables, e.g. how close the VPN server you connect to is, the time of test, any issues with your ISP or the VPN provider, an overload of the test server, and the protocol used. It also won’t account for any new changes that may occur after the test is conducted, e.g. the VPN provider upgrading their bandwidth to offer better speeds or a sudden influx of new customers which put added strain on the service.

See also: Free VPNs for Firestick

Does your VPN share your location?

As we’ve already mentioned, some apps need your location in order to be able to perform the services on offer/that you want to access. Others, however, shouldn’t need your location at all – i.e. your VPN.

What type of logging policy does your VPN have?

VPN logs are the data that the provider retains to “help” provide its service. Often, VPN services will say they offer a “zero-logs policy” but may fall short of this declaration in some areas, particularly IP address logs.

The types of logs a provider may have are:

  • Connection logs which store metadata, i.e. timestamps of when you’re using the service. Aggregated data of this type shouldn’t cause much concern but if these connection logs are tied to you as a user this can be problematic (especially if you’ve handed over personally-identifiable data when signing up).
  • IP address logs can be easily attributed to you as a user. These logs include the IP address of your device and/or the IP address of VPN servers to which you connect. If your IP address is logged and stored, it could be exposed to third parties, e.g. advertisers who want to profile you, or, worse still, it may fall into the wrong hands, e.g. hackers, government agencies, or copyright trolls. As one of the main criteria for a VPN is to conceal your IP address, one that has an IP address logging policy is perhaps worth avoiding.
  • Traffic logs are the worst form of logs from a privacy perspective as they include a whole host of information, such as your internet browsing history, downloads, software used, messages, and more. A VPN that has this type of logging policy should be avoided as it’s directly violating what you’re trying to protect – your privacy.
VPN Privacy Policy Example
An example of a privacy policy that details how the VPN provider can gain access to IP addresses and traffic data upon request.

You can find an even more comprehensive look at over 100 VPNs’ logging policies here.

Are free VPNs safe?

Unfortunately, our research highlights that a large number of free VPNs come with worrying permissions and invasive policies that have the potential to compromise the security of your personal data. But by being aware of these potential pitfalls in free VPNs, you can select one that puts your privacy first while providing you with a fast and reliable VPN service.

How to find a safe VPN

When using a VPN, there are a few things to bear in mind:

  • Is your data private? The beauty of using a trusted VPN is that it should give you the freedom to use the internet without fear of being tracked. So, you shouldn’t have to worry that your VPN is collecting any personally identifiable information about you. Always check the VPN’s privacy policy to see what information it uses – if any.
  • How is this “free” VPN making money? As we’ve already mentioned – nothing rarely comes for free. So look into how this free VPN makes its money.
  • What logging policy does the VPN have? VPN logs aren’t always a huge no-no. Many reputed VPN providers will log certain data (in aggregated form) and analyze it to help improve the speed and functionality of the VPN, check for vulnerabilities, and ensure optimized connections. Any VPN that logs anything outside of this, e.g. internet history, should be avoided.

See also: