How shareware VPN providers sell your data


Hi, Habr.

We have news: there is no such thing as a free VPN. You always pay, either by viewing ads or with your own data. For advocates of anonymity on the Internet, the latter method of payment is especially unpleasant. The problem is that you yourself permit the sale or transfer of information about you to third parties.


User agreements are everywhere, but who reads them? In the summer of 2017, 22,000 Britons agreed to clean public toilets when they went online via a public Wi-Fi network (I wonder what we agree to by connecting to Wi-Fi in the Russian metro). The non-profit project The Best VPN Services conducted a study and found that some VPN providers share user data "legally": this is spelled out in the user agreement, even for the most popular ones. Today is exactly one year since that material was published, and we decided to check whether the information in the study is still relevant.

According to The Best VPN Services article, some VPN services transfer information about users to companies affiliated with the provider or to whoever simply pays more. In addition, many services do not tell users how they make money from them, or describe it opaquely: here you can read the complaint of the American Center for Democracy and Technology (CDT) about the shareware Hotspot Shield Free VPN, addressed to the Federal Trade Commission. It turned out that the service violated its own privacy policy and collected MAC addresses, IMEI, wireless network names and other user information. After reverse engineering the client application, the researchers found five different libraries that could be used for de-anonymization.

And here you can find out what the Commonwealth Scientific and Industrial Research Organisation (CSIRO) thinks about VPN applications from Google Play: 84% of them contribute to traffic leaks. Another feature of shareware VPN services is the distribution of links to the websites of certain companies and intrusive advertising.

What a deal with the VPN devil looks like


Researchers from The Best VPN Services compiled a ranking of the 10 most popular VPN providers that can sell your personal data to other companies and people:


We assume there are actually many more such services. But the providers above at least do not hide it; it is just that no one reads their user agreements.

Let's focus on the most interesting “discoveries” of The Best VPN Services project and consider the three largest VPN providers. A review of each of the ten selected services can be found in the study, bearing in mind that it was published in May 2018. We will cover the updated data.

Hola and the sale of your data "only to good customers"


Hola is a browser-based VPN with more than 150 million users. The company exploits the idea of “community-supported freedom”: the VPN is free, but you can donate to the service.

After a DDoS attack on an 8chan board in 2015 (there is an article about it on Habr), it turned out that Hola sells its users' Internet channels to third parties: in particular, user data ends up in the commercial network Luminati. This information caused a great stir in the Internet community, and a group of activists created the site Adios, Hola!, which reveals the vulnerabilities of the extension.

Hola's official response: “We are an innovative company. Skype also used your traffic. We sell Luminati only to decent customers (and not like Tor). Everyone has vulnerabilities: Apple iCloud, Snapchat, Skype, Sony, Evernote, Microsoft.”

Let's look at the Hola user agreement that was current in 2018:

image

The provider honestly names its goals: research, analysis and marketing. But this bodes poorly for anonymity. The current agreement looks like this:

image
Source: hola.org/legal/privacy (2019)

Collecting data for "improving quality or for providing services" is a common clause in the policies of many VPN services. But here again the provider openly states that it shares user data with other companies. At the same time, Hola stores user data indefinitely, for as long as it is needed to keep the service running:

image
Source: hola.org/legal/privacy (2019)

Previously, the provider did not hide the fact that information about the user goes to the commercial network Luminati. In other words, access to your computer could previously be sold to people who pay for it. It is not known whether Hola does something like this today: the wording in the privacy policy is now rather vague.

Here is a fragment from the old Privacy Policy:

image
Source: hola.org/legal/privacy (2018). This information is no longer on Hola's site.

How Hola makes money:

  • The provider may transfer your personal information to third parties.
  • The provider uses the user's device as a network node and accesses it while you use the VPN (it promises to keep personal information safe and to use the device only as a router).

According to Hola, they do not in fact pass information on to third parties. They have a paid version used by companies and corporations. They use "a small portion of your computer's resources when they are not used (so that we never slow down you) for the benefit of the network".

image
Source: hola.org/faq

Betternet and the leak of your browser history


Betternet is another large VPN service with free and premium versions and more than 38 million users. On its official website, the provider tries to answer honestly the question of where its money comes from: users are invited to install partners' third-party applications and watch promotional videos, or to buy a subscription to get the "highest level of service." Does this mean that your data is not sold? It seems not.

"We can share your location (at city level)" ...
image
Source: www.betternet.co/privacy-policy

CSIRO also notes that Betternet has a large-scale library with user data. In 2018, its privacy policy looked different: Betternet stated that advertisers could access the user's browser history.

image
Screenshot from the previous Privacy Policy (2018)

How Betternet makes money on users today:

  • Advertisers have access to the user's approximate location (at the city level).
  • Advertising.

Opera Ghost VPN


An honest and free VPN could be a great way to popularize the Opera browser. In the spring of 2018, the Opera VPN mobile application announced that it was shutting down, and the old site is no longer available. But the free VPN built into Opera since 2016 has not gone away. At the same time, the privacy policy on the website is the same for all products: Opera may collect your personal data, including for marketing campaigns. The Privacy Policy allows the provider to pass information to third parties and to track your data.

image
Source: www.opera.com/privacy

“When you install Opera, a random installation ID is generated. We may collect this identifier, as well as your device identifier and hardware specifications, operating system and environment configuration, usage data. We use this information for certain legitimate business purposes:

  • To better understand how people interact with our applications and services;
  • To change, personalize, or otherwise improve our applications and services;
  • Determine the effectiveness of advertising campaigns and advertising;
  • Detect, debug, and fix crashes in our applications and services;
  • To prevent security breaches and abuse.

This information helps us improve our products and services. We have no practical way to use this information to identify you personally. We can store this data for up to three years ...”


image
Source: www.opera.com/privacy

Polish researcher Michal Špaček thinks that this is not a VPN at all, but a very ordinary proxy. He published his proof on GitHub; here is his comment:

“This Opera “VPN” is essentially just a reconfigured HTTP/S proxy, which only protects traffic between Opera and the proxy, nothing more. This is not a VPN. In the settings, they themselves call this feature “secure proxy” (and also call it VPN, of course).”

The browser developers' response:

“We call our VPN a “browser VPN”. Under the hood of this solution are secure proxies that work in different parts of the world, through which all browser traffic passes in properly encrypted form. [Our solution] does not work with traffic from other applications, like system VPNs, but in the end, this is just browser VPN.”
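The distinction in this exchange, a browser proxy versus a system VPN, is visible in the routing table: a system VPN redirects the default path of every application into a tunnel interface, while a browser proxy leaves it untouched. The following is an added example, not code from the article, the researcher or Opera; the tunnel interface prefixes and the sample `ip -4 route show` outputs are constructed assumptions.

```python
import ipaddress

# Assumption: tunnel interfaces use one of these common name prefixes.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp", "utun")

def parse_routes(ip_route_output):
    """Parse `ip -4 route show` text into (network, metric, device) tuples."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        f = line.split()
        if not f or "dev" not in f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, metric, f[f.index("dev") + 1]))
    return routes

def egress_device(routes, dst):
    """Longest prefix wins, then lowest metric: the device a packet to dst uses."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, -metric, dev) for net, metric, dev in routes if addr in net]
    return max(hits, key=lambda h: h[:2])[2] if hits else None

def system_wide_tunnel(ip_route_output, probes=("1.1.1.1", "203.0.113.9")):
    """True only if probes in both halves of the IPv4 space leave via a tunnel.
    Limitation: policy routing (extra tables selected by `ip rule`) is not
    visible in the main table and is not evaluated here."""
    routes = parse_routes(ip_route_output)
    devs = [egress_device(routes, p) for p in probes]
    return all(d is not None and d.startswith(TUNNEL_PREFIXES) for d in devs)

# Constructed sample: only a "browser VPN" (proxy) is active, routes unchanged.
BROWSER_PROXY_ONLY = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed sample: system VPN that overrides the default route with two /1
# routes and keeps a host route to its own server (198.51.100.20) outside.
SYSTEM_VPN = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.20 via 192.168.1.1 dev wlan0
"""
```

On a Linux machine, pass the real output of `ip -4 route show` to `system_wide_tunnel`; a result of `False` while the browser's "VPN" toggle is on means every other application still leaves through the ordinary interface.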

How Opera makes money on you:

  • Providing information about you to commercial partners.
  • Permission (commercially) to track information about you.

Comment by Stanislav Shakirov, Technical Director, RosKomSvoboda:

“Collecting metadata and selling it to marketing agencies is standard practice for many Internet services, not just for VPNs. This is often spelled out in user agreements, but usually no one reads them. As for VPN services, of course, it is better to choose those that do not do it: it is not known how the information, even if anonymized, will be processed later, because conclusions that can harm the user can also be drawn from it.

VPN is a business that operates within a particular jurisdiction. Therefore, yes, it is absolutely legal to collect and transfer data, notifying the user of this in the user agreement. If the user agreement says nothing about this, the VPN provider is not allowed to transfer anything to a third party. But whether that is the case de facto is unknown: the service also needs to live on something, if it is free.

When we begin to use any service, it is better to think immediately about exactly how it earns money. If the service is free and does not sell your metadata, then it probably inserts its own advertising or intercepts your sensitive data, such as logins, passwords, bank card data. It happens that large and decent VPN services offer free promotional plans, but they are usually limited in speed or traffic. You also need to understand how the service itself works. Remember the nasty story with the Hola plugin, which supposedly provided a free VPN, but it turned out that when using the plugin, other users could access the network through your computer. If the actions of such persons on the network are unlawful, the police will come to the computer’s owner.”

Instead of an epilogue


Based on many years of personal experience, we can state with confidence: a private VPN service is very expensive for its owners. The provider must pay for:

  1. Maintenance of a network of servers in various countries;
  2. Traffic, which for such services is never free and unlimited due to the huge volumes of user consumption;
  3. Round-the-clock technical support, monitoring and software development.

This does not include user support, funds for development and at least some advertising.

The existence of such a service on an altruistic, free basis in our universe raises a lot of questions. What is in it for the owners? What funds cover the expenses? What is asked of the user in return? These questions are worth asking not only of free VPN services, but of any other shareware service on the Internet, especially those that work with sensitive user data.