A VPN, or virtual private network, is a service that allows users to obtain free information through a secure connection. The services typically hide one’s IP address and encrypt the data sent or received over the internet, diverting traffic through a remote server.
But a new report by VPN review site Top10VPN.com investigating the companies behind these apps has revealed something disturbing: The majority of the most popular free VPN apps trace their ownership to Chinese companies.
Many such apps either have privacy policies that explicitly say data can be collected and transferred to China or other third parties, vaguely worded policies that lack important security details, or in some cases, no policy at all.
Top10VPN.com found that 17 of the top 30 apps, or 59 percent, on the U.S. and U.K. Apple and Google app stores have links to China.
In total, Chinese-backed apps have more than 80 million total downloads on the Google Play store and over four million monthly downloads on Apple’s equivalent.
As these apps are available to download around the world, citizens everywhere who use these apps and rely on them as a secure way to surf the web on their smartphones are now vulnerable.
In China, where the Chinese Communist Party has broad power over all sectors of society, “these are risky apps to use regardless of their ownership. They are very poor products that lack proper privacy protections and are likely to leave them [Chinese netizens] exposed to government surveillance even as they consider themselves safe,” said Simon Migliano, head of research at Top10VPN.com, in an email.
Curiously, the Chinese regime enacted a ban that went into effect in March, prohibiting the use of non-government-approved VPNs. The only authorized VPNs are those provided by state-owned firms—and even those are restricted for use only by companies that require unrestricted internet access in order to do business.
While Beijing has recently cracked down on unauthorized VPN use within its borders, the Chinese-linked VPN apps investigated in the report—none of which are officially approved by Beijing—have been allowed to operate uninhibited.
To comply with the VPN ban, in July 2017, Apple removed all VPN apps from its China app store.
So “the only way a Chinese netizen could download these apps would be either via a VPN, or while overseas,” said Migliano. Similarly, while the Google Play store is blocked in China, a user could access it via VPN to download the apps.
As such, Top10VPN was unable to provide data on how many free VPN app users were from China.
Apple and Google are ultimately responsible for vetting the apps on their platform, Migliano said.
“This is a dereliction of duty from Apple and Google, whose lax controls are potentially leaving their customers open to wholesale data harvesting,” Migliano said in a press release.
According to the report, VPN apps are the most searched-for category of apps after major social-media platforms such as Facebook and gaming apps. But the majority of free VPN apps appearing in top search results go to great lengths to obscure their company information.
For example, three popular apps, VPN Master, Turbo VPN, and Snap VPN, are closely associated and trace back to three companies registered in Singapore but with links to China. They have a combined 14 million Android installs and 1.1 million Apple iOS installs.
One of the registered companies, Innovative Connecting, is owned by an influential Chinese entrepreneur, Chen Danian. Despite no public associations with the VPN company, Chen is listed as a director of the company in Singapore corporate filings, according to the report.
Chen is also founder and CEO of LinkSure Network, a publicly listed company in China. The company’s website names several connections to the Chinese regime: It is a member of the Internet Society of China, an association of private internet companies administered by Beijing’s censorship authority, the Cyberspace Administration. It’s also a participant of Beijing’s “poverty alleviation” efforts through internet connectivity, also initiated by the Cyberspace Administration.
Surprisingly, one of the apps, VPN Super Unlimited Proxy, traces to a company whose corporate address is located within a well-known tech incubator in Beijing: the Dongsheng Science and Technology Park.
Other VPN apps, such as Super VPN Free VPN Client, which has 50 million downloads on Android, have no website. Its registered address in Singapore is part of a university campus, and likely is fake.
The presence of such VPN developers is unsettling given that Chinese authorities have also jailed VPN operators for selling or developing “unauthorized” VPN software. As recently as October, a VPN developer was sentenced to a three-year suspended prison term.
In recent weeks, Chinese netizens who have used a VPN to access Twitter and post comments critical of the Chinese regime have been interrogated, arrest, and detained by local police. They were also forced to close down their accounts.