The FTC is warning users to read the fine print and do their homework before purchasing a VPN app, as users could be opening themselves up to the very exploits they are looking to avoid.
The consumer protection agency cited a report which studied 300 VPN apps and found that many of the applications didn't use encryption and requested sensitive information or unexpected privileges, according to a Feb. 22 blog post. Some of the apps even sold user information to third parties to serve advertisements or to analyze user data to see how people are using particular sites and services.
Before downloading a VPN application, the agency recommends users research the VPN app they are looking to download to make sure the app will deliver the security and privacy that it promises. That includes reviewing the permissions that the app will request during installation or at the time of use. Users should be concerned if an app requests particularly sensitive permissions such as permission to read text messages.
These kinds of actions put users at risk of exposing their information to the very forces that led them to use a VPN in the first place, for example to seek anonymity.
Consumers should also understand that VPN apps generally don't make users entirely anonymous.
“Instead, the app will typically obscure the content of your traffic from your internet service provider or public Wi-Fi provider, shifting trust from those networks to the VPN app provider,” the report said. “In addition, sites you visit may be able to determine that you are using a VPN app, and can still use any identifying information you directly share with them (for example, filling out a form with your email address) to track you.”
Even VPNs promoted by trusted brands could defeat the purpose of using one, NordVPN researchers warn. Earlier this month, the firm reported that Facebook's Onavo VPN collected user data.
“The purpose of a VPN is to provide its users with online privacy and security by encrypting all data exchanged between a user's device and a VPN server. Reputable VPNs do not keep any user logs,” NordVPN Chief Management Officer Marty P. Kamden said in a Feb. 15 press release. “Unfortunately, Facebook's VPN seems to do the opposite – its goal is data collection, while it's disguised as a privacy tool.”
While the VPN establishes an encrypted tunnel to reroute the traffic, researchers noted that a privacy-focused VPN will never monitor the online habits of its users by keeping activity logs, even under the guise of using the data to help improve services.
Kamden said this discredits VPNs and deprives people of the online protection that they need, especially when using VPNs in countries where freedom of speech is restricted. The problem ultimately stems from users not knowing how or where the data is used.