Study finds half of most popular VPN apps linked to China


More than half of the world’s 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.

Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a “virtual private network” (VPN), were owned either by Chinese companies or companies appearing to have links to China.

Collectively, the apps, which include TurboVPN, VPN Proxy Master, VPN 360 and Snap VPN, have been downloaded more than 100m times on Android devices and iPhones.

But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at Top10VPN.com, which reviews VPN services.

“We found a few apps that explicitly stated that users’ internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data,” he said.

“We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy.”

The integrity of VPN providers is critical because they route all of a user’s internet activity. Typically, these services are used by businesses, cyber security specialists, journalists and dissidents who wish to keep their connections to the internet safe and private.

“VPN providers control your traffic. They can inspect it, modify it, log it and have a very good idea of what it is you’re up to. Whoever can see your traffic has an enormous responsibility and you’re placing a huge amount of trust in them,” said Troy Hunt, an independent cyber security expert who formerly worked at Microsoft.

The Chinese-owned VPNs had been downloaded by users in the US, UK, Latin America, the Middle East and Canada. “The listings for these apps on app stores were so obviously shoddy and poor quality and full of inaccurate information, that it was blindingly obvious that Apple and Google weren’t looking at this,” Mr Migliano said.

“It’s pretty crazy that 60 per cent of apps we looked at didn’t have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you’d expect from an internet company trying to protect your privacy.”

Three of the apps — TurboVPN, ProxyMaster and SnapVPN — were found to have linked ownership. In their privacy policy, they noted: “Our business may require us to transfer your Personal Data to countries outside of the European Economic Area (“EEA”), including to countries such as the People’s Republic of China or Singapore.”

The datapoints collected by the apps included websites visited, IP address which includes user location, time and duration of browsing, independent device identifiers, and email address, among others.

One of the apps, VPN Patron, is owned by IST Media, a Hong Kong-based company that markets itself in China as a mobile advertising company that monetises users’ internet behaviour. The company said it “helps domestic and overseas customers access global mobile phone users. And help [sic] customers to monetise the most efficient traffic.” The firm claims among its customers Baidu, and Alibaba-owned UC browser.

Cyber security experts said it was ironic that many of these apps were Chinese-owned, given the Chinese government itself has cracked down hard on the use of VPN domestically.

Private VPNs are used by businesses in China to access uncensored news and blocked websites such as Google, as well as banned foreign email and file-sharing platforms. Last year, Beijing shut down most domestic commercial VPN services and Apple removed 674 VPN apps from its China App Store.

“The Chinese government’s basic attitude to VPN is similar to their attitude towards democracy, which is that they have no problem with it as long as they can predict the result,” said Professor Steve Tsang, Director of Soas China Institute.

Transferring consumer internet data to China could also mean that it is being stored in data servers that the Chinese government has access to, since all internet companies must comply with the government’s requests for data.

Apple faced concerns over government surveillance of user data when it announced it would open an iCloud datacentre in Guizhou, China. “Potentially, browsing and location information about Chinese dissidents based abroad and others [outside China] being seen as unfriendly to China, could be quite useful to them,” Professor Tsang said.

Google and Apple did not comment about the vetting process for these apps.

Zoomd Custom Site Search

Be the first to comment

Leave a Reply

Your email address will not be published.


*