Free VPNs are one of the most dangerous things in the privacy space. Not because they don't work — but because people trust them while they actively undermine their privacy.
How Free VPNs Make Money
A VPN costs real money to operate: servers, bandwidth, staff. If you're not paying for the service, the service is being paid for by someone else. In most cases, that someone else is an advertiser buying your browsing data.
Several major free VPN providers have been caught doing exactly this:
- Hola VPN sold its users' bandwidth to a botnet, turning their devices into exit nodes for others' traffic.
- Opera's free VPN was found to log user data and share it with third parties despite claiming a "no-log" policy.
- UFO VPN and six other "no-log" VPNs were found to have a shared database of 1.2 terabytes of user logs exposed online in 2020.
The Kape Technologies Problem
Kape Technologies — formerly Crossrider, a company that made adware — has acquired multiple VPN brands including CyberGhost, Private Internet Access, and ExpressVPN. Understanding who owns a VPN matters as much as reading their privacy policy.
What to Look for in a VPN
Before trusting a VPN with your traffic, check these:
Independent audit. Has a third-party security firm audited their no-log claims? Mullvad, ProtonVPN, and IVPN have all published independent audits.
Jurisdiction. VPNs based in countries that are part of intelligence-sharing alliances (the Five Eyes, Nine Eyes, or Fourteen Eyes) can be compelled to hand over data. Mullvad is based in Sweden; ProtonVPN in Switzerland.
Ownership transparency. Who actually owns the company? A VPN bought by a holding company you've never heard of is a red flag.
VPNs Worth Paying For
If you're going to use a VPN, these are the ones with the strongest privacy records: Mullvad (accepts cash, no account required), ProtonVPN (Swiss-based, audited, transparent), and IVPN (small team, strong privacy focus).
The Bottom Line
A free VPN typically gives a corporation full visibility into everything you do online in exchange for masking it from your ISP. You haven't gained privacy — you've just changed who's watching you.