Privacy Security Software The Internet

Popular VPN and Ad-Blocking Apps Are Secretly Harvesting User Data (buzzfeednews.com) 46

An anonymous reader quotes a report from BuzzFeed News: Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don't disclose their connection to the company or reveal that they feed user data to Sensor Tower's products, have more than 35 million downloads. Since 2015, Sensor Tower has owned at least 20 Android and iOS apps. Four of these -- Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus -- were recently available in the Google Play store. Adblock Focus and Luna VPN were in Apple's App Store. Apple removed Adblock Focus and Google removed Mobile Data after being contacted by BuzzFeed News. The companies said they continue to investigate.

Once installed, Sensor Tower's apps prompt users to install a root certificate, a small file that lets its issuer access all traffic and data passing through a phone. The company told BuzzFeed News it only collects anonymized usage and analytics data, which is integrated into its products. Sensor Tower's app intelligence platform is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps.
Randy Nelson, Sensor Tower's head of mobile insights, said the company's apps do not collect sensitive data or personally identifiable information and that "the vast majority of these apps listed are now defunct (inactive) and a few are in the process of sunsetting." But, as BuzzFeed points out, most of the apps are no longer available "because they were removed due to policy violations."

  • I mean... (Score:5, Insightful)

    by satanicat ( 239025 ) on Tuesday March 10, 2020 @08:03AM (#59814486)

    At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...

    • Re:I mean... (Score:4, Interesting)

      by klingens ( 147173 ) on Tuesday March 10, 2020 @08:22AM (#59814536)
      Yes, you are so right! I was always suspicious how those dastardly Debian developers can produce a distro for more than 20 years now and not wanting a single penny from me!
      • by aitikin ( 909209 )

        Yes, you are so right! I was always suspicious how those dastardly Debian developers can produce a distro for more than 20 years now and not wanting a single penny from me!

        Of course they would want money from you, that's why there's a donations [debian.org] page.

      • How do those vpn companies pay for the metal and network access? Through their own donated time?
      • With the usual bait-and-switch formula. You get the product for free, but then they sell you the consulting.

        No, wait, that was Red Hat.

    • by Merk42 ( 1906718 )
      but..but.. I'm entitled to things for free!
      • by Z80a ( 971949 )

        Okay, where's the paid option that doesn't still sell all your data on the data black market?

    • by MrKaos ( 858439 )

      At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...

      Didn't Jeff Bezos say this?

    • Exactly. If it isn't a product or service that you can run as a hobby, like the old dial-up BBSes, or a website that will cost you under $100 a month to operate, chances are they will need some sort of payment to keep it operational. This can be from any combination of advertising, collecting your user data, grants, government funding, corporate funding (often as a way to sell the higher-end version of the product)....

      Even if you don't have to pay them money it isn't free, and you will probably have to sacr

      • I think that educational content should be of high quality. People want to find useful information about self-education and self-realization. Such information https://www.aresearchguide.com... [aresearchguide.com] may be paid or free. It depends on the implementation methods and the way of interacting with informative resources.
    • Not to mention, it's LOGICALLY the place shady government agencies are going to START with.

      If I was the NSA, I'd be behind (or at least have my fingers deep into) every single VPN service that exists - *particularly* the ones set up in other countries.

      Unless you build and run your OWN VPN system entirely by yourself, there's no way to be paranoid enough.

      • Unless you build and run your OWN VPN system entirely by yourself, there's no way to be paranoid enough.

        Which is exactly why I think Apple should offer their own VPN service, directly integrated into macOS and iOS.

    • At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...

      Free healthcare for all!

      • That's not free, you're paying for it.

        In case you're wondering what that "tax" thing is that everyone's bitching about.

    • Comment removed based on user account deletion
      • Yes, somebody else made a comment similar to this, I think they were talking about Debian. I did make a bold statement, and you're right, my statement isn't always the case. (part of why I used the language 'likely' and not 'always') But I did make the statement in a very focused way, I was talking about an app, not a community driven ecosystem.

        Linux, and the FSF as a whole are kind of odd beasts because they imply an awful lot. For one, they are open source, and the community gets to participate. My co

    • Re:I mean... (Score:5, Informative)

      by JustAnotherOldGuy ( 4145623 ) on Tuesday March 10, 2020 @12:25PM (#59815400) Journal

      At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...

      True, but these days even if you pay for it, you're still the product.

      Pay for Windows, get tracked. Buy a Mac, get tracked. Buy any phone, get tracked.

      The line between free and paid has been erased in pursuit of that sweet, sweet user data.

    • Comment removed based on user account deletion
    • This. If it's free, you're the product. How else would they make money? Nobody's doing it for charity. People still believe in free lunch.
  • by Sarten-X ( 1102295 ) on Tuesday March 10, 2020 @09:03AM (#59814646) Homepage

    The primary purpose of most public VPNs' existence is to take money from paranoiacs. Should I now be surprised they're taking personal data, too?

    • Re:Not surprising (Score:5, Informative)

      by rho ( 6063 ) on Tuesday March 10, 2020 @09:11AM (#59814684) Journal

      It needs to be beat into everybody's head that VPNs are not for anonymity. It is not their purpose and never has been. If a company is telling you to "protect your privacy online" by using their service, they are lying to you.

      VPNs encrypt data over the Internet. It's in the name, a virtual private network. If you control both ends of the VPN, it's your private network. If you're using somebody else's software and endpoint, it's their private network.

      • Well, yeah and no. It somewhat protects your privacy on that dodgy free Wi-Fi (at the coffee shop/airport/wherever), which is a good thing until WiFi 6 is rolled out to every AP and every device, as free Wi-Fi is now unencrypted. Of course, if the VPN provider sniffs everything, that is not good, so lesson: don't use free VPNs.
      • by AmiMoJo ( 196126 )

        It depends on the VPN, or more specifically how you paid for it.

        For example, Mullvad VPN doesn't need anything to sign up, not even an email address. It generates a random user account number for you. You can pay them anonymously, just send cash in an envelope with the account number written inside. That's what I do.

        It's not perfect, they could look at the IP address that account connects from, but perfect is the enemy of good here. Any random copyright troll will get nowhere, and even the police will be larg

        • by mi ( 197448 )

          I'd be genuinely interested to know what the failure mode is as I may need to adjust my opsec.

          In a word: "Subpoena".

          Police can compel the VPN-provider to allow them to monitor your traffic in real time, learning where else you're visiting using the same account, tying you to your Google, Quora (which insists on real names!), Facebook, and bank-accounts. Putting those records together, with the precise access timestamps, will identify you very quickly...

          Old-fashioned way they can also take your fingerprint

          • by rho ( 6063 )

            This.

            So long as you trust Mullvad to not change ownership, screw up or get subverted, you're probably as safe as one can get from the RIAA, Comcast, Disney, etc. I suppose, so gold star to you for that. But if you come under extreme scrutiny, your VPN habits won't be used to prosecute you, they'll be used to acquire a warrant, which is where the real evidence used against you will come from.

            All of those "100% anonymous, no-log" VPNs may as well be a neon sign to intelligence agencies that says "Look Here Fir

          • by AmiMoJo ( 196126 )

            The most they could do is monitor the VPN endpoint and see a load of encrypted traffic going to Google. Any attempt at MITM will be detected instantly.

            Timestamps are useless unless they are also monitoring your home internet connection already and you don't have enough traffic on it to obfuscate what goes where.

            This is some CSI Cyber grade stuff for the cops. Maybe MI5 or the FBI might be able to manage it but for €5/month I'll take that.

            • by mi ( 197448 )

              The most they could do is monitor the VPN endpoint and see a load of encrypted traffic going to Google.

              They don't need to know the content of the communication, just the fact of it. They would then ask Google, hey, who connected to your servers (identified by Google's IP-address(es)) at these times. Repeat for other services (Slashdot included) and look for overlap.

              The "useless" timestamps are quite useful, they will allow to filter you from millions of hits Google is getting per day down to a few seconds w

              • by AmiMoJo ( 196126 )

                Hmm, it still seems far fetched. Shared IP, lots of people use Google services, sites like Slashdot are served from a CDN so that IP address leads to hundreds or thousands of possibilities.

                I'm not saying it's impossible but it's so much effort that only someone with considerable resources, acting at state level and with a compelling reason to do so will bother. And once the UK is out of the EU it will be even harder for them.

                Tor is useful but slow, I can saturate my connection with Mullvad. What am I hiding?

      • Some VPNs were probably fighting for the good cause, but like in any market there will be people who will take advantage of it for less noble causes.

        With https becoming more common, the need for a VPN diminishes if anonymity over a wireless network is a concern. If the reason is for working around geo detection, then there is probably still a need.

      • It may protect your privacy online. Basically, you're trading your ISP as the entity knowing every connection you make for someone else.

        Depending on the ISP, this may actually improve your privacy level...

    • VPNs don't provide complete anonymity. They are useful to keep the local ISP from tracking traffic, injecting ads, trying DNS poisoning attacks, and other shenanigans. The traffic still has to pop out somewhere, and the VPN provider can easily collude with an ISP. However, it does provide some solid security, especially for Wi-Fi spots which demand E-mail addresses and other stuff before they give access.

  • So this news should shut them down completely I sure hope.

  • (...) a root certificate, a small file that lets its issuer access all traffic and data passing through a phone.

    ... what ??
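
Why the root certificate in the story matters, as an added example that is not part of the original report or thread: a TLS client accepts any certificate that chains to a root in its trust store, so the verdict on the same certificate flips once an extra root is installed. The names `platform-root`, `app-added-root` and `bank.example` are constructed, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate here is a throwaway
# generated locally; none of it comes from the apps in the story.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_root NAME: self-signed root CA (key + certificate) named NAME.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_leaf ROOT HOST: certificate for HOST signed by ROOT's key.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" \
    -CAkey "$work/$1.key" -CAcreateserial -days 1 \
    -out "$work/$2.pem" 2>/dev/null
}

# verdict STORE CERT: "accepted" if CERT chains to a root in STORE.
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# issuer_of CERT: who signed CERT (what a certificate viewer would show).
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

# verdicts: the same certificate judged against the trust store before
# and after the extra root is installed.
verdicts() {
  make_root platform-root     # stands in for the roots the OS ships
  make_root app-added-root    # stands in for the root the app installs
  issue_leaf app-added-root bank.example
  cp "$work/platform-root.pem" "$work/store-before.pem"
  cat "$work/platform-root.pem" "$work/app-added-root.pem" \
    > "$work/store-after.pem"
  echo "$(verdict "$work/store-before.pem" "$work/bank.example.pem")" \
       "$(verdict "$work/store-after.pem" "$work/bank.example.pem")"
}

echo "before/after installing the root: $(verdicts)"
echo "certificate issuer: $(issuer_of "$work/bank.example.pem")"
```

The issuer line is the practical check: a certificate for a well-known site that names an unfamiliar issuer means traffic is being re-signed by whoever holds that root's key, and removing the root from the device's user-installed certificates restores the "rejected" verdict.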
