The cost of a ‘free’ VPN: When cheap is expensive

Polygonal vector illustration of the virtual private network's shield reading VPN and world map on the background
(Image credit: Shutterstock)

The Covid-19 pandemic has become a game changer for the VPN industry, with many discovering the service for the first time. Between 2019 and 2022, the global VPN market has nearly doubled. While only about 22.9% of Americans used a VPN at home in 2019, the number swelled to 78% in 2021. 

Having left geek territory and become a household name, VPNs are not fading back into relative obscurity. The dramatic increase in popularity VPNs have experienced can be explained by the demands of remote work, but with VPNs - it has not and will never be strictly about business. 

People use VPNs for a variety of reasons, from work to entertainment. Privacy-conscious users take advantage of VPNs’ obfuscating features to stop their internet service providers (ISP) from tracking them. Some are using VPNs to protect their data from being intercepted in public Wi-Fi hacks. With a VPN, one can break office and college firewalls, bypass geo-restrictions and outmaneuver censors. 

When it comes to choosing the best VPN services, options are seemingly endless. There are scores of both paid and free products that claim to do exactly the same. So why pay more or, rather, pay at all?

What do VPN providers need money for? 

Many ‘free’ products are either ‘free’ with an asterisk* or come with heavy strings attached. As we know, free stuff often carries a hidden cost, and in the case of ‘totally’ free VPNs users might end up paying dearly with their data. 

The thing is that sustaining a proper VPN often takes a lot of money and providers need to get it somewhere. But what do they need this money for exactly? Let’s break down the costs.

To function properly a VPN provider needs to rent multiple servers with a lot of bandwidth (usually from a colocation provider). Bandwidth is the maximum rate of data transfer over a specific connection in a given amount of time. The bandwidth itself does not come cheap if we take into account that a single VPN provider might need to cater to hundreds of thousands of users at a time. Indeed, it is such a prized commodity that some passive income services allow people to sell their unused bandwidth, charging buyers as much as $1.00 a GB. 

The server network needs to be maintained, scanned for vulnerabilities and upgraded. This requires a dedicated development and support team, which, ideally, should work round-the-clock to address issues in real time and respond timely to clients in different time zones. That in turn leads to office expenses and staff salaries.

Most popular VPN apps do not run only on one platform. To meet the expectations of those who use multiple devices with different operating systems at once (that is the majority of us), VPN providers need to customize their apps for different platforms. Thus, they need to invest money and effort in creating and updating VPN apps for Windows, macOS, iOS and Android. 

Some providers are even going beyond that.

Representational image depecting cybersecurity protection

(Image credit: Shutterstock)

A VPN can offer excellent user support, great coverage and unlimited bandwidth, but if nobody has ever heard about it, then its star is unlikely to rise on the privacy horizon. What is most likely to happen is that it’ll die an untimely death. So one has to factor in marketing and promotional expenses, including building a user-friendly website.

Some corners may be cut here and there, but not all and not everywhere. That begs the question: just how ‘totally free’ VPNs are able to operate if they do not make money from subscriptions? And then another one: what are they actually making money from?

There can be several possible answers to this question. But it ultimately boils down to this: VPNs either jeopardize their clients’ security or turn them into a commodity by sharing their data, or both.

What is the product? You are! 

It may be buried deep in their privacy policies but some free VPNs openly admit that they may collect and keep their clients’ personal data, and disclose it to third parties. 

Some free VPN apps, such as Psiphon, sustain themselves by partnering with advertisers. Psiphon says that it can share user data with partners, such as Facebook, who, in turn can track users and target them with ads. The data collected this way is subject to advertisers’ own privacy policies.

Menstrual tracking security on a phone held by a woman

(Image credit: Shutterstock)

Hotspot Shield offers both free and premium service. But if you want to use its VPN app for free, then it can “deliver third-party advertisements” to you.

There have been independent studies diving deep into how free VPNs make money. We have not set out to sift through each and every free VPN application here. For the purpose of this article, we wanted to give some examples of what strings VPN providers can attach to their free services. 

It must also be said that while some free VPNs don’t make a secret of how they make money - one just has to have enough patience to comb through their privacy policies and ToS - others may not be so open about it. And there is a good reason why: for those who use a VPN for privacy and security the fact that it shares data with third parties might become a deal-breaker. 

Suspicious permissions 

The level of permissions that free VPN apps require is another thing worth paying attention to. VPN apps may ask intrusive permissions to better advertise to users, or for malicious purposes, — the risk is, perhaps, too high to find out which case is yours. 

So if an app, for example, asks for full access to your phone, it should raise a red flag with you. The VPN apps that we’ve mentioned earlier all ask permission to READ_PHONE_STATE. Once granted, it enables the developer to get access to the user’s current cellular network information, the status of any ongoing calls and all phone accounts registered on the device. As such, it can reveal the user’s phone number and their device ID, which both could be leaked if a VPN logs data. 

You should also be concerned if a VPN app has any in-built trackers. We explained in detail why a VPN app is no place for trackers and how you can check a VPN app for trackers yourself not so long ago. In short: by building trackers into their apps, VPN providers leave themselves loopholes to collect user data. 

Laptop with mechanical eyes coming out from screen

(Image credit: Shutterstock)

Secret log-keeping and lackluster security 

This brings us to another problematic aspect of free VPNs - some of them keep logs (even if they say they don’t). And, since free VPNs do not usually boast robust security infrastructure, that means that the user’s personal data can be exposed in hacks and leaks, and, potentially, de-anonymized.

It’s more often than not that users of free VPN apps remain in the dark about these inherent risks to their privacy or learn about them from the media when it’s too late and their data has already been compromised. There are numerous examples of that, we will list just a few.

Several years ago, seven different free ‘no-log’ VPNs - all linked to the same developer - were caught red-handed storing users’ personal data on an unsecured server. Interestingly, this group of VPNs claimed to offer military-grade security features. However, the researchers from VPN Mentor found the users’ email addresses along with their passwords, in clear text in a leaked database. 

But, not only that: the VPNs also logged names, origin IP addresses, actual location, Internet Service Provider (ISP), device ID and even the sites their customers visited. What’s more, the VPN providers ignored the researchers’ attempts to contact them, and the base continued to leak for almost two weeks before the server was secured. 

The leak potentially exposed the sensitive data of up to 20 million users, including those who connected to VPN servers from the regions where using a VPN could land one in trouble with the law.  

Hacked data on screen

(Image credit: Image Library)

In another major incident last year, the personal data of more than 21 million users was put up for sale after it was stolen from three free VPN apps with over 100,000 million total installs. 

The data contained detailed user credentials, such as full names, usernames, country names, email addresses, payment-related data, device serial numbers and device IDs. The malefactor claimed that they were able to scrape publicly available databases, because VPN providers had allegedly left “default database credentials in use”.

Most recently, a free VPN app catering predominantly to Chinese users, was caught leaking personal data, including IP addresses, IDs and domain names. In July 2022, researchers at Cybernews came across a database containing 626GB connection logs belonging to the VPN. The data leaked could be used to de-anonymize the users. Moreover, the VPN’s Android app was requesting access to camera, audio recording and contacts and could potentially function as “spyware,” according to the researchers.  

The fact that a VPN is logging data may not be spelled out in its privacy policy. Moreover, even if a VPN claims that it has a strict no-log policy it does not mean that it follows it. Ultimately, it all comes down to whether a developer is trustworthy enough for you to believe its marketing pitch.

Malware and fakes 

If you thought there are no more lows for unscrupulous apps to stoop to, then you’re wrong. In addition to leaking your data they were not even supposed to be logging, some free VPN apps may potentially infect your smartphone with malware, or, even worse, squeeze you dry.

Several years ago, researchers discovered a fake VPN that could be downloaded through a spoof website designed to look exactly like the real deal. The app was in fact a data-stealing malware that could steal user credentials and cryptocurrency, among other things.

Independent studies have also shown that threat actors can bypass moderation in trusted app stores and plant fake VPNs there. Researchers have recently discovered another fake VPN app that was available for download on Google Play Store and was attributed to a known hacker group. The app was allegedly created for a phishing scam, and was designed to resemble the legitimate app of the same name.   

Attention warning attacker alert sign with exclamation mark on dark red background.Security protection Concept.

(Image credit: Shutterstock)

Free and safe VPNs do exist 

All the above does not mean that there are no free and safe VPNs whatsoever. Some reputable developers of paid VPN do offer free options, however, they usually come with limited functionality and are known as “freemium.” There can be a cap on the number of devices, as well as on servers and bandwidth available. 

While this is a great way to test a VPN out, it’s hardly a long-term solution unless you use a VPN very sporadically. For instance, you can use AdGuard VPN on 2 devices at the same time for free, but the speed limit will be set to 20 Mbps and the traffic will be capped at 3 GB a month.

Since the number of servers that are available for free is also usually strictly limited, they can be too crowded at any given time to accommodate everybody with a reasonable speed. Therefore, connection may be lagging.

How to make sure you’re on the safe side 

If you are not ready to buy a subscription just yet, here are several rules to follow when choosing a free VPN. 

  • Use a VPN app from a trusted developer
  • Read a VPN’s privacy policy and Terms of Service (TOS) before downloading it
  • Remember: a huge number of downloads and positive reviews do not necessarily mean that a particular VPN is safe - most users have low expectations for free VPNs and are already satisfied if they allow them to access some geo-blocked content without throttling their internet connection too much. Moreover, some of the most popular free VPNs are known to have been sharing user data with third parties, which has done little to curb their popularity 
  • Pay attention to the permissions required by the app. Normally, a VPN does not need access to your contacts, and if it does - then something may be phishy. 
  • Check a VPN app for trackers. They may be rather benign or not. You can follow instructions in our previous article to check a VPN app for trackers on your own.

However, if you need a VPN on a more or less regular basis, then we recommend investing into a paid VPN service. 

Andrey Meshkov is co-founder and CTO of Adguard.