I write about security and surveillance.
More and more of us are turning to security apps to protect ourselves from online tracking and snooping. These virtual private networks, or VPNs, create a secure tunnel between our devices and safe internet servers, anonymising browsing and connections when using public WiFi access points or enabling us to access restricted content. Or so the theory runs. A new report published in November has warned of the dangers of installing the wrong kind of VPN. Instead of keeping users safe, one such VPN may actually put them at risk, collecting personal identities and locations and sharing that data with the Chinese authorities.
The staggering growth of VPNs
According to Top10VPN’s “Global Mobile VPN Report 2019,” a staggering 480 million mobile VPN apps have been downloaded in the last 12 months—up 54% on the year before. And while the use of virtual private networks in China, Russia and Iran makes headlines as citizens bypass restrictions to access censored websites or social media, there were almost 75 million VPN apps downloaded in the U.S.
The most popular mobile app in the U.S. was VPN – Super Unlimited—with 8 million installs in 12 months, it has grown a phenomenal 740%. The developer behind the app is Mobile Jump, which claims “2 million active users per month” across the iOS App Store and Google Play. Mobile Jump “aims at redefining the way people interact with their mobile devices,” the company says. “We stay focused and create products that drive value to our users and make their life easier.”
All roads lead to China
Mobile Jump is based in Singapore, but according to Top10VPN, the company’s roots are in mainland China. And it’s the risk of user data being transferred to China that has prompted Top10VPN’s head of research Simon Migliano to issue a warning to U.S. users. “It’s certainly a surprise to see a Chinese VPN grow so rapidly in such a short space of time,” he told me. “There are two main risks. First, it collects unusually large amounts of personal information, including location data. Second, not only does it use that information for advertising, but it explicitly states it will share that data with authorities around the world, including those in China.”
In October, I reported on the major risks associated with mobile VPN apps from China, where “Google Android users install VPNs they believe to be popular and safe, when in fact if data is logged, if that data can be linked to the individual using the app, then the purpose of the VPN is undermined.” And this new warning replicates the last one, except that “VPN–Super Unlimited” has more iOS than Android users in the U.S. The primary issue across all these free VPN apps is user logging. “That’s the biggest red flag,” Migliano says. “Check the privacy policy and if there isn’t a VPN-specific logging policy, avoid.” He also warns that “free VPN services will make their money through advertising, which will likely come with significant privacy compromises.”
Check the small print
And, in fairness, Mobile Jump’s privacy policy should leave users in no doubt as to the risks being taken. For a VPN it’s extraordinary small print: “We regularly collect and use information that could identify an individual, in particular about your purchase or use of our products, services, mobile and software applications and websites… We use various technologies to determine [your] location, including IP addresses, GPS, and other sensors.” An app whose primary purpose is to anonymise users collects and stores personal information that could identify and locate those users. And there’s worse. The company says it might share data with “regulators and law enforcement or investigation agencies in the EU, U.S., China, and around the world.”
“Given China’s naked hostility to a free and open internet,” Migliano warns, “that’s something most U.S. internet users will wish to avoid. There is very little publicly-available information about this developer. They have recently tried to appear more legitimate by launching a new website, suggesting they are based out of Singapore and fleshing out what was previously a very skeletal privacy policy.”
Ironically, that privacy policy has changed. “We do not store or retain any personal information that can be used to identify you,” the outdated version said. “We have no interest in housing and storing users personal information or data.” Whether or not there has been a change in the data management policies of the business or just a more transparent admission of the data that is collected and stored is impossible to say. Mobile Jump did not provide comments on these findings ahead of publication.
Free is free for a reason
There are countless free VPNs originating in China and being made available on the iOS App Store and Android Play Store to users worldwide. As I have warned many times before, these apps are free for a reason. If you’re not paying for the app, you’re paying in another way. “When I looked at the top 30 mobile VPN apps worldwide a year ago,” Migliano says, “almost 60% had strong links to mainland China. At least three more of the top 20 U.S. mobile VPN apps have Chinese ownership—X-VPN, TurboVPN and VPN Proxy Master. Others may have hidden Chinese ownership.”
My advice from October still stands. If you want to secure your device, data and online activity with a VPN, then invest in a paid app from a well-known developer. Taking risks with free apps from obscure sources is always risky; doing so with security-related apps takes those risks to an entirely different level. If you’re going to do that, you would almost certainly be better off not using a VPN at all.
I am the Founder/CEO of Digital Barriers—developing advanced surveillance solutions for defence, national security and counter-terrorism. I write about the intersection of geopolitics and cybersecurity, as well as breaking security and surveillance stories. Contact me at zakd@me.com.