Privacy China

A Large Number of Top Free VPN Apps Either Have Chinese Ownership or Are Based in China (hackernoon.com) 92

William Chalk, reporting for HackerNoon: After big names like WhatsApp, Snapchat, and Facebook, VPNs are the most searched-for applications in the world. "VPN" is the second-highest non-branded search term behind "games", and free apps completely dominate the search results. The most popular applications have amassed hundreds of millions of installs between them worldwide, yet there seems to be very little attention paid to the companies behind them, and very little scrutiny done on behalf of the marketplaces hosting them. We investigated the top free VPN apps in the App Store and Google Play Store. We found that very few of these hugely popular apps do anywhere near enough to deserve the trust of those looking to protect their privacy online. We recorded the top 20 free apps in the search results for "VPN" in the App and Play Store for UK and US locales. In total, these applications have been downloaded 80 million times from Google and 4 million times each month from Apple. Our investigation discovered that over half of the top free VPN apps either have Chinese ownership or are actually based in China, which has aggressively clamped down on VPN services in recent years and maintains an iron grip on the internet within its borders. Furthermore, we found the majority of these apps have insufficient formal privacy protections and non-existent user support.
This discussion has been archived. No new comments can be posted.

  • by rickb928 ( 945187 ) on Monday January 21, 2019 @09:31AM (#57995428) Homepage Journal

    No Chinese software can be trusted. None. And 'Free VPN' software cannot really be trusted.

    Actually, thinking it over, no software can be 'trusted'. Not any more. At best they sell whatever they can to whoever they can. At worst, they sell out to LE or intelligence agencies because if they don't they will have their franchise revoked, or distribution severed, or be found committing suicide with a bullet in the back of the head.

    No software or hardware can be trusted. Ever. Again.

    • by omnichad ( 1198475 ) on Monday January 21, 2019 @09:38AM (#57995472) Homepage

      I don't know what t'rusted' is, but Chinese citizens are still heavy users of VPN services despite the ban. It's likely the reason their VPN companies are big enough to have global reach in the first place.

      • I think that you will find that the number of Chinese using VPNs is reducing. The government is cracking down. Would you really want to risk your treasured social credit score just to read a few western articles and a bit of porn? Most do not.

        Also, if critical apps like WeChat (critical if you are in China) detect a VPN on the phone they seem to close the account.

    • by Anonymous Coward

      Opera is out. Chinese owned

    • by nine-times ( 778537 ) <nine.times@gmail.com> on Monday January 21, 2019 @09:57AM (#57995570) Homepage

      Open source software can be "trusted" to a fair extent. At least then, experts can look at the code and see what it's doing.

      Of course there are still risks. Open source software can still have bugs. Malicious code can be obfuscated. Compiled binaries might be different from the source. Hosted services based on FOSS can still be used by the host for malicious purposes. And I don't think it can count as "open source" in situations like Android phones, where you have to run the OEM's version that has unknown alterations, and you can't just wipe it and install your own version.

      Still, any real hope for trusting our hardware and software would be for us to have control of it and know what it's doing.

      • by Anonymous Coward

        Get back control of the hardware. https://puri.sm

      • Open source software can be "trusted" to a fair extent. At least then, experts can look at the code and see what it's doing.

        This is what irritates me about the software world. Open source is often reviewed to a much higher extent than closed. And people wonder why windows/ie is buggy and riddled with CVE.

        Of course there are still risks. Open source software can still have bugs. Malicious code can be obfuscated.

        Do you have examples? Are the projects still around? I'm surprised if code that terrible was merged.

        Compiled binaries might be different from the source. Hosted services based on FOSS can still be used by the host for malicious purposes. And I don't think it can count as "open source" in situations like Android phones, where you have to run the OEM's version that has unknown alterations, and you can't just wipe it and install your own version.
        Still, any real hope for trusting our hardware and software would be for us to have control of it and know what it's doing.

        I don't think you can really. Maybe the best you can hope for is not to have an IP route to the internet for all your devices. I don't know how well malware copes with gateway proxies, presumably it needs to call home at some poin

        • Do you have examples? Are the projects still around? I'm surprised if code that terrible was merged.

          I don't know of any cases where obfuscated malicious code was found in a live project, but it's a valid concern. It's certainly possible to obfuscate the true purpose of code, and there are even contests [wikipedia.org] to come up with cleverly obfuscated code.

    • by AmiMoJo ( 196126 )

      You have to trust something, unless you intend to run all your software on a Z80 that you have previously inspected with an electron microscope to confirm its fidelity.

      Would that be possible with RISC V? I think the equipment needed to do a complete manufacturing verification on such a CPU would be difficult/expensive to get hold of, but I'm not an expert.

      • I think the equipment needed to do a complete manufacturing verification on such a CPU would be difficult/expensive to get hold of, but I'm not an expert.

        If you don't build the equipment, how do you trust it?

        At some point, you've got to trust someone.

        How do we structure society such that untrustworthy people are removed from positions of power in a timely fashion? Because I don't want to go back to an antique CPU, and I also don't want to have to make my own CPU from artisanal sand.

    • Calm down Adama.
    • by Z00L00K ( 682162 )

      I have a problem trusting a VPN that I have set up myself, so when I can't review the remote end how should I be able to trust that VPN?

    • by Shaitan ( 22585 )

      VPN software definitely can't be trusted. It doesn't mask your identity, these services can't operate without logging that information.

      The only purpose for these services is to mask your traffic to avoid detection by your ISP. In the end correlating your activities with the VPN service adds additional verification of your identity and evidence of intent.

      If you are going to run your traffic through a VPN at least pay for a hosted server and set up a VPN yourself.

      • by jwhyche ( 6192 )

        The only purpose for these services is to mask your traffic to avoid detection by your ISP. In the end correlating your activities with the VPN service adds additional verification of your identity and evidence of intent.

        That is a pretty good reason to run your traffic through VPN alone. Most of the spying is going to be done at that level. I don't want my ISP knowing anything about what I'm doing online. I don't want them knowing if I'm surfing /., watching Netflix, or browsing Piratebay. If they don't then they can't shape my traffic to fit their purposes. Granted, my VPN provider could do the same but they have far less reasons to than my ISP does.

        I have no delusions that a VPN protects me from any government s

        • by Shaitan ( 22585 )

          "Granted, my VPN provider could do the same but they have far less reasons to than my ISP does."

          They've got the same reasons. Especially when they are under the thumb of the Chinese government.

  • One of my worries (Score:5, Insightful)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Monday January 21, 2019 @09:32AM (#57995436) Homepage

    One of my worries about VPN apps (those used for privacy) is that, although they protect your privacy against your ISP, they hand over control to the VPN provider. They can say they'll keep your information private and they won't keep logs, but you're placing a lot of trust in that provider. If they have malicious intentions, or even if their security is bad and there's a method of compromising people's privacy that they're unaware of, then you're making it very easy for your privacy to be violated.

    In fact, it can be worse than whatever spying your ISP can do. With a VPN app, they'd be able to monitor your traffic anywhere you go, all tied to a specific identity, tied back to whatever credit card you've used to pay for it.

    • Re: (Score:1, Informative)

      Much like using Tor: the exit nodes are all monitored so it is even worse for privacy. It makes it easier for surveillance though: they just need to get the information from a single place.
    • Re:One of my worries (Score:5, Interesting)

      by AmiMoJo ( 196126 ) on Monday January 21, 2019 @10:08AM (#57995626) Homepage Journal

      I tend to trust my VPN provider more than I trust my ISPs, especially the mobile ones. There is also value in routing your traffic to a different legal jurisdiction, because it makes it much harder for law enforcement to bypass due process.

      • by Shaitan ( 22585 )

        "I tend to trust my VPN provider more than I trust my ISPs"

        That's a bit like saying you'd rather your body be hacked up with a chainsaw than a wood chipper. Either will sell you out faster than a $2 hooker offered a rock.

        "There is also value in routing your traffic to a different legal jurisdiction"

        Not really. There are networks of cooperative agreements in place because that loophole has been well known for 20 years.

        The reality is the VPN ultimately provides additional evidence of your identity beyond IP (

        • "There is also value in routing your traffic to a different legal jurisdiction"

          Not really. There are networks of cooperative agreements in place because that loophole has been well known for 20 years.

          It raises the cost of a compromise. They actually have to go get the data, they don't already have it on file. Your ISP will (happily or unhappily) log all your traffic and turn the data over to the government on legal request. Some foreign VPN operator might not be so forthcoming. And if they're sufficiently fly-by-night, they might well go out of business before they get around to fulfilling any requests.

          • by Shaitan ( 22585 )

            True.

            "And if they're sufficiently fly-by-night, they might well go out of business before they get around to fulfilling any requests."

            Agreed. That's something I even suggested exploiting but if you actually run your traffic through such a service you should probably pay careful attention to what you do for other reasons. Selling your data on the black market is just as viable as the grey market run by traditional tech companies.

        • by sosume ( 680416 )

          Alternatively set up an image for a VPN linux node on AWS or some other cloud. Provision in the morning, use its VPN one day and delete the machine afterwards. But you're absolutely right, signing up for a VPN provider will probably lead to extra checks when flying.

          • by Shaitan ( 22585 )

            That works too. With a little more effort you can use any of the automation frameworks to put together an image that configures itself on a fresh cloud vm each day. Of course that will have a consistent fingerprint but so will doing it manually.

      • I tend to trust my VPN provider more than I trust my ISPs, especially the mobile ones.

        I'm not trying to argue necessarily, but I don't really see any reason why I should trust a random VPN provider over a random ISP. I wouldn't trust either to have my best interests at heart. If anything, VPNs have more reason to snoop because they have more reason to believe that the traffic going through them is sensitive.

        There is also value in routing your traffic to a different legal jurisdiction, because it makes it much harder for law enforcement to bypass due process.

        True, but there's also danger in routing your traffic to a different legal jurisdiction, for a couple of reasons:

        1) Though arguably it's harder for the government to bypass due process

        • by AmiMoJo ( 196126 )

          I select my ISP based on availability and then on performance. I select my VPN provider based on privacy and security. So at least privacy is the main factor with a VPN.

          • Right. So you select a VPN provider that you believe you can trust. Still, that doesn't change the fact that you're putting a lot of trust in that company, and if the trust is misplaced, they could violate your privacy as badly as your ISP. Or even worse.

    • by DarkOx ( 621550 ) on Monday January 21, 2019 @10:10AM (#57995638) Journal

      Don't forget too that, technical issues aside, in a lot of cases people are trading one possible threat, local law enforcement and their own ISP where they have some contractual, statutory, and constitutional/lawful recourse against if "something" was done to them for some actor(s) in a foreign country where:

      1) you may or may not be granted legal rights and protections
      2) exposes you to foreign surveillance powers by your own government since your traffic is no longer domestic
      3) generally face a more costly and difficult process for accessing any legal remedy

      Basically the VPN guys can pretty much abuse you in any way they like. Sure you can quit using their VPN more easily than you can quit your ISP. You have the lever so if they start spamming you with ads and stuff you have control there. If they are more subtle than that and more nefarious and do something to you that isn't obvious though, chances are good there is NOTHING at all you can do about it; and they know that! Consider the incentives and disincentives. While I am not making a "if you have nothing to hide argument here" I am going to suggest that if whatever your reasons for wanting additional privacy fall short of criminal you might just be better off trusting your ISP and simply practicing good hygiene. IE - use the incognito mode in your browser as appropriate, patch your system, if you have to use 'sketchy sites' use a VM and revert the snapshot when you are done, be smart/think before you click.

    • by Bob_Who ( 926234 )

      You can't buy security or privacy. It is not an issue of price, it simply can't be sold as some sort of inventory or commodity. You can spend all you want on people who assure you that is what they have to sell you, but whatever it is that you just bought in no way can be measured by anything more than how you feel and what you believe. It is impossible to know if your privacy or security have improved or not. Either way, you'll never really know until it's lost, at which point you realize that you paid

    • Not only that, traffic on VPN is certainly more 'interesting' to various parties/authorities. Wanna dig dirt? Go for VPN instead of unencrypted traffic.
  • by Anonymous Coward

    Isn't it good for us in the western world who uses that VPN? Chinese wouldn't be so much obliged to cooperate with anybody.

    • My thought too.

      Who do you trust more, Comcast, or China?

      Seems like an easy choice. Harder if your ISP isn't such a dreadful company. My town won't let them in because the voters spoke up over a decade ago on the matter of cable internet franchises. The country phone infrastructure is terrible and basically can't be fixed without a monumental investment that won't see an ROI in 50 years (still twisted pair from the early 80's on the poles / going into homes) so we didn't take it kindly when the local small cabl
  • Rule number one is that someone using a VPN probably has a reason for that.

    And yeah, a lot of people aren't much more savvy than hearing "VPN's are secure!" so when you have the combination of wanting to have privacy for some reason, and lack of savvy, you have a ripe spying market that thinks it is secure and more likely to share stuff.

    Especially when it's free.

    Rule number two is that there is no such thing as security on the internet.

    • by sjbe ( 173966 )

      Rule number one is that someone using a VPN probably has a reason for that.

      True but it isn't necessarily anything nefarious. For example I don't like being tracked by advertising companies. The reason to use one doesn't have to be anything greater than valuing privacy.

      Especially when it's free.

      Yeah if something is "free" the first thing you should be questioning is why. Nothing is truly free. Nothing. These services aren't provided because someone is being generous so if it is free you need to understand their motivations.

      Rule number two is that there is no such thing as security on the internet.

      Not true at all. Security is always a relative state and as such there is reaso

      • Rule number two is that there is no such thing as security on the internet.

        Not true at all. Security is always a relative state and as such there is reasonable security possible. Security becomes more difficult against focused, experienced, and/or well financed attackers but even then it's possible. Perfect security against all conceivable threats is impossible but that's like saying we shouldn't lock our doors because someone might own a battering ram. Security is always relative to the circumstances and likely threats one might face.

        Well, if you insist. Perhaps I'm paranoid or just don't know as much as I think I do. That happens. I'm still not putting anything there that I don't consider public.

  • Whether the PRC having access to your surfing habits is a problem depends mostly on why you use their VPN to access something. If your reason to use it is that you don't want the US or Europe to know where you're surfing, you should be doing ok.

    • Whether the PRC having access to your surfing habits is a problem depends mostly on why you use their VPN to access something. If your reason to use it is that you don't want the US or Europe to know where you're surfing, you should be doing ok.

      Anecdotally speaking, around here most people use VPNs to avoid the attention of the copyright popo. The Chinese don't give a shit if you are downloading the latest Game of Thrones or Drake album, so you should be fine.

      If you are using it to exchange industrial trade secrets maybe not so much.

      • If you are using it to exchange industrial trade secrets maybe not so much.

        Are you kidding? Sounds like something that China would offer to pay you to keep doing.

  • A large number of the largest ________ are owned by China.

    It's not just VPN it's anything. Partially because they are a large country with a large population (and large companies tend to form in large markets). Partially because state sponsorship and the government TRYING to make large companies; and partially because the government restricts competition from foreign companies in some situations that an alternative will always be found domestically.

    It's no surprise large VPN-companies are found in China.

  • by Anonymous Coward on Monday January 21, 2019 @09:53AM (#57995558)

    UK and Europe based VPNs mean they don't need a search warrant to look at your traffic. Using a UK VPN is the worst thing you can do, since they cooperate closely with our law enforcement, but don't have to use warrants to spy on US citizens. The Chinese might be spying on you while you buy weed on the darkweb and torrent pornos, but the Chinese aren't going to cooperate with the US authorities.

  • This is why I just roll my own. I don't think I would be able to trust any VPN service provider for precisely this reason. Corporations do all kinds of shady shit so the only way you can be reasonably certain of your own security is to take matters into your own hands. When you configure, control, and manage your own VPN solution, you can be reasonably certain that you're secure.
    • I was gonna say the same (although I haven't) - I had some fun with https://github.com/StreisandEf... [github.com] a while back - it's very good :-)

      As for TFA - the list of VPNs is here: https://www.top10vpn.com/free-... [top10vpn.com] I can't say I'd heard of any of them.

    • That's not a bad idea, but how do you handle the issue of which internet connection to use? Given that the whole point is hide your communication, to be effective the VPN endpoint would need to be somewhere that isn't tied to you. So no running it through your home line or a business.
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Monday January 21, 2019 @10:17AM (#57995684)
    Comment removed based on user account deletion
  • Many years ago, the guardians of the Emperor's palace became very alarmed.

    "Your Majesty, forgive our intrusion, but we must caution you immediately!"

    The serene supreme calmly sighed, "there, there, what has upset you so?"

    "The Mongolians have invaded from the north - They have come in great multitude with soldiers and weaponry. They have pillaged the villages and rice paddies, raped the women, killed the farmers and burned the homes of all who resist their despotic wrath - what should we do?"

    The Emperor compla

    • " killed the farmers and burned the homes of all who resist their despotic wrath - what should we do?"

      The Emperor complacently shrugs."

      We will build a beautiful wall.

      • by Bob_Who ( 926234 )

        The Emperor complacently shrugs."

        We will build a beautiful wall.

        ...Even Kissinger never saw that one coming.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday January 21, 2019 @10:27AM (#57995722)
    Comment removed based on user account deletion
  • Wait, you didn't pay for this? Wonder what the motive is of those who did.....

  • by CaptainDork ( 3678879 ) on Monday January 21, 2019 @11:24AM (#57996060)

    ... is the list?

  • by Solandri ( 704621 ) on Monday January 21, 2019 @12:32PM (#57996608)
    One of the most frustrating things about the Play store is that there's no way to sort the search results. It seems like the more popular apps (based on number of reviews since it hides the exact number of downloads) are clustered near the top, but they're not in any order I've been able to determine. So "top 20 free apps" is kinda meaningless unless you know the sort order.
    • One of the most frustrating things about the Play store is that there's no way to sort the search results. It seems like the more popular apps (based on number of reviews since it hides the exact number of downloads) are clustered near the top, but they're not in any order I've been able to determine.

      It's probably a mixture of factors like all of google's search results. Ranking by score is their core competency. Age, review scores, cost (since they take a percentage), downloads...

  • Only VPN apps? (Score:4, Insightful)

    by doubledown00 ( 2767069 ) on Monday January 21, 2019 @01:30PM (#57997040)
    One should be worried about everything from the app store. It is awash in "free" games, GPS apps, etc that do nothing but masquerade as ad delivery conduits that also spy on the user.

    This isn't new or limited to free VPN apps.

    Just the other day we had a story about "free" GPS apps that were nothing but Google Map overlays that show ads. A few years ago there was a story about a bunch of long abandoned apps that had suddenly come alive again. It turned out that a Russian company bought the apps and their domains and had begun "updating" the app with new invasive code.

    At times I feel like we're back in the late 80's / early 90's again downloading unknown cool sounding programs in the middle of the night off some guy's BBS. The difference is today the apps are surrounded in an aura of legitimacy because they come from a "store".
    • by sad_ ( 7868 )

      indeed, people ask me to install app x or y, or show off this new app which is funny/entertaining/... (but mostly never really useful) and install just about anything.
      i have a smartphone but install almost nothing, simply because i can't trust any of these apps. i do have some on there which have a paid subscription, but even those you can't be 100% sure that they are ethical enough to not mistreat your data.

      • And even the paid "trusted" apps are one private buyout away from being in unknown hands. If you're an app developer who happens to stumble on something people like and would pay for and someone wants to buy it for a couple million......
  • Oh wait, Chinese are the biggest users of VPN, of course there are many VPN providers there. Are you retarded not realizing this?
  • Yeah... I mean Chinese owned... based out of China. Damn it must have taken decades to figure out.
  • China needs to understand the entire internet people use in real time the way the NSA and GCHQ can.
    China at this time does not have the direct networks into US and EU telco networks the way the NSA and GCHQ have.
    How to detect a new network request deep in China to some random web site/service globally?
    Is that a tourist, a business leader in a hotel using a VPN?
    A CIA backed human rights network in China?
    A MI6 agent working for a decade in China?
    Someone with permission to work in China uploading a video
