Precautions should be taken because many of the highly-rated “best VPNs” do not live up to their privacy claims.
VPNs have been known to take advantage of their users’ confidence and leak their personal information.
Anyone who wants to increase their online privacy and security should consider using a virtual private network (VPN). To be effective, however, using a VPN demands a great amount of faith in the VPN provider that manages the servers and develops the program. Occasionally, such trust is abused, and users’ personal information is made public. The topics covered in this article include a number of privacy-related situations in which VPN companies failed to live up to their privacy promises.
Customers’ confidence is eroded by incidents like the ones described in this article. While a large number of VPN companies have proven to be reliable, there is no shortage of critics who denounce the sector as a whole for the inherent flaws that allow for such wrongdoing to take place.
Despite the fact that all of the VPNs featured in this article have had major privacy flaws uncovered, several of them continue to be listed as ‘highly recommended’ or ‘Editor’s pick’ on well-known tech sites, where they spend thousands of dollars on advertising. You should first read this post before signing up for one of the best VPN services available.
Logging was discovered.
The data transmitted over the internet while you are connected to a VPN is encrypted on your device, then routed to the VPN server, where it is decrypted before being transmitted to its final destination on the internet. Your unencrypted internet traffic is exposed to the VPN provider during the decryption process on the server, which gives them the opportunity to monitor your online activity. Because this is the situation for every VPN provider at the present time, there is no other option than to simply trust that the provider will not log this information.
Nowadays, every VPN service worth its salt prominently displays the phrase “no logs” or something similar across the homepage of its website. During the time that a user is connected to a VPN, a logless VPN provider does not keep track of their activities. A common misconception is that the phrase “no logs” refers only to traffic logs, which contain the actual contents of internet traffic, such as websites visited, messages sent, emails received, purchases made, searches performed, and so on.
However, many VPN services that market themselves as logless in reality record and keep information on their users in addition to traffic logs. Connection logs, also known as diagnostic or usage logs, contain details such as the timestamps of when you connect and disconnect, how much data you transmit, and which VPN server you were last connected to when you created the log entry.
The majority of this data is quite harmless and is only utilized for diagnostic purposes, but some of it can be used to track down and identify a specific user’s activities. IP addresses, in particular, are frequently included in connection logs since they are unique to each device that connects to the internet and are used to identify the device. Furthermore, logs that link account IDs to email addresses and connection details can be utilized to corroborate the activity of a specific individual user’s account.
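The following added example (not from the original article or any provider) shows why connection logs alone are identifying: given only a VPN server name and the time an event was observed, the log yields the account and home IP address behind it. The log format, field order, account names and addresses are constructed assumptions; the `purge` function shows how a short retention window removes the records that make this lookup possible.

```python
from datetime import datetime, timedelta, timezone

# Constructed connection log: account, source IP, VPN server, connect, disconnect.
# No traffic content is recorded, only the fields the article lists.
CONNECTION_LOG = """\
acct-1001,203.0.113.10,vpn-nl-1,2024-03-01T18:02:11Z,2024-03-01T19:40:03Z
acct-1002,198.51.100.7,vpn-nl-1,2024-03-01T20:15:00Z,2024-03-01T22:05:47Z
acct-1003,192.0.2.55,vpn-us-4,2024-03-01T20:30:12Z,2024-03-01T21:10:00Z
acct-1001,203.0.113.10,vpn-nl-1,2024-03-02T07:00:00Z,2024-03-02T07:45:30Z
"""

def ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T21:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(raw):
    """Turn the CSV lines into session dictionaries."""
    sessions = []
    for line in raw.splitlines():
        if line.strip():
            account, source_ip, server, start, end = line.strip().split(",")
            sessions.append({"account": account, "source_ip": source_ip,
                             "server": server, "start": ts(start), "end": ts(end)})
    return sessions

def purge(sessions, now, retention_days):
    """Drop sessions that ended more than retention_days before `now`."""
    cutoff = ts(now) - timedelta(days=retention_days)
    return [s for s in sessions if s["end"] >= cutoff]

def who_was_connected(sessions, server, seen_at):
    """Accounts and source IPs with a session on `server` that covers `seen_at`."""
    when = ts(seen_at)
    return sorted({(s["account"], s["source_ip"]) for s in sessions
                   if s["server"] == server and s["start"] <= when <= s["end"]})

if __name__ == "__main__":
    log = parse_log(CONNECTION_LOG)
    print(who_was_connected(log, "vpn-nl-1", "2024-03-01T21:00:00Z"))
    expired = purge(log, "2024-04-15T00:00:00Z", retention_days=30)
    print(who_was_connected(expired, "vpn-nl-1", "2024-03-01T21:00:00Z"))
```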
After handing over evidence that led to the arrest of one of its users, HideMyAss, situated in the United Kingdom, shot to national prominence in 2011. Cody Kretsinger attempted to conceal his involvement in an attack on Sony Pictures and the PlayStation Network by claiming to be a member of the HMA. When authorities approached HMA with a court order, the company complied by handing over material that eventually led to Kretsinger’s detention and arrest.
Despite the fact that HideMyAss claims it never logs internet traffic, the company admits that it did log the IP address of Kretsinger’s device as well as the timestamps of when he connected and disconnected from the VPN. This evidence was sufficient to support the FBI’s case against him, and the logs were eventually destroyed.
There is no question that HMA complied with law enforcement, but there is a question over whether or not it recorded those logs in the first place. The episode unquestionably harmed HMA’s brand and company, and it is likely to continue to do so for years to come. Despite the fact that they established an industry-wide precedent, many VPN providers continue to maintain logs in a similar manner today.
Following the arrest of one of its users, Ryan Lin, in October 2017, PureVPN, based in Hong Kong, received a great deal of negative attention. Cyberstalking a woman, hacking into her accounts, and spreading her personal images and sensitive information to hundreds of others was the work of Lin, a true scumbag. Lin attempted to conceal his activity by utilizing PureVPN.
PureVPN is mum on the specifics, but suffice it to say that the business provided two IP addresses coming from Lin’s residence and place of employment. PureVPN’s compliance with the law, despite the company’s claims to be a “no-logs” service, resulted in Lin being arrested.
Certainly, Lin’s behavior is deplorable, but detectives were able to corroborate information from Gmail and build a case against him because of PureVPN’s recording of IP addresses. In addition, this is inappropriate.
In 2016, the parent firm of IPVanish, which is situated in the United States, handed over logs that led Homeland Security to one of its users, Vincent Gevertz, who was involved in child pornography. Homeland Security requested information about a user who was hiding behind an IP address that belonged to Highwinds Network Group, which at the time owned IPVanish. Highwinds eventually complied with the request, despite the fact that it claimed to be a no-logs provider with no usage information at the time of the request.
Highwinds provided investigators with an IP address that belonged to Comcast, which led them to Gevertz. We do not condone Gevertz’s activities in any way, but his actions serve as an example of why it is critical to avoid VPNs that collect IP addresses when possible. It may also discourage consumers from using virtual private networks (VPNs) based in the United States.
IPVanish has subsequently been acquired by StackPath, which is currently the company’s owner. The CEO of StackPath responded to the event by stating that he cannot comment on what transpired because it occurred on someone else’s watch. According to what he posted on Reddit: “Without exception, IPVanish does not, has not, and will not monitor or store logs of our users in our capacity as a StackPath firm.”
Switzerland-based VyprVPN also retains the user’s source IP address, the VPN server address that they connect to, the times that they connect and disconnect, and the amount of data that they consumed. This information is retained for a period of 30 days. I’ve never heard of any of these logs being used to bring anyone to justice, but customers have certainly complained about them in other ways.
The logs have prompted many VyprVPN users to express their dissatisfaction, claiming that the service can detect and penalize users who torrent. Some users have reported that their accounts have been suspended or even canceled in order to comply with DMCA claims that have been received by the organization.
At the beginning of 2014, Dutch police apprehended a man who had made bomb threats against his school. According to the investigation, the man attempted to conceal his identity by connecting to EarthVPN. In accordance with a court order, the police confiscated an EarthVPN server. According to an EarthVPN spokesman, the company did not keep any identifying logs, but the data center where the server was seized did keep IP transfer logs, which were later discovered.
Tracking, ad injection, and malware are all examples of cybercrime.
Ad and cookie injection are two methods of generating revenue from advertising that are most frequent among free VPN services. A virtual private network (VPN) can store cookies on your computer and push advertising directly into online pages. The cookies are persistent, which means that they remain active and continue to gather surfing data even if you navigate away from the website from which they were obtained. The injected advertisements read the cookie data, submit it to an ad exchange (which is most likely operated by a third party), and update their content appropriately.
The mining of personal data through cookies is a blatant violation of the privacy-oriented approach that VPNs should use.
Some VPN apps either include malware payloads or are malware in and of themselves, depending on the situation. As previously said, this is particularly popular with free VPN software because there is nothing to lose. This is done with the intention of infecting the user’s device with malware, which will cause it to do an undesired activity.
Malware can be classified according to its nature and specialized goal, which might be virtually anything. According to a 2017 study, 38 percent of the more than 300 Android VPN apps tested had malware or malicious advertising.
Despite the fact that Hola is one of the most blatant offenders of poor VPN security policies, it continues to be one of the most popular free proxies on the internet. First and foremost, the organization does not maintain centralized VPN servers. As an alternative, users connect through each other’s devices, taking advantage of each other’s excess bandwidth. Because the free version is not encrypted, users may find themselves being accused of participating in the criminal activity carried out by other users.
Earlier this year, Hola converted its vast user base into a weapon, creating a massive botnet that was used to carry out attacks that overwhelmed servers, a technique known as Distributed Denial-of-Service (DDoS) attack. In the absence of monitoring, Hola offered access to the botnet and users’ bandwidth, allowing it to be exploited for malevolent purposes.
An official complaint with the Federal Trade Commission was filed in 2017 by a privacy advocacy group stating that the VPN provider Hotspot Shield collects data and intercepts users’ communications despite its claims to provide “total anonymity.” Without the user’s knowledge, the software installs tracking cookies in their browser’s history. These tracking cookies enable marketers to provide targeted advertisements to users depending on the information they have acquired about them.
Adding insult to injury, the complaint alleges that Hotspot Shield intercepted valid HTTP queries to specific e-commerce websites. The VPN drove users to partner websites where AnchorFree, the firm that owns Hotspot Shield, stood to profit from their purchases.
As of the time of this writing, the FTC had not reached a decision on the complaint.
Inadequate safety measures
Numerous virtual private networks (VPNs) employ weak, outdated, or deprecated security mechanisms, while others are completely devoid of protection. VPN security is comprised of a number of features, including encryption and leak protection.
84 percent of Android VPN apps leaked users’ online traffic, and 18 percent did not encrypt data at all, according to the same study that revealed malware in more than one-third of Android VPN apps.
Security by encrypting data (or lack thereof)
A virtual private network (VPN) encrypts all internet data between the end-user device and the VPN server. Virtual private network (VPN) encryption is composed of three primary components: channel encryption, authentication, and key exchange. VPN service companies frequently just advertise the channel encryption, which should be at least 128-bit AES in order to be effective.
Authentication and key exchange are less well-publicized, but they are equally crucial. Authentication ensures that all data provided and received is received in its original form and has not been altered in any way during transit. HMAC SHA1 or SHA2 (which includes SHA256 and SHA512) should be used for authentication; standard SHA1 is now considered outdated.
The exchange of keys
The key exchange contributes to the secure establishment of the VPN connection. Client and server both use it to communicate a shared encryption key between them. If this shared key is discovered, the entire session’s worth of data can be decrypted, so it is critical to keep it safe at all times. VPN key exchanges should use RSA keys with a minimum size of 2048 bits. Some VPNs continue to employ 1024-bit RSA; however, this has been cracked and is no longer regarded as secure.
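As an added example (not part of the original article), the check below applies the article's channel-encryption and authentication rules to a client profile. It assumes the provider ships an OpenVPN-style profile, which the article does not state; the directive names `cipher`, `data-ciphers`, `ncp-ciphers` and `auth` are OpenVPN's, and the sample profile is constructed. RSA key size is not checked here because it is a property of the certificate rather than of these directives.

```python
import re

# Digests the article accepts for HMAC authentication: SHA1 or the SHA2 family.
ACCEPTED_AUTH = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
CIPHER_DIRECTIVES = ("cipher", "data-ciphers", "ncp-ciphers")
UNSET = "not set, client default applies"

# Constructed sample profile, not taken from any real provider.
SAMPLE_PROFILE = """\
client
remote vpn.example.net 1194
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-GCM:none
auth MD5  # legacy setting
"""

def parse_directives(profile):
    """Return {directive: [argument, ...]} for every non-comment line."""
    found = {}
    for raw in profile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        found.setdefault(name, []).extend(args)
    return found

def cipher_problem(cipher):
    """Article's rule: channel encryption is AES with a key of 128 bits or more."""
    if cipher.lower() == "none":
        return "no channel encryption"
    match = re.fullmatch(r"AES-(\d+)-\w+", cipher.upper())
    if match is None:
        return "not an AES cipher"
    return "AES key shorter than 128 bits" if int(match.group(1)) < 128 else None

def audit(profile):
    """Return (directive, value, problem) for each setting below the article's bar."""
    conf, findings = parse_directives(profile), []
    offered = [(d, c) for d in CIPHER_DIRECTIVES
               for arg in conf.get(d, []) for c in arg.split(":")]
    if not offered:
        findings.append(("cipher", "", UNSET))
    for directive, cipher in offered:
        problem = cipher_problem(cipher)
        if problem:
            findings.append((directive, cipher, problem))
    for digest in conf.get("auth") or [""]:
        if digest.upper() not in ACCEPTED_AUTH:
            findings.append(("auth", digest,
                             "HMAC digest is not SHA1 or SHA2" if digest else UNSET))
    return findings
```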
Protection against leaks
A survey published in late 2017 by Comparitech came to a similar conclusion: despite assertions to the contrary, the vast majority of VPNs leak personal data. The article investigated the effectiveness of VPNs in preventing various sorts of leaks, in which personal data is allowed to exit the encrypted tunnel. Most VPNs, as it turns out, have problems with WebRTC leaks, and many of them leak traffic when the connection is disturbed in some way. Even if the leaks only occur under specific conditions, the investigation demonstrates why we should not put our faith in VPNs that promise to be leakproof….
So, who can you put your faith in?
With all of this information at your disposal, you may be more skeptical of VPN providers. Indeed, it might be tough to determine who to put your trust in. Even if a VPN has not yet experienced a public privacy event such as those listed above, it does not rule out the possibility that it could in the future.
There’s no way to guarantee that a VPN won’t betray your confidence. Having said that, a few virtual private networks (VPNs) have been put to the test in the real world and have passed with flying colors. Law enforcement has already raided the servers of ExpressVPN, Perfect Privacy, and Private Internet Access, amongst other VPN service providers. None of them had any logs that could have led investigators to the exact individual they were seeking. As a result, the VPN is living up to its security and privacy claims, which is a positive sign.
A word about Netflix and virtual private networks (VPNs)
Although virtual private networks (VPNs) are the first and foremost tools for protecting privacy and security, they have also become a popular means of accessing streaming services that provide varied content depending on the location of the user. These so-called geo-restrictions can be circumvented by employing a virtual private network (VPN) to fake the user’s location. Netflix is the most well-known streaming service that uses geo-restrictions to limit access to its content.
Netflix consumers in the United States get access to a significantly larger collection of content than those who pay for the service in other countries. A virtual private network (VPN) can be used to alter a user’s IP address to one in the United States, allowing them to access the greater American Netflix repertoire from any place. Netflix, on the other hand, has restricted the usage of the majority of VPNs, so be cautious when purchasing a VPN for the purpose of streaming Netflix. This Netflix VPN study, which claims to have conducted over 5,000 tests to identify whether VPNs are compatible with Netflix, is a helpful resource to consult.