You Are the Product: The Price of Free in the Growing Privacy Industry
In an Internet world dominated by Facebook and Google, most people understand the phrase “If you aren’t paying for it, you are the product.” What people don’t understand is that this concept has also landed on the shores of the privacy industry. History has proven that as any industry becomes “hot,” marketers will inevitably enter it. Companies that have demonstrated little regard for privacy are now using misleading marketing messages to tout their free privacy services, all the while supporting themselves through advertising and selling user data. This leads to important questions, such as why did Facebook pay $120 million to buy a free VPN app? Why did a popular free browser proxy turn its free users into a botnet for hire? And, what’s next?
To stay protected users must give access to more information, resulting in a privacy paradox.
The Privacy Paradox
The arrival of marketers in the privacy industry is especially disturbing, since privacy products require a more intimate relationship with users than other free products. Users must relinquish control in order for providers to protect them against external threats. To stay protected users must give access to more information, resulting in a “privacy paradox.”
Think of it this way: You hire a house sitter. In order for them to protect your home, you must give them extra access to it (keys, alarm codes, valuable items in the house). There is a level of trust involved, as you expect they will not steal your things or throw a party.
VPNs are a great example of the privacy paradox. VPN users must send all their network traffic through the VPN provider in order to be protected from malicious third parties. But as a result, VPN providers can see a great deal of information about you, including:
Every website you visit
Unencrypted email content
Who you are emailing
What applications you are using
When you are online
How long you are online
Who talks to you
How Much is Your Privacy Worth?
In a popular new marketplace like the privacy industry, most new companies are looking for the quickest way to build market share and sell high. Building a large user base with free apps is a quick way to grow market share, but to justify the value of the company for sale (not the service) free users have to make money. If the user doesn’t pay the company, the only other value they bring is their data. As a result, in the online privacy industry you can become the product in many ways including through network manipulation, selling the insides and advertising. Is the price you’re paying in data worth it to you?
User Network Manipulation
These sites offer free privacy services, then manipulate network activity of users.
Hola claims it offers “secure browsing” to its over 55 million users, but was recently revealed to be selling the bandwidth of its free users without their knowledge. As explained by LifeHacker, “the company is selling the bandwidth of Hola users to anyone with money to buy, effectively turning its users into a botnet for hire.”
Should Hola free users trust a company that security researchers say is a “poorly secured” service? Others say that Hola allows you to “be tracked across the internet, no matter what you do” and they let “anybody execute programs on your computer.” Should users trust a company that promises to change its ways, but only after an uproar from the general public?
Most Internet users don’t understand that Web proxies don’t encrypt your entire Internet connection and they view (and possibly record) every URL you visit. Many proxies also modify web code to inject ads, and some even ban HTTPS traffic which “could be because they want you to use HTTP so they can analyze your traffic and steal your logins.” A recent investigation looked at 443 free proxies and revealed that 79% of them were “shady.” With proxies you get what you pay for – and sometimes more.
Opera is a browser that offers fast and secure access to the web. Opera recently started offering a free built-in VPN to users, which is advertised as an “important privacy improvement.” This feature is marketed as a “Browser VPN,” but as github points out it’s actually a proxy: “This Opera “VPN” is just a preconfigured HTTP/S proxy protecting just the traffic between Opera and the proxy, nothing else. It’s not a VPN.” Proxies are inherently less secure than VPNs, and Help Net Security expressed concern over this misleading marketing messaging: “While Opera may have done this little tweak of definitions with the best intentions, end users should understand that this free service by Opera is nowhere near the security provided by a real VPN solution.”
Opera also owns SurfEasy, a VPN company out of Canada. Their approach to advertising and lack of transparency highlights the importance of going beyond the marketing message to ensure you understand the privacy product and the company’s business model.
Free VPN Apps: “Selling the Insides”
Companies acquiring VPN apps to collect analytics about free users is a disturbing trend in the VPN industry.
Facebook – Onavo
Facebook bought a VPN app called Onavo in 2013. Why would Facebook buy a VPN app? As reported on All Things D, it gives Facebook insight into app data usage: “The way Onavo’s apps work, it requires basically getting information across all of your smartphone’s actions. So in a nutshell, if Facebook can extend that sort of deep analytics to the billion-plus users on its network, it will give the company a massive amount of insight into how people use their smartphones.”
As a recent Wall Street Journal article reveals, Facebook using Onavo to collect a vast amount of data, and making decisions based on these insights: “Interviews with more than a dozen people familiar with Facebook’s use of Onavo data show in detail how the social-media giant employs it to measure what people do on their phones beyond Facebook’s own suite of apps. That information shapes Facebook’s product and acquisition strategy—furthering its already formidable competitive edge, the people said.”
VPN functionality gives Facebook visibility into the network connection for the entire phone, including URLs and app traffic. Consequently, Facebook can examine user activity for their own purposes. Onavo is one of the more egregious examples of the privacy paradox. Free users are expecting the VPN to protect them, but likely aren’t aware the VPN app’s business model compromises their expectation of privacy.
App Annie – VPN Defender
VPN Defender regularly ranks as a Top 10 downloaded VPN app in App Stores, but it’s owned by App Annie, a business intelligence and analytics company. Why would an app analytics company backed by Silicon Valley venture capitalists own a VPN app? TechCrunch speculated that App Annie via VPN Defender “could become the go-to resource for mobile app data that has been otherwise impossible to collect via a third party following Onavo’s exit, which left a gaping hole in the market.”
Users think they have found a free way to protect themselves online, but may have exposed data about their apps, visited websites, unecrypted emails and other network traffic passing through App Annie’s VPN servers. Presumably App Annie incorporates this user data to sell the analytics data to third parties, including the Venture Capitalists that are looking for the next big app to invest in. Consumers should beware of free VPN apps that collect, analyze and share your data with third parties – a practice known as “selling the insides.”
AVG – Hide My Ass!
What’s more concerning is that AVG recently bought Hide My Ass!, a VPN provider offering users “total privacy and protection.” If AVG’s antivirius product is being called “spyware,” can Hide My Ass! VPN users trust AVG to respect their privacy?
Consumers should beware of free VPN apps that collect, analyze and share their data with third parties – a practice known in the analytics industry as selling the insides
It’s Private…But We Advertise
Some free services’ business models are based around selling ads and showing these ads to users.
Ouch. While free users may understand their privacy is compromised when using an ad-supported product, Hotspot Shield has taken things to a whole new level by applying invasive practices to paid users AND by being dishonest. It’d doubt that free or paid users of VPN products expect their privacy to be compromised in this manner.
Betternet is a free VPN service that states they are “a free service and will be free forever.” They support their business by asking user to install “free apps that are recommended inside the Betternet app, [which] covers the cost of keeping our service alive.”
A VPN that is “free forever,” and they appear to be transparent about their business model. Sounds great, right? But if you dig deeper it appears that Betternet is owned by another VPN company, VPN In Touch, although this fact is not advertised on their site. It appears they changed their information in the Android and iOS app stores in January of 2015, removing all mentions of this affiliation. Betternet’s Amazon listing includes an email address from VPN In Touch, also indicating the companies are affiliated.
Betternet seems to be transparent about its ad-supported business model, but doesn’t include information about who they are, their experience or where they are located. Free users should try to understand who is behind the product before trusting it.
AdBlock is a popular ad-blocking service with over 200 million downloads. A competitor criticized AdBlock for moving from an open source project to closed source, recording unique user IDs and settings and monetizing users by partnering with privacy company Disconnect.me. AdBlock was recently sold, but “won’t disclose who it’s been sold to, why it was sold, or how much it was sold for.” AdBlock also started allowing advertisers to unblock ads to display to its user base.
In 2014, it was reported that Avast, a leading antivirus provider and browser extension, was spying on its users. Although the company advertises “The golden standard in PC security, keeping you safe online and offline” and services that stop spyware, the company was revealed to be spying on user browsing (recording every site you visit) and inserting ads – without the knowledge and consent of the user. This security issue has since been changed.
Ghostery’s “Ghostrank” feature allows users to block ads and the online tracking associated with them. Ghostery is a positive example in that they are transparent about their practices, and Ghostrank is opt-in. If you opt-in to this feature, however, Ghostery will sell data about what ads you block.
Ghostery is owned by Evidon (formerly called Better Adverting). As pointed out by MIT Technology Review, Ghostery is selling information to the exact industry it claims to be protecting users from: “Yet some of those who advocate Ghostery as a way to escape the clutches of the online ad industry may not realize that the company behind it, Evidon, is in fact part of that selfsame industry.”
Yik Yak is a messaging app that allows you to share “your thoughts with people around you while keeping your privacy.” Ars Technica revealed that several people have been arrested due to statements posted on the app. Turns out that Yik Yak records an alarming amount of data, including your IP address, GPS coordinates, time and date of message, unique ID and sometimes your phone number. It may be free and social, but it does not protect user privacy.
Ello is a privacy-focused social network, with a manifesto including the line “you are not the product.” However, the CS Monitor points out that Ello “catalogs Ello pages users access, users’ IP address, sites that refer users to Ello, general geographic location, the e-mail and username for each account, and users’ device information,” causing CS Monitor to claim that “much of that data can still be used to identify users and their online activities.”
Ello may be trying to be anti-Facebook, but it appears to have a long way to go to protect its free users.
Is Your Privacy Provider Trustworthy?
There are a few things you can do to avoid becoming the product, the most important being to determine if your provider is trustworthy. Just like you wouldn’t hire a stranger off the street to watch your house, you shouldn’t hire an unknown or shady privacy company. Getting to know your company means doing some research, and asking the following:
If it’s free, what’s the business model?
Investigate how the company makes money to support itself, especially if they offer free products. If their business model isn’t clear then its likely “you” they’re selling.
Who is the company?
Beware of policies that are vague or convoluted, or where you cannot understand clearly what information they are collecting from you.
Do they allow you to opt-out of their data collection?
Or are you automatically opt-ed in (a practice called implicit opt-in)? It’s important to understand how the company will use your data from the moment you sign up – and what control, if any, you have over this data collection.
It’s All About Transparency and Trust
Transparency builds trust. Trusted privacy providers do exist so it’s essential to take the time to get to know the privacy company you are doing business with. At Golden Frog we uphold a high level of transparency and trust, and are very clear about the information we collect and how we use it. Golden Frog operates on a “freemium” business model, which allows us to offer both free and paid products without selling user data. We never sell your data to third parties. Our free plans exists so users can try our services and determine for themselves if they want to buy a paid plan. At Golden Frog you are never, ever, the product.
Please read our Vision Paper: “Peace, Prosperity & the Case for the Open Internet” or visit our About Us to learn more.
- Hola Better Internet Sells Your Bandwidth, Turning Its VPN into a Botnet
- Adios, Hola: Researchers say it’s time to nix the ‘poorly secured’ service
- Users of free VPN Hola vulnerable to hacking, researchers warn
- The recent events on the Hola network – blog post by Ofer Vilenski, Hola CEO
- Free Proxies
- Analyzing 443 free proxies – Only 21% are not shady
- Facebook – Onavo
- Facebook’s $120 Million Onavo Buy Comes With Lots of Upside
- App Annie – VPN Defender
- App Annie Fills The Void Left By Facebook’s Onavo Acquisition With Its New Company Smart Sense
- AVG – Hide My Ass!
- AVG can sell your browsing and search history to advertisers
- AVG Acquires Privax, a Global Leader in Personal Privacy Solutions
- Hotspot Shield
- How betternet works
- Amazon Listing: Unlimited Free VPN by betternet
- Adblock Plus
- Which is better, Adblock or Adblock Plus?
- Adblock extension with 40 million users sells to mystery buyer, refuses to name new owner
- Avast Antivirus Was Spying On You with Adware (Until This Week)
- Was Avast Antivirus Spying on Users?
- Ad-Blocker Ghostery Actually Helps Advertisers, If You “Support” It
- A Popular Ad Blocker Also Helps the Ad Industry
- Yik Yak
- Want attention and jail time? Post a violent threat on Yik Yak
- Yik Yak – Legal
- Ello ads pan online targeting. Here’s what experts say about its privacy practices