Considering a Chinese-owned VPN? Do your homework

VPN
(Image credit: OpturaDesign / Shutterstock)

How many of today’s top VPNs might be secretly owned by Chinese firms? Whilst it might be difficult to obtain a precise figure, it is clear that a significant number of well-known VPNs do come under Chinese ownership.

Perhaps Chinese citizens present the largest consumer base (globally) for VPN services? After all, they are unable to access the majority of websites due to heavy internet censorship. This could be a significant factor driving up the number of VPNs run by Chinese organizations.

So should you be concerned if your current provider is in fact run by a Chinese firm? Let’s take a look at some areas of concern.

About the author

Sebastian Schaub is CEO and co-founder of hide.me

Transparency

Who actually owns it? If a VPN is hiding its owners’ identities is it because they’re breaking laws? The owners could be masking their profile because they want to pitch their services at those people engaging in illegal activities, such as pirating content for example. We should be able to thoroughly investigate any VPN service so that the industry can boast the very strictest standards of integrity - a bit difficult to do so when it is unclear who actually owns and runs the service.

Is the VPN part of the i2Coalition? A very practical way in which the VPN industry as a whole can take massive strides towards a unification of moral and ethical interests, is to become part of an initiative such as the Internet Infrastructure Coalition (i2Coalition) and the VPN Trust Initiative (VTI) (a consortium of VPN providers tasked with improving digital safety for consumers).

Ultimately it seeks to address VPN concerns, and proactively solve associated challenges by: defining VPN best practices, reinforcing industry standards, providing accurate information to government officials and policy makers, promoting appropriate industry-led regulations and informing the wider technology industry. A huge step forward towards complete transparency.

Data collectors

Chinese owned firms tend to favor the “free-to-use” business model. Free is great right? Not if you ask yourself what China seeks to gain from such free VPN apps? Essentially they can gain access to the massive volumes of browsing data that flows through VPN networks. To frame it in another way, China gets hold of significant amounts of foreign intelligence data.

The ‘free’ VPN business model is almost always self-serving. The servers that all VPN services rely on represent a significant financial investment - to buy, to run and to maintain. VPN service providers are not charities. They have to provide customer support, pay staff to develop apps and the list goes on.

So if the free VPN companies have to pay for all of this how do they balance their books? Clearly, such VPN companies need to sell their user’s data - information regarding users’ online activity is more valuable than people understand. And this data is exactly what the ‘free’ VPN gets when you sign up to use their service. As one example, this data is worth a lot of money for advertisers who want to use the information to profile and target leads with ads, or they give away your email to their business partners for spamming purposes.

A more worrying (and very real) scenario is when this information is sold to criminal gangs who then try to steal your identity and gather sensitive (PII) personal and financial information.

Vulnerabilities

In theory, using a VPN should keep your connection safe from government snooping, since all of the data you’re sending and receiving is encrypted. But just how secure is your VPN really? If your Chinese-owned VPN isn’t doing enough to encrypt your connection (too weak) then the Chinese government could be listening in on your chosen VPN’s web traffic.

Only recently, Comparitech’s security research team reported on how Hong-Kong based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. This exposed information included plain text passwords and information which could be used to identify VPN users and track their online activity.

If cybercriminals get their hands on such data then VPN users are exposed to several risks. For example, plain-text passwords here are particularly at threat - criminals can hijack VPN accounts, and potentially be able to carry out credential stuffing attacks on other accounts. Also, information such as IP addresses can be used to anticipate a user’s location and authenticate their online activity (bear in mind that VPNs are often used to hide users’ real locations and online activity).

The Chinese authorities have previously tightened restrictions to foreign websites. They deny access to content normally blocked by censors (the Great Firewall) and foreign news websites are often shut out for days ahead of the National People's Congress. Should you really be using a Chinese-owned VPN?

Sebastian Schaub

Sebastian Schaub, CEO, hide.me