A Large Number of Top Free VPN Apps Either Have Chinese Ownership or Are Based in China (hackernoon.com) 92
William Chalk, reporting for HackerNoon: After big names like Whatsapp, Snapchat, and Facebook, VPNs are the most searched-for applications in the world. "VPN" is the second-highest non-branded search term behind "games", and free apps completely dominate the search results. The most popular applications have amassed hundreds of millions of installs between them worldwide, yet there seems to be very little attention paid to the companies behind them, and very little scrutiny done on behalf of the marketplaces hosting them. We investigated the top free VPN apps in the App Store and Google Play Store. We found that very few of these hugely popular apps do anywhere near enough to deserve the trust of those looking to protect their privacy online. We recorded the top 20 free apps in the search results for "VPN" in the App and Play Store for UK and US locales. In total, these applications have been downloaded 80 million times from Google and 4 million times each month from Apple. Our investigation discovered that over half of the top free VPN apps either have Chinese ownership or are actually based in China, which has aggressively clamped down on VPN services in recent years and maintains an iron grip on the internet within its borders. Furthermore, we found the majority of these apps have insufficient formal privacy protections and non-existent user support.
Obviously cannot be t'rusted' (Score:5, Insightful)
No Chinese software can be trusted. None. And 'Free VPN' software cannot really be trusted.
Actually, thinking it over, no software can be 'trusted'. Not any more. At best they sell whatever they can to whoever they can. At worst, they sell out to LE or intelligence agencies because if they don;t they will have their franchise revoked, or distribution severed, or be found committing suicide with a bullet in the back of the head.
No software or hardware an be trusted. Ever. Again.
Re: (Score:2)
It matters why?
Re:Obviously cannot be t'rusted' (Score:5, Insightful)
The UK Government have recently decided, in their great, mighty and beneficent wisdom, that they shall do something to "protect children from internet pornography". Their Cunning Plan is to force all adult-themed websites to verify that users are of adult age, using one of a number of age verification services, some of which may well be UK government-sponsored. Needless to say, very few people actually care to self-register on what amounts to a register of masturbators, nor would many people care to have a list of which sites they visit available for a vast array of Government agencies, prodnoses and tabloid journalists to see. UK civil servants have a long-standing record for being quite incredibly bad at keeping sensitive information under wraps. Tricks such as encrypting data on a CD (because regulations say they must) and writing the password on the CD (because whoever wrote the regulations did not foresee such creative stupidity) have been seen in the past.
Furthermore, the age-clade of 13-18 year olds (mostly males) will also wish to view such sites and will for the most part be unable to do so, not being able to lay hands on hacked age verification credentials. So, both people who value their privacy, and adolescents who cannot obtain the age verification tokens, will be looking to use VPNs to get at the, err, reading materials.
People are for the most part cheapskates. A free VPN would seem like a wonderful gift to them, but a logged Chinese VPN is very much a poisoned chalice, especially when those doing the logging realise what a wonderful source of blackmail material they have on their hands.
Re: (Score:2)
And your argument is that being compelled by law is somehow different from 'selling out'.
Well, yes, I suppose it is, if you care what the reason is that they give your data out without your knowledge. I don't, much. Really doesn't matter to me to which agency, nor why. We already know that in the US, in the past, AT&T willingly provided the US Government with taps on Internet transmission lines that permitted virtually total surveillance. of Internet traffic in the US. No law was apparently compelling
Re: (Score:2)
Exactly, hence the issue with where they are located.
Re:Obviously cannot be t'rusted' (Score:4)
I don't know what t'rusted' is, but Chinese citizens are still heavy users of VPN services despite the ban. It's likely the reason their VPN companies are big enough to have global reach in the first place.
Fewer Chinese VPN Users (Score:2)
I think that you will find that the number of Chinese using VPNs is reducing. The government is cracking down. Would you really want to risk your treasured social credit score just to read a few western articles and a bit of porn? Most do not.
Also, if critical apps like WeChat (critical if you are in China) detect a VPN on the phone they seem to close the account.
Re: (Score:2)
Hence the need to expand into the US market...
Re: (Score:1)
Opera is out. Chinese owned
Re: (Score:2)
As in how the service is delivered?
Re: (Score:1)
Through their own corporate-owned and public-facing hardware, which would be fundamentally different from if you were running a VPN through your own private servers to which nobody else has authentication credentials.
Re:Obviously cannot be t'rusted' (Score:5, Insightful)
Open source software can be "trusted" to a fair extent. At least then, experts can look at the code and see what it's doing.
Of course there are still risks. Open source software can still have bugs. Malicious code can be obfuscated. Compiled binaries might be different from the source. Hosted services based on FOSS can still be used by the host for malicious purposes. And I don't think it can count as "open source" in situations like Android phones, where you have to run the OEM's version that has unknown alterations, and you can't just wipe it and install your own version.
Still, any real hope for trusting our hardware and software would be for us to have control of it and know what it's doing.
Re: (Score:1)
Get back control of the hardware. https://puri.sm
Re: (Score:2)
Open source software can be "trusted" to a fair extent. At least then, experts can look at the code and see what it's doing.
This is what irritates me about the software world. Open source is often reviewed to a much higher extent than closed. And people wonder why windows/ie is buggy and riddled with CVE.
Of course there are still risks. Open source software can still have bugs. Malicious code can be obfuscated.
Do you have examples? Are the projects still around? I'm surprised if code that terrible was merged.
Compiled binaries might be different from the source. Hosted services based on FOSS can still be used by the host for malicious purposes. And I don't think it can count as "open source" in situations like Android phones, where you have to run the OEM's version that has unknown alterations, and you can't just wipe it and install your own version.
Still, any real hope for trusting our hardware and software would be for us to have control of it and know what it's doing.
I don't think you can really. Maybe the best you can hope for is not to have an IP route to the internet for all your devices. I don't know how well malware copes with gateway proxies, presumably it needs to call home at some poin
Re: (Score:2)
Do you have examples? Are the projects still around? I'm surprised if code that terrible was merged.
I don't know of any cases where obfuscated malicious code was found in a live project, but it's a valid concern. It's certainly possible to obfuscate the true purpose of code, and there are even contests [wikipedia.org] to come up with cleverly obfuscated code.
Re: (Score:2)
You have to trust something, unless you intend to run all your software on a Z80 that you have previously inspected with an electron microscope to confirm it's fidelity.
Would that be possible with RISC V? I think the equipment needed to do a complete manufacturing verification on such a CPU would be difficult/expensive to get hold of, but I'm not an expert.
Re: (Score:2)
I think the equipment needed to do a complete manufacturing verification on such a CPU would be difficult/expensive to get hold of, but I'm not an expert.
If you don't build the equipment, how do you trust it?
At some point, you've got to trust someone.
How do we structure society such that untrustworthy people are removed from positions of power in a timely fashion? Because I don't want to go back to an antique CPU, and I also don't want to have to make my own CPU from artisanal sand.
Re: (Score:3)
Re: (Score:2)
I have problem trusting a VPN that I have set up myself, so when I can't review the remote end how should I be able to trust that VPN?
Re: (Score:2)
VPN software definitely can't be trusted. It doesn't mask your identity, these services can't operate without logging that information.
The only purpose for these services is to mask your traffic to avoid detection by your ISP. In the end correlating your activities with the VPN service adds additional verification of your identity and evidence of intent.
If you are going to run your traffic through a VPN at least pay for a hosted server and set up a VPN yourself.
Re: (Score:3)
The only purpose for these services is to mask your traffic to avoid detection by your ISP. In the end correlating your activities with the VPN service adds additional verification of your identity and evidence of intent.
That is a pretty good reason to run your traffic through VPN alone. Most of the spying is going to be done at that level. I don't want my ISP knowing anything about what I'm doing online. I don't want them knowing if I've surfing /., watching Netflix, or browsing Piratebay. If they don't then they can't shape my traffic to fit their purposes. Granted, my VPN provider could do the same but they have far less reasons too than my ISP does.
I have no delusions that a VPN protects me from any government s
Re: (Score:2)
"Granted, my VPN provider could do the same but they have far less reasons too than my ISP does."
They've got the same reasons. Especially when they are under the thumb of the Chinese government.
One of my worries (Score:5, Insightful)
One of my worries about VPN apps (those used for privacy) is that, although they protect your privacy against your ISP, they hand over control to the VPN provider. They can say they'll keep your information private and they won't keep logs, but you're placing a lot of trust in that provider. If they have malicious intentions, or even if their security is bad and there's a method of compromising people's privacy that they're unaware of, then you're making it very easy for your privacy to be violated.
In fact, it can be worse than whatever spying your ISP can do. With a VPN app, they'd be able to monitor your traffic anywhere you go, all tied to a specific identity, tied back to whatever credit card you've used to pay for it.
Re: (Score:1, Informative)
Re:One of my worries (Score:5, Interesting)
I tend to trust my VPN provider more than I trust my ISPs, especially the mobile ones. There is also value in routing your traffic to a different legal jurisdiction, because it makes it much harder for law enforcement to bypass due process.
Re: (Score:2)
"I tend to trust my VPN provider more than I trust my ISPs"
That's a bit like saying you'd rather your body be hacked up with a chainsaw than a wood chipper. Either will sell you out faster than a $2 hooker offered a rock.
"There is also value in routing your traffic to a different legal jurisdiction"
Not really. There are networks of cooperative agreements in place because that loophole has been well known for 20 years.
The reality is the VPN ultimately provides additional evidence of your identity beyond IP (
Re: (Score:2)
"There is also value in routing your traffic to a different legal jurisdiction"
Not really. There are networks of cooperative agreements in place because that loophole has been well known for 20 years.
It raises the cost of a compromise. They actually have to go get the data, they don't already have it on file. Your ISP will (happily or unhappily) log all your traffic and turn the data over to the government on legal request. Some foreign VPN operator might not be so forthcoming. And if they're sufficiently fly-by-night, they might well go out of business before they get around to fulfilling any requests.
Re: (Score:2)
True.
"And if they're sufficiently fly-by-night, they might well go out of business before they get around to fulfilling any requests."
Agreed. That's something I even suggested exploiting but if you actually run your traffic through such a service you should probably pay careful attention to what you do for other reasons. Selling your data on the black market is just as viable as the grey market run by traditional tech companies.
Re: (Score:2)
Alternatively set up an image for a VPN linux node on AWS or some other cloud. Provision in the morning, use its VPN one day and delete the machine afterwards. But you're absolutely right, signing up for a VPN provider will probably lead to extra checks when flying.
Re: (Score:2)
That works too. With a little more effort you can use any of the automation frameworks to put together and image that configures itself on a fresh cloud vm each day. Of course that will have a consistent fingerprint but so will doing it manually.
Re: (Score:2)
I tend to trust my VPN provider more than I trust my ISPs, especially the mobile ones.
I'm not trying to argue necessarily, but I don't really see any reason why I should trust a random VPN provider over a random ISP. I wouldn't trust either to have my best interests at heart. If anything, VPNs have more reason to snoop because they have more reason to believe that the traffic going through them is sensitive.
There is also value in routing your traffic to a different legal jurisdiction, because it makes it much harder for law enforcement to bypass due process.
True, but there's also danger in routing your traffic to a different legal jurisdiction, for a couple of reasons:
1) Though arguably it's harder for the government to bypass due process
Re: (Score:2)
I select my ISP based on availability and then on performance. I select my VPN provider based on privacy and security. So at least privacy is the main factor with a VPN.
Re: (Score:2)
Right. So you select a VPN provider that you believe you can trust. Still, that doesn't change the fact that you're putting a lot of trust in that company, and if the trust is misplaced, they could violate your privacy as badly as your ISP. Or even worse.
Re:One of my worries (Score:4, Insightful)
Don't forget to that technical issues aside in a lot cases people are trading one possible threat, local law enforcement and their own ISP where they have some contractual, statutory, and constitutional/lawful recourse against if "something" was done to them for some actor(s) in a foreign country where:
1) you may or may not be granted legal rights and protections
2) exposes you to foreign surveillance powers by own own government since your traffic is no longer domestic
3) generally face a more costly and difficult process for accessing any legal remedy
Basically the VPN guys can pretty much abuse you in any way they like. Sure you can quit using their VPN more easily than you can quit your ISP. You have the lever so if they start spamming your with ads and stuff you have control there. If they are more subtle than that and more nefarious and do something to you that isn't obvious though, chances are good there is NOTHING at all you can do about it; and they know that! Consider the incentives and disincentives. While I am not making a "if you have nothing to hide argument here" I am going to suggest that if whatever your reasons for wanting additional privacy fall short of criminal you might just be better off trusting your ISP and simply practicing good hygiene. IE - use the incognito mode in your browser as appropriate, patch your system, if you have to use 'sketchy sites' use a VM and revert the snapshot when you are done, be smart/think before your click.
Re: (Score:2)
You can't buy security or privacy. It is not an issue of price, it simply can't be sold as some sort of inventory or commodity. You can spend all you want on people who assure you that is what the have to sell you, but whatever it is that you just bought in no way can be measured by anything more than how you feel and what you believe. It is impossible to know if your privacy or security have improved or not. Either way, you'll never really know until its lost, at which point you realize that you paid
Re: (Score:2)
isn't this good? (Score:1)
Isn't it good for us in the western world who uses that VPN? Chinese wouldn't be so much obliged to cooperate with anybody.
Re: (Score:2)
Who do you trust more, Comcast, or China?
Seems like an easy choice. Harder if your ISP isnt such a dreadful company. My town wont let them in because the voters spoke up over decade ago on the matter of cable internet franchises. The country phone infrastructure is terrible and basically cant be fixed without a monumental investment that wont see an ROI in 50 years (still twisted pair from the early 80's on the poles / going into homes) so we didnt take it kindly when the local small cabl
Simple (Score:2)
And yeah, a lot of people aren't much more savvy than hearing "VPN's are secure!" so when you have the combination of wanting to have privacy fro some reason, and lack of savvy, you have a ripe spying market that thinks it is secure and more likely to share stuff.
Especially when it's free.
Rule number two is that there is no such thing as security on the internet.
Re: (Score:2)
Rule number one is that someone using a VPN probably has a reason for that.
True but it isn't necessarily anything nefarious. For example I don't like being tracked by advertising companies. The reason to use one doesn't have to be anything greater than valuing privacy.
Especially when it's free.
Yeah if something is "free" the first thing you should be questioning is why. Nothing is truly free. Nothing. These services aren't provided because someone is being generous so it if is free you need to understand their motivations.
Rule number two is that there is no such thing as security on the internet.
Not true at all. Security is always a relative state and as such there is reaso
Re: (Score:2)
Rule number two is that there is no such thing as security on the internet.
Not true at all. Security is always a relative state and as such there is reasonable security possible. Security becomes more difficult against focused, experienced, and/or well financed attackers but even then it's possible. Perfect security against all conceivable threats is impossible but that's like saying we shouldn't lock our doors because someone might own a battering ram. Security is always relative to the circumstances and likely threats one might face.
Well, if you insist. Perhaps I'm paranoid or just don't know as much as I think I do. That happens. I'm still not putting anything there that I don't consider public.
Re: (Score:3)
Rule number two is that there is no such thing as security on the internet.
There's no such thing as safety while driving a car so why wear a seatbelt? Why have airbags?
There's no such thing as security at home so why have locks on the doors? Why have security systems?
It's pretty simple. Almost no one is trying to run in to me.
But there are a lot of people and groups out there on the intertoobz that do have harmful intent, are mining you, or at best, simply trying to figure out who's saying what. It's an inherently insecure medium.
Want to get yourself noticed and considered interesting really quick? Run Tor.
If for some reason I wanted to commit crimes, the intertoobz is the last place I would have any activity related to the crime. I have my system battened do
The right tool at the right time (Score:2)
Whether the PRC having access to your surfing habits is a problem depends mostly on why you use their VPN to access something. If your reason to use it is that you don't want the US or Europe to know where you're surfing, you should be doing ok.
Re: (Score:2)
Whether the PRC having access to your surfing habits is a problem depends mostly on why you use their VPN to access something. If your reason to use it is that you don't want the US or Europe to know where you're surfing, you should be doing ok.
Anecdotally speaking, around here most people use VPNs to avoid the attention of the copyright popo. The Chinese don't give a shit if you are downloading the latest Game of Thrones or Drake album, so you should be fine.
If you are using it to exchange industrial trade secrets maybe not so much.
Re: (Score:2)
If you are using it to exchange industrial trade secrets maybe not so much.
Are you kidding? Sounds like something that China would offer to pay you to keep doing.
Owned by China (Score:2)
A large number of the largest ________ are owned by China.
It's not just VPN it's anything. Partially because they are a large country with a large population (and large companies tend to form in large markets). Partially because state sponsorship and the government TRYING to make large companies; and partially because the government restricts competition from foreign companies in some situations that an alternative will always be found domestically.
It's no surprise large VPN-companies are found in China.
Chinese VPN's are more secure than European (Score:4, Interesting)
UK and Europe based VPNs mean they don't need a search warrant to look at your traffic. Using a UK VPN is the worst thing you can do, since they cooperate closely with our law enforcement, but don't have to use warrants to spy on US citizens. The Chinese might be spying on you while you buy weed on the darkweb and torrent pornos, but the Chinese aren't going to cooperate with the US authorities.
Re:Chinese VPN's are more secure than European (Score:4, Insightful)
but the Chinese aren't going to cooperate with the US authorities.
That's true today. Who knows what the political climate will be in 5 years, 10 years... etc. You can't really trust anyone to keep your data private. You have to assume everything you do online is being stored as data by someone, somewhere, and may never be deleted.
Roll your own (Score:2)
Re: (Score:2)
I was gonna say the same (although I haven't) - I had some fun with https://github.com/StreisandEf... [github.com] a while back - it's very good :-)
As for TFA - the list of VPNs is here: https://www.top10vpn.com/free-... [top10vpn.com] I can't say I'd heard of any of them.
Re: (Score:2)
Comment removed (Score:4, Insightful)
Ancient Chinese Fable (Score:2)
Many years ago, the guardians of the Emperor's palace became very alarmed.
"Your Majesty, forgive our intrusion, but we must caution you immediately!"
The serene supreme calmly sighed, "there, there, what has upset you so?
"The Mongolians has invaded from the north - They have come n great multitude with soldiers and weaponry. They have pillaged the villages and rice paddies, raped the women, killed the farmers and burned the homes of all who resist their despotic wrath - what should we do?"
The Emperor compla
Re: (Score:3)
" killed the farmers and burned the homes of all who resist their despotic wrath - what should we do?"
The Emperor complacently shrugs."
We will build a beautiful wall.
Re: (Score:2)
The Emperor complacently shrugs."
We will build a beautiful wall.
...Even Kissinger never saw that one coming.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Foreigners? First, they want to log what the domestic users are doing. Foreigners are a second-tier priority.
Follow the money (Score:1)
Wait, you didn't pay for this? Wonder what the motive is of those who did.....
Where the simple fuck ... (Score:3)
... is the list?
Re: (Score:2)
I swear that showed up after I read TFA. Thanks.
Play store search results have a sort order? (Score:3)
Re: (Score:2)
One of the most frustrating things about the Play store is that there's no way to sort the search results. It seems like the more popular apps (based on number of reviews since it hides the exact number of downloads) are clustered near the top, but they're not in any order I've been able to determine.
It's probably a mixture of factors like all of google's search results. Ranking by score is their core competency. Age, review scores, cost (since they take a percentage), downloads...
Only VPN apps? (Score:4, Insightful)
This isn't new or limited to free VPN apps.
Just the other day we had a story about "free" GPS apps that were nothing but Google Map overlays that show ads. A few years ago there was a story about a bunch of long abandoned apps that had suddenly come alive again. It turned out that a Russian company bought the apps and their domains and had begun "updating" the app with new invasive code.
At times I feel like we're back in the late 80's / early 90's again downloading unknown cool sounding programs in the middle of the night off some guy's BBS. The difference is today the apps are surrounded in aura of legitimacy because they come from a "store".
Re: (Score:2)
indeed, people ask me to install app x or y, or show of this new app which is funny/entertaining/... (but mostly never really useful) and install just about anything.
i have a smartphone but install almost nothing, simply because i can't trust any of these apps. i do have some on there which have a paid subscription, but even those you can't be 100% sure that they are ethical enough to not mistreat your data.
Re: Only VPN apps? (Score:2)
A wonder why... (Score:2)
That was easy to figure out (Score:2)
Why China needs fake VPN products (Score:2)
China at this time does not have the direct networks into US and EU telco networks the way the NSA and GCHQ has.
How to detect a new network request deep in Chain to some random web site/service globally?
Is that a tourist, a business leader in a hotel using a VPN?
A CIA backed human rights network in China?
A MI6 agent working for a decade in China?
Someone with permission to work in China uploading a video