VPNs exist to ensure users' privacy and anonymity on the network. At least, this is what every single provider claims. In reality, however, some VPNs happen to be even more dangerous than an unprotected Internet connection. You should be aware of the security issues associated with VPN usage so that you can identify and avoid potentially harmful providers. In this post, we will talk about the major VPN security risks that may pose a threat to your privacy.
Below are the most dangerous security risks associated with VPN:
1. Questionable Logging Policy
Logging refers to data a VPN provider collects and stores when subscribers make use of its services. Potentially, this information can diminish user security since it retains details on what websites they visit, what information they share with other people, what files they download, etc. Such detailed records are known as usage or traffic logs.
The majority of VPNs avoid this kind of logging because this practice will definitely scare clients away. That said, some unscrupulous providers may secretly keep records of users' activities without even letting them know about it. Most often, this concerns free VPNs that earn money by selling mined data to third parties.
Along with traffic logging, there is also so-called metadata otherwise known as connection logs. These records may include information about the date and time of a VPN session, its duration, the amount of bandwidth consumed, as well as time of disconnection. Metadata logging is a common practice among VPNs since it helps them to provide troubleshooting, monitor the service usage, and keep track of simultaneously connected devices from a single account.
By itself, metadata is harmless because it doesn’t reveal any confidential information. At the same time, some providers include users’ actual IP addresses in connection logs. If this kind of logging is going on, your identity is at risk. Let’s say you downloaded a file from a torrent website. The website owner cannot see your real IP address; instead, it sees the IP address of your VPN provider. If a complaint coming to the VPN specifies the time, date, and size of the file downloaded, your service can figure out which user IP address made a connection and used the same amount of data at that specific time. Thus, it won’t be hard to identify a particular subscriber and turn him or her in to law enforcement agencies.
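The correlation described above can be reproduced on a few log records. This is an added example, not code from any provider: the log fields, accounts, IP addresses and the complaint are constructed, and `minimize` is a hypothetical data-minimised log format shown for contrast.

```python
from datetime import datetime

# Constructed connection logs (documentation IP ranges, made-up accounts).
LOGS = [
    {"account": "acct-1001", "source_ip": "203.0.113.10", "exit_ip": "198.51.100.7",
     "start": "2024-03-01T20:00:00", "end": "2024-03-01T21:30:00", "bytes": 734_003_200},
    {"account": "acct-1002", "source_ip": "203.0.113.55", "exit_ip": "198.51.100.7",
     "start": "2024-03-01T20:10:00", "end": "2024-03-01T20:40:00", "bytes": 52_428_800},
    {"account": "acct-1003", "source_ip": "203.0.113.90", "exit_ip": "198.51.100.7",
     "start": "2024-03-01T08:00:00", "end": "2024-03-01T09:00:00", "bytes": 720_000_000},
]
# Constructed complaint: VPN exit IP seen by the site, time of download, file size.
COMPLAINT = ("198.51.100.7", "2024-03-01T20:25:00", 700_000_000)

def match_complaint(logs, exit_ip, when, size):
    """Sessions on exit_ip that were active at `when` and moved at least `size` bytes."""
    t = datetime.fromisoformat(when)
    hits = []
    for rec in logs:
        active = datetime.fromisoformat(rec["start"]) <= t <= datetime.fromisoformat(rec["end"])
        # A record without a byte counter cannot be ruled out on size.
        enough = rec.get("bytes") is None or rec["bytes"] >= size
        if rec["exit_ip"] == exit_ip and active and enough:
            hits.append(rec)
    return hits

def minimize(logs):
    """Hypothetical minimised log: no account, no source IP, no bytes, day-level times."""
    out = []
    for rec in logs:
        day = rec["start"][:10]
        out.append({"exit_ip": rec["exit_ip"],
                    "start": day + "T00:00:00", "end": day + "T23:59:59"})
    return out

def identified_ips(logs):
    """Real client IPs the log holder could name for COMPLAINT."""
    return sorted({r["source_ip"] for r in match_complaint(logs, *COMPLAINT)
                   if "source_ip" in r})

if __name__ == "__main__":
    print("full connection logs:", identified_ips(LOGS))
    small = minimize(LOGS)
    print("minimised logs:", identified_ips(small),
          "out of", len(match_complaint(small, *COMPLAINT)), "indistinguishable records")
```

With source IP, precise timestamps and byte counts in the log, the complaint narrows to a single subscriber; without them, every session of that day on the exit IP matches and none carries an identity.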
2. Lack of integrity
This VPN security risk is closely related to logging. If you examine the websites of basically every commercial VPN provider, you will come across such wording as zero-logging policy. It implies that a service doesn’t implement any logs, neither connection nor traffic ones. However, if you dig a little deeper, the promise of no logging appears to be no more than a marketing gimmick.
For instance, the well-known VPN provider Hide My Ass declares ultimate confidentiality and no data logging, while the legal proceedings against a former HMA client prove otherwise. The provider turned over information about its subscriber that it shouldn’t have had in the first place. Unfortunately, Hide My Ass is not the only service that misleads customers and creates a false sense of security.
3. Non-Anonymous Payment Methods
A VPN that truly implements a no-logs policy won’t know about your web activities but, at the same time, it will know who its users are if they pay with a credit card or PayPal. In order to obtain a bank card or open a PayPal account, you need to provide confidential information including your name, address, and banking details. When you purchase a VPN, this data becomes known. Even if a provider doesn’t handle payments in-house, it is no trouble to tie a specific transaction to a VPN account.
Luckily, more and more providers are introducing anonymous payment via Bitcoin and gift cards. Together with a burner email and a pseudonym, such payment methods are able to keep your identity secret.
4. Privacy-Hostile Jurisdiction
Not many people realize it, but the location of a VPN’s headquarters matters. Some countries have privacy-friendly legislation while others force services to collect data regarding their users and share it with the authorities. Security-focused providers prefer to register in the former type of countries and avoid the latter.
Besides data retention laws, you should keep in mind the relation to the Five-Nine-Fourteen Eyes Union. Originally, the Five Eyes Treaty was concluded between 5 countries (the USA, the UK, Canada, Australia, and New Zealand) to share intelligence information. Later, more countries joined the spy alliance and formed the Nine Eyes (the above-mentioned nations plus the Netherlands, Denmark, Norway, and France). With time, the union expanded to 14 members (the Nine Eyes along with Belgium, Sweden, Germany, Spain, and Italy).
Since these alliances actively collect and share intelligence data, they are able to compel VPN services registered in the member countries to collect and turn over information regarding their clients. It is easy to guess that such providers won’t admit that spies are watching over their users’ shoulders.
At the same time, if a VPN is based outside surveillance-friendly states, it is able to carry out business as it sees fit without reporting to authorities. For this reason, many premium services operate from off-shore countries known as privacy paradises. For instance, NordVPN runs its network from Panama and ExpressVPN’s office is located in the British Virgin Islands. By the way, in 2017, ExpressVPN was involved in the high-profile case concerning the assassination of the Russian ambassador in Turkey. The Turkish authorities seized one of its servers to obtain information about alleged killers. It turned out that the provider had absolutely no records stored at that server. At least we know that some providers tell the truth about zero-logging.
5. VPN Leaking
The main goals of a VPN are to hide users’ identity and protect their online activities from inspection. Providers carry out this mission by hiding subscribers’ real IP addresses and encrypting their traffic. Today, every more or less reputable provider has strong encryption while foolproof IP concealing is a more challenging task.
A user’s IP address is instantly masked when he or she connects to a VPN server. Unfortunately, due to connection problems, misconfigurations, and errors, user data might become known. Subscribers may suffer from IP, DNS, and WebRTC leaks that carry the threat of identity exposure. If such a leak occurs and prying eyes intercept it, all other security measures will go down the drain. Just so you know the magnitude of the issue, one of the studies conducted in 2016 revealed that 84% and 66% of VPN apps for Android devices are not able to prevent IPv6 and DNS leaks, respectively.
Therefore, when choosing a VPN provider, make sure it has reliable protection against all types of leaks. In addition, there must be a Kill Switch in place. This tool immediately interrupts data transfer if a connection to a VPN server is lost.
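One way to check a connected machine for the IPv6 and DNS leaks mentioned above is to ask which interface the routing table would pick for ordinary traffic and for each DNS resolver. This is an added example, not taken from any VPN client: the `ip route` output, the resolver list and the tunnel name `tun0` are constructed samples, and only longest-prefix matching is modelled (route metrics are ignored).

```python
import ipaddress

# Constructed `ip route` / `ip -6 route` output: the VPN pushed two /1 IPv4 routes
# over tun0 but no IPv6 routes, and the LAN router is still listed as a resolver.
ROUTES_V4 = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23"""
ROUTES_V6 = """fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600"""
RESOLVERS = ["192.168.1.1", "10.8.0.1"]

def parse_routes(text, version):
    """Turn `ip route` lines into (network, interface) pairs."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue  # e.g. blackhole/unreachable entries without an interface
        dest = default if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match: the interface that would carry traffic to addr."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def find_leaks(routes_v4, routes_v6, resolvers, tunnel="tun0"):
    """Return (kind, address, interface) for every path that bypasses the tunnel."""
    routes = parse_routes(routes_v4, 4) + parse_routes(routes_v6, 6)
    leaks = []
    # Probe addresses are only looked up in the table; nothing is contacted.
    for kind, probe in (("ipv4", "1.1.1.1"), ("ipv4", "192.0.2.1"),
                        ("ipv6", "2001:db8::1")):
        dev = egress_dev(routes, probe)
        if dev is not None and dev != tunnel:
            leaks.append((kind, probe, dev))
    for resolver in resolvers:
        dev = egress_dev(routes, resolver)
        if dev != tunnel:
            leaks.append(("dns", resolver, dev))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(ROUTES_V4, ROUTES_V6, RESOLVERS):
        print("leak:", leak)
```

On the sample, IPv4 is fully tunnelled, yet IPv6 traffic and queries to the LAN resolver still leave through `wlan0`.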
The same study we mentioned above highlighted another VPN-related issue – malware. While some trustworthy providers introduce dedicated malware protection, other questionable services become a source of this malware. VPNs such as Betternet, Hola, and CrossVPN have been found to be dangerous for users. Along with that, almost 40% of tested services had signs of malware.
Apps from unscrupulous providers can infect your device with adware, Trojans, or spyware. It is annoying when ads pop up on your screen but this is the least harmful outcome. If VPN software injects traffic code into your browser, your provider will know everything about your browsing behavior. What’s even worse, most apps require permissions to access data stored on your device to operate normally. If you grant access, they may pry into your messages, account details, and even monitor passwords. While VPNs are supposed to protect you from cybercriminals, some questionable services may act as fraudsters.
7. Sensitive Data Trade
Free VPNs rarely use mined information on their own. More often than not, they sell data to whoever offers the best price. In most cases, those are advertisers. However, since we don’t know exactly who these third-parties are, this practice may pose a greater threat than one can imagine.
If online fraudsters get hold of sensitive information about you and your activities, do you think they will miss their chance to blackmail you, extort money, or even clean out your bank account? It is even possible that they will commit crimes while hiding behind your name.
Fortunately, the majority of paid VPNs are not involved in data trade because they value their reputation. As for free services, such practices are the only source of their income. It makes sense to stay away from no-charge VPNs because a dollar saved today may end up with everything lost tomorrow.
8. Botnet Infection
Some dishonest providers may use gullible users to build a botnet. Such an outcome is not just speculation; it is something that has already happened before. The infamous Hola VPN employed user devices to DDoS attack the infrastructure of online-operating businesses.
The threat posed by a peer-to-peer VPN is that its exit nodes are users’ actual IP addresses. Imagine that someone is using your bandwidth and IP address to commit online crime. It is you whom law enforcement agencies are going to go after. Even if you can prove your innocence, you would have to go through a lot of stress and headache you didn’t deserve. Is it worth it?
Unfortunately, when it comes to security, some VPNs just don’t live up to expectations. Extensive logging, questionable marketing tricks, poor jurisdiction, leaks, malware, and other issues may expose you to serious security risks. When your anonymity is at stake, you can’t trust the first VPN that comes along with alluring advertising.
Go ahead and check out these most secure VPNs that actually put their users’ security first. Thanks to years in business, excellent reputation, and transparent privacy, your security is in good hands.