Do you use a free VPN service to stream TV from overseas or hide your internet traffic? If so, there is a very good chance you are giving the VPN provider your personal data to do whatever they like with.

A recent investigation into free VPNs has uncovered some alarming statistics.

VPNs, or Virtual Private Networks, started life as a way to securely “dial in” to a remote network, usually so “road warriors” could connect to their workplaces from anywhere. However, in recent years the VPN has been repurposed to allow people to hide their internet activity or to access geo-blocked content by redirecting the user’s internet traffic through a remote server, which can be located anywhere in the world. For example, if you are using a VPN to watch BBC iPlayer, then the service will be passing your traffic through a server in the UK.

Here's the problem.  When you use a VPN, you are sending all your data through someone else’s server.  It's often very difficult to tell who that person is, or what they plan to do with your precious information.

A recent investigation (carried out by Metric Labs’ Top10VPN) showed that of the top 20 free VPN applications available on Apple’s AppStore and Google’s Play Store, 86% were found to have substandard security policies that failed to disclose how customers’ data was being used. 59% are either Chinese-backed or actually based in China, while the most popular non-Chinese services, each with millions of users, are based in Ukraine and Israel.  This means that the vast majority of free VPN users are not protected by the GDPR, and are sending their personal information to third parties, with no idea how that information is going to be used, or indeed what information is being collected.

And it is being collected, and then its being sold. 

When evaluating whether to use a free service or paid one, remember one of the internet’s oldest aphorisms: “If it's free online, then you are the product”. Selling your data is the keystone of their business model.

While some of these services may well be legitimate, many of them may not be. For example, 64% had no dedicated website, and 55% were hosting their privacy policies in “an amateur fashion” (on free WordPress sites, or in plain text files on Pastebin, Amazon servers or simply on raw URLs, using an IP address instead of a domain name). For over half, the only contact information was a Gmail, Hotmail or Yahoo! address, and only 17% of support requests were answered.

In addition, most of the services seemed to be going out of their way to obfuscate any ownership or location information, and for some this info was either non-existent or impossible to find.

So millions and millions of users are directing a good portion of their internet traffic through the servers of companies or individuals whose business is not to provide VPN services, but rather to gather up as much user information as possible (with no real limits on what they can do with it),  bundle it up and then sell it to whoever will pay.

Not all VPN providers operate in this way though.  There are many safe, secure and trustworthy providers out there, whose business actually is to provide VPN services. But you do have to be willing to pay them.