- New research shows that eight popular, commercial VPN apps operate deceptively, exposing more than 700 million users to authoritarian surveillance.
- A first group of VPNs has established links to China’s People’s Liberation Army (PLA), and a second group—with similarly deceptive practices—was recently discovered.
- Free commercial VPN apps are riskier than paid ones.
Virtual Private Networks (VPNs) are a critical security and privacy infrastructure used by people globally to circumvent repressive censorship and surveillance and protect their privacy and connections on public WiFi. They have grown significantly in popularity as more authoritarian governments censor the free and open Internet.
Commercial VPN providers operate with varying degrees of transparency, and users must determine whether they value transparency more than anonymity when choosing a provider, as there are trade-offs with each.
Recently, my colleagues and I found that eight providers of popular, commercial VPN applications appear to hide their services’ ownership and operations. These services contain serious privacy and security issues that put more than 700 million users at risk of authoritarian surveillance.
Transparency vs. Anonymity in the VPN Ecosystem
VPNs are not designed for truly anonymous communications. When selecting a VPN provider, users implicitly transfer trust from their Internet service provider to the VPN provider. This transfer—despite often being overlooked or ignored—carries significant security implications, given the provider’s access to the user’s data.
The benefit of a transparently operating VPN provider is that users know who can view their communications. The limitation of such a provider is that it can be identified easily by authorities and subpoenaed or targeted by cyber criminals, which could put users at risk.
A VPN provider that operates anonymously (so less transparently) cannot be easily targeted by censors or cyber criminals, or subpoenaed by authorities, providing a level of protection to users. The downside is that users do not know who can view their communications, which could increase their risk of surveillance or exploitation.
Information about a provider’s operations, ownership, and development is key for users to make informed decisions, but these details are often hard to find. In addition, some VPN providers—particularly the free services that monetize user data and serve ads—use ethically questionable practices when developing, marketing, and operating their VPNs. They exploit legal loopholes and attempt to hide who controls their services. For example, some VPNs cite Singapore (a country with strong privacy laws) as their country of origin on app stores, yet they are actually linked to China (a country with highly invasive surveillance and data-access laws).
When VPN provider information such as this is not easy to find or the provider actively tries to hide it, users risk entrusting their data to a provider they might not have chosen otherwise. In contexts where individuals are prosecuted for expressing themselves online or accessing information that authorities block, these VPNs put their users at great risk.
Analysing Transparency vs. Anonymity in the VPN Ecosystem, and Implications for Users
In an effort to bring greater visibility into the VPN ecosystem, I collaborated with Dr. Jeffrey Knockel of Bowdoin College and Dr. Jedidiah R. Crandall of Arizona State University as part of my Information Controls Fellowship Program (ICFP) to uncover who owns, operates, and develops 32 popular VPNs on the Google Play Store (with more than one billion downloads, collectively). Twenty-one seemingly distinct VPN providers distribute these VPN apps and serve users in India, Indonesia, Russia, Pakistan, Saudi Arabia, Turkey, UAE, Bangladesh, Egypt, Algeria, Singapore, and Brazil.
We assigned the providers a multi-factor “transparency versus anonymity” score, with the goals of:
- Helping users make more informed decisions when selecting a VPN provider; and
- Encouraging app stores to clearly identify apps that operate transparently and those that do not.
We also examined whether there is a link between less transparency and security vulnerabilities.
Below are three significant findings from our research:
Two clusters of VPN providers—whose apps have more than 700 million downloads, collectively—hide their ownership and operations
Two groups of providers do not disclose that they are related or operate together, and appear to hide the ownership and operations of their services.
Previous research, based on their privacy policies and copyright filings, found that the first cluster—INNOVATING CONNECTING LIMITED, AUTUMN BREEZE PTE. LIMITED, and LEMON CLOVE PTE. LIMITED—is operated by the same Chinese nationals and has links to the Chinese cybersecurity firm Qihoo 360 and the PLA. We dug deeper by manually analyzing their most popular VPN apps and found that they also share code and infrastructure, along with even stronger indications of a connection.
The second cluster of concerning VPN providers, which previous research has not investigated, includes MATRIX MOBILE PTE. LTD., ForeRaya Technologies PTE LTD, Wildlook Tech Pte Ltd., Hong Kong Silence Technology, and Yolo Technology Limited. While connections to Qihoo 360 could not be identified for these entities, their operational characteristics are similar to the first cluster (which does have ties to the Chinese cybersecurity firm). For example, their privacy policies reference Innovative Connecting. In addition, their apps share infrastructure and code.
Both clusters have several security vulnerabilities
The vulnerabilities include:
- The use of Shadowsocks for tunneling: Shadowsocks (an open-source proxy project designed to bypass Internet censorship and geo-restrictions) was built to get traffic past censors, not to provide the confidentiality guarantees users expect from a VPN protocol. It has no key exchange and no server authentication beyond a single pre-shared password, on which its entire security rests. This is problematic because these apps are advertised as providing user security.
- Hard-coded passwords in their configuration that are shared across all users: The password is embedded in the app itself instead of being provisioned per user or retrieved securely at runtime, so anyone who unpacks the app can read it. Because that password is the only secret from which Shadowsocks derives its keys, an attacker who knows it and can capture the traffic can decrypt the tunnel of every user of the service, exposing the content they are accessing. This significantly compromises user security and privacy.
- Susceptibility to blind in/on-path attacks on the client side (confirmed) and the server side (implied): An attacker positioned on or beside the network path can intercept and even modify communication without the user’s knowledge, a serious violation of their privacy and security.
- Extraction of user location information, despite the providers’ claims that this is not collected.
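The two Shadowsocks findings above (a password that is the only key material, and that password baked into every copy of the app) can be checked and illustrated with a small audit script. The code below is an added example, not code from the report or from any of the apps discussed: it scans a constructed stand-in for the string output of an unpacked APK for `ss://` URIs (the legacy and SIP002 Shadowsocks URI forms; whether these particular apps store their configuration that way is an assumption, all hosts and passwords are made up), groups the servers each embedded password unlocks, and then derives the per-session AEAD subkey exactly as the Shadowsocks AEAD specification does (EVP_BytesToKey master key, HKDF-SHA1 with info `ss-subkey`, salt read off the wire). The final AEAD decryption step is omitted because it needs a cipher library outside the standard library; the point the derivation makes is that the only secret involved is the password, so an eavesdropper who has lifted it from the app computes the same subkey as the victim's client.

```python
"""Audit an app's string dump for hard-coded Shadowsocks credentials (added example).

The input is a constructed stand-in for `strings` output from an unpacked APK; every
host and password in it is made up. Key derivation follows the Shadowsocks AEAD spec
(EVP_BytesToKey master key, HKDF-SHA1 with info "ss-subkey"); the AEAD decryption
step itself is left out because it needs a non-stdlib cipher library.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Key (and salt) length in bytes for the Shadowsocks AEAD ciphers.
KEY_LEN = {"aes-128-gcm": 16, "aes-192-gcm": 24, "aes-256-gcm": 32,
           "chacha20-ietf-poly1305": 32}

# Matches legacy (ss://base64) and SIP002 (ss://userinfo@host:port/?plugin#tag) URIs.
SS_URI_RE = re.compile(r"ss://[A-Za-z0-9+/=_\-@.:%#?&]+")


@dataclass(frozen=True)
class SsConfig:
    method: str
    password: str
    host: str
    port: int


def _b64decode_lenient(s: str) -> bytes:
    """Decode standard or URL-safe base64, restoring the padding SIP002 strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_ss_uri(uri: str) -> SsConfig:
    body = uri[len("ss://"):].split("#", 1)[0].split("/?", 1)[0]
    if "@" in body:                                   # SIP002: base64(method:password)@host:port
        userinfo, _, hostport = body.rpartition("@")
        creds = _b64decode_lenient(unquote(userinfo)).decode()
        hostport = hostport.rstrip("/")
    else:                                             # legacy: base64(method:password@host:port)
        creds, _, hostport = _b64decode_lenient(body).decode().rpartition("@")
    method, _, password = creds.partition(":")        # method names never contain ':'
    host, _, port = hostport.rpartition(":")
    return SsConfig(method, password, host, int(port))


def evp_bytes_to_key(password: str, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey (MD5, no salt, one round): the Shadowsocks master key."""
    pw, out, digest = password.encode(), b"", b""
    while len(out) < key_len:
        digest = hashlib.md5(digest + pw).digest()
        out += digest
    return out[:key_len]


def hkdf_sha1(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-1, as used by Shadowsocks AEAD."""
    prk = hmac.new(salt, ikm, hashlib.sha1).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha1).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_subkey(cfg: SsConfig, salt: bytes) -> bytes:
    """Per-connection AEAD key. The salt is sent in the clear at the start of every
    connection, so anyone who holds the password can compute this for any user."""
    key_len = KEY_LEN[cfg.method]
    return hkdf_sha1(evp_bytes_to_key(cfg.password, key_len), salt, b"ss-subkey", key_len)


def audit_string_dump(blob: str) -> dict[str, list[str]]:
    """Map each embedded password to the servers it unlocks. Any password found here
    ships with every installation; one listed against several servers unlocks them all."""
    by_password: dict[str, list[str]] = {}
    for uri in SS_URI_RE.findall(blob):
        cfg = parse_ss_uri(uri)
        by_password.setdefault(cfg.password, []).append(f"{cfg.host}:{cfg.port}")
    return by_password


# --- constructed sample input (stands in for `strings` output from an APK) ---
def legacy_uri(cfg: SsConfig) -> str:
    raw = f"{cfg.method}:{cfg.password}@{cfg.host}:{cfg.port}".encode()
    return "ss://" + base64.b64encode(raw).decode()


def sip002_uri(cfg: SsConfig, tag: str) -> str:
    userinfo = base64.urlsafe_b64encode(f"{cfg.method}:{cfg.password}".encode()).decode().rstrip("=")
    return f"ss://{userinfo}@{cfg.host}:{cfg.port}/?plugin=none#{tag}"


SHARED = "s3cret-shared-by-every-install"   # made up, as are all hosts below
CONSTRUCTED_STRINGS_DUMP = "\n".join([
    "assets/servers.json",
    legacy_uri(SsConfig("aes-256-gcm", SHARED, "sg1.example.invalid", 8388)),
    "com.example.vpn.ConfigLoader",
    sip002_uri(SsConfig("aes-256-gcm", SHARED, "sg2.example.invalid", 443), "sg2"),
    sip002_uri(SsConfig("chacha20-ietf-poly1305", "another-baked-in-secret", "us1.example.invalid", 8443), "us1"),
])

if __name__ == "__main__":
    for password, servers in audit_string_dump(CONSTRUCTED_STRINGS_DUMP).items():
        print(f"hard-coded password {password!r} unlocks {len(servers)} server(s): {', '.join(servers)}")
    # An eavesdropper who lifted the password from the app reads the 32-byte salt off
    # the wire and derives the same AEAD subkey as the victim's client.
    salt = bytes(range(32))                                     # constructed; real salts are random
    victim = SsConfig("aes-256-gcm", SHARED, "sg1.example.invalid", 8388)
    attacker = SsConfig("aes-256-gcm", SHARED, "", 0)           # knows only method and password
    print("subkeys match:", session_subkey(victim, salt) == session_subkey(attacker, salt))
```

Run against a real extraction (for example the output of `strings` over the unpacked `classes.dex` and `assets/` of an APK), any password the audit reports is by definition shared by every installation of that app; the subkey comparison at the bottom is what turns that into "every user's traffic is decryptable" once the traffic is captured.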
These software issues are alarming, especially for the providers with links to the Chinese cybersecurity firm Qihoo 360. This calls into question the providers’ intentions when they connect to the biggest cybersecurity firm in China, yet offer security-critical applications with glaring vulnerabilities.
Free commercial VPN apps are riskier than paid ones
While not all free commercial VPN apps operate in poor faith, using products such as TurboVPN, VPN Proxy Master, and Snap VPN (supplied by the first cluster of providers) presents far more risk to user security and privacy than a paid VPN app. This is because free commercial VPNs tend to capitalize on their users’ data, potentially using ethically questionable practices in their development, marketing, and operations.
Read the full report and access the in-depth technical report.
Adapted from the original post first published by the Open Technology Fund.
Benjamin Mixon-Baca is a Security Researcher and Co-founder at Breakpointing Bad. This research was conducted as part of his ICFP Fellowship.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.