Last week it was revealed that Facebook was using a virtual private network—a VPN—to collect data on some of its users. These users willingly installed software that monitored all their phone activity, including web and app use, and fed it back to the social network for analysis. Although participants were paid to let Facebook’s VPN spy on them, the practice goes against Apple’s policies: Apps aren’t allowed to install anything on users’ phones that is meant to collect data for business purposes and sell it to third parties. It’s yet another bad PR moment for Facebook, but also a welcome reminder of just how nefarious VPNs can be. Their ostensible purpose is to shield consumer behavior from service providers, but oftentimes the companies that provide VPNs collect that same data for themselves along the way.
For starters: A VPN is software that routes all of a device’s internet traffic through an encrypted tunnel to a server run by the VPN provider. The internet service provider (ISP) carrying the connection sees only encrypted packets addressed to that server; it can no longer see which websites and apps the user is talking to. The VPN provider, however, decrypts the traffic at its end and sees exactly what the ISP would otherwise have seen. In other words, a VPN does not eliminate the party that can watch your traffic; it swaps the ISP for the VPN provider. In some cases this is for illicit purposes (think shopping on the Dark Web); in others, it’s totally innocent (for example, I used a VPN when I lived in the Caribbean so I could watch Netflix). The catch is that a VPN provider, as in Facebook’s case, can use that privileged position to hoard users’ information for its own purposes.
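The following is an added example, not code from the article or from any VPN vendor, that makes the point above concrete: it builds a toy tunnel and reports what the ISP and the VPN provider can each observe for the same packet. The addresses are assumed values from the RFC 5737 documentation ranges, the tunnel port is assumed, and the encryption is a demonstration construct built from HMAC-SHA256, not the AEAD cipher a real VPN such as WireGuard, OpenVPN or IPsec would use.

```python
"""What each vantage point can see with and without a VPN tunnel.

Added example, not code from the article or from any VPN vendor. Addresses
are RFC 5737 documentation ranges chosen for the demo, and the tunnel
encryption is a demonstration construct built from HMAC-SHA256; a real
VPN (WireGuard, OpenVPN, IPsec) uses a proper AEAD cipher instead.
"""
import hashlib
import hmac
import json
import os

CLIENT = "198.51.100.7"       # assumed: the user's device
VPN_SERVER = "203.0.113.10"   # assumed: the VPN provider's endpoint
WEBSITE = "192.0.2.44"        # assumed: the site the user actually visits
TUNNEL_KEY = os.urandom(32)   # assumed: secret the client and VPN server already share


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Demo only, not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def encapsulate(inner: dict, key: bytes) -> dict:
    """Client side: encrypt and authenticate the real packet, then address the
    result to the VPN server. Only the outer header is visible on the wire."""
    plaintext = json.dumps(inner, sort_keys=True).encode()
    nonce = os.urandom(12)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "src": CLIENT,
        "dst": VPN_SERVER,
        "proto": "udp/51820",   # assumed tunnel port
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decapsulate(outer: dict, key: bytes) -> dict:
    """VPN server side: verify the tag before decrypting, then recover the inner packet."""
    nonce = bytes.fromhex(outer["nonce"])
    ciphertext = bytes.fromhex(outer["ciphertext"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(outer["tag"])):
        raise ValueError("tunnel packet failed authentication")
    return json.loads(_xor(ciphertext, _keystream(key, nonce, len(ciphertext))))


def isp_view(packet: dict) -> dict:
    """Metadata an on-path observer such as the ISP records: addresses and ports.
    Payload bytes are not included, whether they are encrypted or not."""
    return {"src": packet["src"], "dst": packet["dst"], "proto": packet["proto"]}


def vpn_provider_view(outer: dict, key: bytes) -> dict:
    """The provider decrypts the tunnel, so it sees the inner packet's metadata:
    exactly what the ISP would have seen had there been no VPN."""
    return isp_view(decapsulate(outer, key))


def demo() -> dict:
    """Run one packet through both paths and report who sees which destination."""
    inner = {"src": CLIENT, "dst": WEBSITE, "proto": "tcp/443",
             "payload": "TLS ClientHello (constructed sample)"}
    outer = encapsulate(inner, TUNNEL_KEY)

    # An on-path attacker flipping one byte must be detected, not silently decrypted.
    tampered = dict(outer)
    ct = bytearray.fromhex(outer["ciphertext"])
    ct[0] ^= 0xFF
    tampered["ciphertext"] = ct.hex()
    try:
        decapsulate(tampered, TUNNEL_KEY)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "isp_sees_without_vpn": isp_view(inner)["dst"],
        "isp_sees_with_vpn": isp_view(outer)["dst"],
        "vpn_provider_sees": vpn_provider_view(outer, TUNNEL_KEY)["dst"],
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the ISP's view of the destination changing from the website to the VPN server once the tunnel is in place, while the VPN provider's view is the website: the same metadata, now in different hands. Whether the provider also sees the payload depends on whether the inner connection is itself encrypted (HTTPS) or not.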
Facebook tried this when it purchased a company called Onavo and created an app called Onavo Protect. The app was a VPN that promised to encrypt user data, and it did so by routing all user activity through Facebook’s own servers, where Facebook could analyze it. The company line, of course, is that Facebook can use this information to improve its services, but Facebook is, by and large, a targeted advertising network, and such information clearly aids those purposes. Apple pulled Onavo from the App Store last August, so Facebook then took the direct VPN route.
“There are very few free VPNs that are actually safe to use,” says Ariel Hochstadt, a former Google employee who cofounded VPN review service vpnMentor. “As a general rule, if it’s free, they make money off of you, one way or another.” Hochstadt points out that the Chinese government creates and offers consumers free VPNs—which, of course, are used to spy on their internet activity. That doesn’t mean VPNs based stateside are necessarily more secure, though. If you Google “free VPN,” you will find pages and pages of options, but before installing anything, look at the site’s or app’s terms of service or privacy policies to make sure it says, in no uncertain terms, that the VPN provider is not logging user data. “If they don’t specify that they have a no-logs policy, stay away,” says Hochstadt.
Unfortunately, sometimes even digging into the legalese can’t reveal whether a VPN is shady or not. “Some companies actually admit to collecting your data for advertising purposes, but this is pretty rare,” says John Mason, the cofounder of another VPN review site called The Best VPN. “Even if they don’t, you may discover this yourself if you start to notice certain ads are following you despite having the VPN active.” Mason says one way to know whether a VPN is secure or not is to find out if its provider is based in a “14-eyes country,” a term used in the security and privacy industry for an intelligence-sharing arrangement under which member countries exchange collected data across borders. The Five Eyes countries are better known: The agreement among Australia, Canada, New Zealand, the U.S., and the U.K. dates back to the 1946 UKUSA Agreement, the text of which was not declassified until 2010. Broader arrangements, commonly called the Nine Eyes and 14 Eyes, extend that sharing to additional European countries. The 14-eyes countries are Australia, Canada, New Zealand, the U.K., the U.S., Denmark, France, the Netherlands, Norway, Germany, Belgium, Italy, Sweden, and Spain. A VPN provider based in one of these countries can be compelled by local law to log and hand over user data, whatever its marketing says, which is why privacy reviewers treat jurisdiction as a warning sign. (There are many privacy websites that can tell you where a VPN provider is based and whether it’s in a 14-eyes country.)
This may surprise consumers who associate U.S.-made software with security: a U.S. company is easier to identify, and its site looks like other “safe” websites. “With some products, American or German headquarters indicate a high-quality company,” says Hochstadt. “This isn’t true of VPNs, though. Some countries, including the U.S., have signed treaties that oblige them to share user data with other countries. ISPs must therefore comply with those laws.” According to Hochstadt, a U.S.-based VPN would legally be required to share user information with another country if a user is doing something considered illegal in that country, even if it isn’t illegal in the U.S. So where should you get a VPN from? Hochstadt recommends VPNs based in the British Virgin Islands, Panama, Switzerland, and anywhere else not on the above list.
Of course, in the case of Facebook’s VPN, users weren’t actively looking for a network to block their activity from service providers—Facebook just up and offered them one. In fact, the social network paid them to use it. And maybe that’s the most obvious sign of a shady service.