
How shareware VPN providers sell your data

Hi, Habr.

We come with news: there is no such thing as a free VPN. You always pay, either by viewing ads or with your own data. For advocates of the basic idea of anonymity on the Internet, the latter form of payment is especially unpleasant. The problem is that you yourself give permission to sell or transfer information about you to third parties.

User agreements are everywhere, but who reads them? In the summer of 2017, 22,000 Britons agreed to clean public toilets when they accessed the Internet via a public Wi-Fi network (I wonder what we agree to by connecting to Wi-Fi in the Russian metro). The non-commercial project The Best VPN Services conducted a study and found that some VPN providers share user data “legally”: this is spelled out in the user agreement, even for the most popular ones. Today is exactly one year since that material was published, and we decided to check whether the information in the study is still relevant.

According to The Best VPN Services article, some VPN services transfer information about users to companies affiliated with the provider or to whoever simply pays more. In addition, many services do not tell users how they make money, or are opaque about it: here you can read the complaint that the American Center for Democracy and Technology (CDT) addressed to the Federal Trade Commission about the shareware Hotspot Shield Free VPN. It turned out that the service violated its own privacy policy and collected MAC addresses, IMEI, wireless network names and other user information. After reverse engineering the client application, the researchers found five different libraries that could be used for de-anonymization.

And here you can find out what the Commonwealth Scientific and Industrial Research Organisation (CSIRO) thinks about VPN applications from Google Play: 84% of them contribute to traffic leaks. Another feature of shareware VPN services is intrusive advertising and the distribution of links to the websites of certain companies.

What does a deal with the VPN devil look like?


Researchers from The Best VPN Services compiled a ranking of the 10 most popular VPN providers that can sell your personal data to other companies and people:


We assume there are actually many more such services. But the providers above at least do not hide it; it is just that no one reads their user agreements.

Let's focus on the most interesting “discoveries” of The Best VPN Services project and consider the three largest VPN providers. An analysis of each of the ten selected services can be found on the research page, bearing in mind that it was published in May 2018. We will cover the updated data.

Hola and the sale of your data "only to decent customers"


Hola is a browser-based VPN with more than 150 million users. The company exploits the idea of “community-supported freedom”: the VPN is free, but you can donate to the service.

After the DDoS attack on the 8chan board in 2015 (there is an article on Habr about this), it turned out that Hola sells users' Internet connections to third parties: in particular, user data ends up in the Luminati commercial network. This caused a strong reaction in the Internet community, and a group of activists created the site Adios, Hola!, which exposes the extension's vulnerabilities.

Hola's official response: “We are an innovative company. Skype also used your traffic. We sell Luminati only to decent customers (and not like Tor). Everyone has vulnerabilities: Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft.”

Let's look at the Hola user agreement that was in effect in 2018:

image

The provider honestly names its goals: research, analysis and marketing. But this bodes ill for anonymity. The newer version of the agreement looks like this:

image
Source: hola.org/legal/privacy (2019)

Collecting data for "improving quality or for providing services" is a common clause in the policies of many VPN services. But here again the provider openly states that it shares user data with other companies. At the same time, Hola stores user data indefinitely, for as long as it is needed to operate the service:

image
Source: hola.org/legal/privacy (2019)

Previously, the provider did not hide the fact that information about the user goes to the commercial network Luminati. In other words, access to your computer could previously be sold to people who pay for it. It is not known whether Hola does something like this today: the wording of the privacy policy is now rather vague.

Here is a fragment from the old Privacy Policy:

image
Source: hola.org/legal/privacy (2018). This information is no longer on the Hola site.

How Hola makes money:


According to Hola, they do not in fact pass information on to third parties. They have a paid version, which is used by companies and corporations. They use "a small part of the resources of your computer when they are not used (so that we never slow you down) for the benefit of the network."

image
Source: hola.org/faq

Betternet and leaking your browser history


Betternet is another large VPN service with free and premium versions, which has more than 38 million users. On its official website, the provider tries to honestly answer the question of where the money comes from: users are invited to install partners' third-party applications and watch a promotional video, or to buy a subscription to get the "highest level of service." Does this mean that your data is not sold? It seems not.

"We can share your location (at city level)" ...
image
Source: www.betternet.co/privacy-policy

CSIRO also notes that Betternet has a large library with user data. In 2018, their privacy policy looked different: Betternet stated that advertisers can access the user's browser history.

image
Screenshot from the previous Privacy Policy (2018)

How Betternet makes money on users today:


Ghost VPN in Opera


An honest, free VPN could be a great way to popularize the Opera browser. In the spring of 2018, the Opera VPN mobile application announced that it had stopped working, and the old site is no longer available. But the free VPN available in Opera since 2016 has not gone anywhere. At the same time, the privacy policy on the website is the same for all products: Opera may collect your personal data, including for marketing campaigns. The privacy policy allows the provider to pass information to third parties and track your data.

image
Source: www.opera.com/privacy

“Installing Opera generates a random installation ID. We may collect this identifier, as well as your device identifier and hardware specifications, operating system and environment configuration, usage data. We use this information for certain legitimate business purposes:


This information helps us improve our products and services. We have no practical way to use this information to identify you personally. We can store this data for up to three years ... "

image
Source: www.opera.com/privacy

Polish researcher Michal Špaček believes that this is not a VPN at all, but a very ordinary proxy. Špaček published proof on GitHub; here is his comment:

“This Opera “VPN” is, in fact, simply a reconfigured HTTP/S proxy, which only protects traffic between Opera and the proxy, nothing more. This is not a VPN. In the settings, they themselves call this feature “secure proxy” (and also call it VPN, of course).”

Browser developer response:

“We call our VPN a “browser VPN”. Under the hood of this solution are secure proxies that work in different parts of the world, through which all browser traffic passes, in a properly encrypted form. [Our solution] does not work with the traffic of other applications, like system VPNs, but in the end, this is just a browser VPN.”

How Opera makes money from you:


Commentary by Stanislav Shakirov, Technical Director of RosKomSvoboda:

“Collecting metadata and selling it to marketing agencies is standard practice for many Internet services, not just for VPNs. This is often spelled out in user agreements, but usually no one reads them. As for VPN services, of course it is better to choose those that do not do this: it is not known how the information, even if anonymized, will be processed later, because conclusions that can harm the user can also be drawn from it.

A VPN is a business that operates within a particular jurisdiction. Therefore, yes, it is absolutely legal to collect and transfer data after notifying the user of this in the user agreement. If the user agreement says nothing about this, the VPN provider is not allowed to transfer anything to a third party. But whether this holds in practice is unknown: the service also needs to live on something if it is free.

When we begin to use any service, it is better to think right away about exactly how it makes money. If the service is free and does not sell your metadata, then it probably inserts its own advertising or intercepts your sensitive data, such as logins, passwords and bank card data. It happens that large and decent VPN services offer free promotional plans, but these are usually limited in speed or traffic. You also need to understand how the service itself works. Remember the nasty story with the Hola plugin, which supposedly gave you a free VPN, but it turned out that when you used the plugin, other users could access the network through your computer. If the actions of such persons on the network are unlawful, the police will come to the computer’s owner.”

Instead of an epilogue


Based on many years of personal experience, we can state with confidence: a private VPN service is very expensive for its owners. The provider must pay for:

  1. Maintenance of a network of servers in various countries;
  2. Traffic that for such services is never free and unlimited due to the huge volumes of user consumption;
  3. Round-the-clock technical support, monitoring and software development.

This does not include user support, funds for development and at least some advertising.

The existence of such a service in our universe on a purely altruistic, free basis raises many questions. What is in it for the owners? What funds cover the expenses? What is asked of the user in return? These questions are worth asking not only of free VPN services but of any other shareware service on the Internet, especially those that work with sensitive user data.

Source: https://habr.com/ru/post/450416/

