You Are the Product: The Price of Free in the Growing Privacy Industry

In an Internet world dominated by Facebook and Google, most people understand the phrase “If you aren’t paying for it, you are the product.” What people don’t understand is that this concept has also landed on the shores of the privacy industry. History has proven that as any industry becomes “hot,” marketers will inevitably enter it. Companies that have demonstrated little regard for privacy are now using misleading marketing messages to tout their free privacy services, all the while supporting themselves through advertising and selling user data. This leads to important questions, such as why did Facebook pay $120 million to buy a free VPN app? Why did a popular free browser proxy turn its free users into a botnet for hire? And, what’s next?

The Privacy Paradox

The arrival of marketers in the privacy industry is especially disturbing, since privacy products require a more intimate relationship with users than other free products. Users must relinquish control in order for providers to protect them against external threats. To stay protected users must give access to more information, resulting in a “privacy paradox.”

Think of it this way: You hire a house sitter. In order for them to protect your home, you must give them extra access to it (keys, alarm codes, valuable items in the house). There is a level of trust involved, as you expect they will not steal your things or throw a party.

VPNs are a great example of the privacy paradox. VPN users must send all their network traffic through the VPN provider in order to be protected from malicious third parties. But as a result, VPN providers can see a great deal of information about you, including:

  • Every website you visit
  • Text of unencrypted email
  • Who you are emailing
  • What applications you are using
  • When you are online
  • How long you are online
  • Who talks to you
  • Your location

How Much is Your Privacy Worth?

In a popular new marketplace like the privacy industry, most new companies are looking for the quickest way to build market share and sell high. Building a large user base with free apps is a quick way to grow market share, but to justify the value of the company for sale (not the service) free users have to make money. If the user doesn’t pay the company, the only other value they bring is their data. As a result, in the online privacy industry you can become the product in many ways including through network manipulation, selling the insides and advertising. Is the price you’re paying in data worth it to you?

User Network Manipulation

These sites offer free privacy services, then manipulate network activity of users.

  • Hola

    Hola claims it offers “secure browsing” to its over 55 million users, but was recently revealed to be selling the bandwidth of its free users without their knowledge. As explained by LifeHacker, “the company is selling the bandwidth of Hola users to anyone with money to buy, effectively turning its users into a botnet for hire.”

    Should Hola free users trust a company that security researchers say is a “poorly secured” service? Others say that Hola allows you to “be tracked across the internet, no matter what you do” and they let “anybody execute programs on your computer.” Should users trust a company that promises to change its ways, but only after an uproar from the general public?

  • Free Proxies

    Most Internet users don’t understand that Web proxies don’t encrypt your entire Internet connection and they view (and possibly record) every URL you visit. Many proxies also modify web code to inject ads, and some even ban HTTPS traffic which “could be because they want you to use HTTP so they can analyze your traffic and steal your logins.” A recent investigation looked at 443 free proxies and revealed that 79% of them were “shady.” With proxies you get what you pay for – and sometimes more.

  • Opera

    Opera is a browser that offers fast and secure access to the web. Opera recently started offering a free built-in VPN to users, which is advertised as an “important privacy improvement.” This feature is marketed as a “Browser VPN,” but as GitHub points out it’s actually a proxy: “This Opera “VPN” is just a preconfigured HTTP/S proxy protecting just the traffic between Opera and the proxy, nothing else. It’s not a VPN.” Proxies are inherently less secure than VPNs, and Help Net Security expressed concern over this misleading marketing messaging: “While Opera may have done this little tweak of definitions with the best intentions, end users should understand that this free service by Opera is nowhere near the security provided by a real VPN solution.”

    Opera also owns SurfEasy, a VPN company out of Canada. Their approach to advertising and lack of transparency highlights the importance of going beyond the marketing message to ensure you understand the privacy product and the company’s business model.

Free VPN Apps: “Selling the Insides”

Companies acquiring VPN apps to collect analytics about free users is a disturbing trend in the VPN industry.

  • Facebook – Onavo

    Facebook bought a VPN app called Onavo in 2013. Why would Facebook buy a VPN app? As reported on All Things D, it gives Facebook insight into app data usage: “The way Onavo’s apps work, it requires basically getting information across all of your smartphone’s actions. So in a nutshell, if Facebook can extend that sort of deep analytics to the billion-plus users on its network, it will give the company a massive amount of insight into how people use their smartphones.”

    As a recent Wall Street Journal article reveals, Facebook is using Onavo to collect a vast amount of data, and is making decisions based on these insights: “Interviews with more than a dozen people familiar with Facebook’s use of Onavo data show in detail how the social-media giant employs it to measure what people do on their phones beyond Facebook’s own suite of apps. That information shapes Facebook’s product and acquisition strategy—furthering its already formidable competitive edge, the people said.”

    VPN functionality gives Facebook visibility into the network connection for the entire phone, including URLs and app traffic. Consequently, Facebook can examine user activity for their own purposes. Onavo is one of the more egregious examples of the privacy paradox. Free users are expecting the VPN to protect them, but likely aren’t aware the VPN app’s business model compromises their expectation of privacy.

  • App Annie – VPN Defender

    VPN Defender regularly ranks as a Top 10 downloaded VPN app in App Stores, but it’s owned by App Annie, a business intelligence and analytics company. Why would an app analytics company backed by Silicon Valley venture capitalists own a VPN app? TechCrunch speculated that App Annie via VPN Defender “could become the go-to resource for mobile app data that has been otherwise impossible to collect via a third party following Onavo’s exit, which left a gaping hole in the market.”

    Users think they have found a free way to protect themselves online, but may have exposed data about their apps, visited websites, unencrypted emails and other network traffic passing through App Annie’s VPN servers. Presumably App Annie incorporates this user data to sell the analytics data to third parties, including the Venture Capitalists that are looking for the next big app to invest in. Consumers should beware of free VPN apps that collect, analyze and share your data with third parties – a practice known as “selling the insides.”

  • AVG – Hide My Ass!

    AVG is the third-largest antivirus company in the world. AVG recently updated their privacy policy in order to sell the data of their free users: “[s]ecurity firm AVG can sell web search and browser history data to advertisers in order to “make money” from its free antivirus software, a change to its privacy policy has confirmed.”

    What’s more concerning is that AVG recently bought Hide My Ass!, a VPN provider offering users “total privacy and protection.” If AVG’s antivirus product is being called “spyware,” can Hide My Ass! VPN users trust AVG to respect their privacy?

It’s Private…But We Advertise

Some free services’ business models are based around selling ads and showing these ads to users.

  • Hotspot Shield

    Hotspot Shield is a VPN provider that displays ads to its free users as part of its business model. However, advertisers typically want to be able to target particular sets of users, and to do so require the advertising platform to monitor user activity. Hotspot Shield’s privacy policy has some disturbing statements, and Hotspot Shield doesn’t consider IP addresses or the collection of a unique identifier as “personal information.” They also “may use automatically-collected information to identify your general location, improve the Service, or optimize advertisements displayed through the Service.” In August of 2017, a claim was filed to the FTC against Hotspot Shield, accusing them of unfair and deceptive business practices. The company has been accused of outright lying in messaging, not only selling and sharing user data but also redirecting traffic to partner sites.

    Ouch. While free users may understand their privacy is compromised when using an ad-supported product, Hotspot Shield has taken things to a whole new level by applying invasive practices to paid users AND by being dishonest. I’d doubt that free or paid users of VPN products expect their privacy to be compromised in this manner.

  • Betternet

    Betternet is a free VPN service that states they are “a free service and will be free forever.” They support their business by asking users to install “free apps that are recommended inside the Betternet app, [which] covers the cost of keeping our service alive.”

    A VPN that is “free forever,” and they appear to be transparent about their business model. Sounds great, right? But if you dig deeper it appears that Betternet is owned by another VPN company, VPN In Touch, although this fact is not advertised on their site. It appears they changed their information in the Android and iOS app stores in January of 2015, removing all mentions of this affiliation. Betternet’s Amazon listing includes an email address from VPN In Touch, also indicating the companies are affiliated.

    Betternet seems to be transparent about its ad-supported business model, but doesn’t include information about who they are, their experience or where they are located. Free users should try to understand who is behind the product before trusting it.

  • AdBlock

    AdBlock is a popular ad-blocking service with over 200 million downloads. A competitor criticized AdBlock for moving from an open source project to closed source, recording unique user IDs and settings and monetizing users by partnering with privacy company Disconnect.me. AdBlock was recently sold, but “won’t disclose who it’s been sold to, why it was sold, or how much it was sold for.” AdBlock also started allowing advertisers to unblock ads to display to its user base.

  • Avast

    In 2014, it was reported that Avast, a leading antivirus provider and browser extension, was spying on its users. Although the company advertises “The golden standard in PC security, keeping you safe online and offline” and services that stop spyware, the company was revealed to be spying on user browsing (recording every site you visit) and inserting ads – without the knowledge and consent of the user. This security issue has since been changed.

  • Ghostery

    Ghostery’s “Ghostrank” feature allows users to block ads and the online tracking associated with them. Ghostery is a positive example in that they are transparent about their practices, and Ghostrank is opt-in. If you opt-in to this feature, however, Ghostery will sell data about what ads you block.

    Ghostery is owned by Evidon (formerly called Better Advertising). As pointed out by MIT Technology Review, Ghostery is selling information to the exact industry it claims to be protecting users from: “Yet some of those who advocate Ghostery as a way to escape the clutches of the online ad industry may not realize that the company behind it, Evidon, is in fact part of that selfsame industry.”

It’s Free. It’s Social. But It’s Not Private.

Social networks want to be the anti-Facebook, but can free users trust their business models?

  • Yik Yak

    Yik Yak is a messaging app that allows you to share “your thoughts with people around you while keeping your privacy.” Ars Technica revealed that several people have been arrested due to statements posted on the app. Turns out that Yik Yak records an alarming amount of data, including your IP address, GPS coordinates, time and date of message, unique ID and sometimes your phone number. It may be free and social, but it does not protect user privacy.

  • Ello

    Ello is a privacy-focused social network, with a manifesto including the line “you are not the product.” However, the CS Monitor points out that Ello “catalogs Ello pages users access, users’ IP address, sites that refer users to Ello, general geographic location, the e-mail and username for each account, and users’ device information,” causing CS Monitor to claim that “much of that data can still be used to identify users and their online activities.”

    Ello may be trying to be anti-Facebook, but it appears to have a long way to go to protect its free users.

Is Your Privacy Provider Trustworthy?

There are a few things you can do to avoid becoming the product, the most important being to determine if your provider is trustworthy. Just like you wouldn’t hire a stranger off the street to watch your house, you shouldn’t hire an unknown or shady privacy company. Getting to know your company means doing some research, and asking the following:

  • If it’s free, what’s the business model?

    Investigate how the company makes money to support itself, especially if they offer free products. If their business model isn’t clear then it’s likely “you” they’re selling.

  • Who is the company?

    It’s important to know who you’re doing business with, so you can assess their privacy policy and trustworthiness. Is it clear who you’re doing business with, or is the company actually owned by someone else? Is that fact common knowledge or hidden? If the company is dodgy about their ownership or keeps it hidden, there may be a reason they don’t want you to know.

  • Is their privacy policy understandable?

    Beware of policies that are vague or convoluted, or where you cannot understand clearly what information they are collecting from you.

  • Do their marketing messages contradict their privacy policy and business model?

    Do the marketing claims line up with the text in the company’s privacy policy? Oftentimes, the shiny marketing messages do not accurately reflect the company’s practices.

  • Do they allow you to opt-out of their data collection?

    Or are you automatically opted in (a practice called implicit opt-in)? It’s important to understand how the company will use your data from the moment you sign up – and what control, if any, you have over this data collection.

It’s All About Transparency and Trust

Transparency builds trust. Trusted privacy providers do exist so it’s essential to take the time to get to know the privacy company you are doing business with. At Golden Frog we uphold a high level of transparency and trust, and are very clear about the information we collect and how we use it. Golden Frog operates on a “freemium” business model, which allows us to offer both free and paid products without selling user data. We never sell your data to third parties. Our free plans exist so users can try our services and determine for themselves if they want to buy a paid plan. At Golden Frog you are never, ever, the product.

Please read our Vision Paper: “Peace, Prosperity & the Case for the Open Internet” or visit our About Us to learn more.

Sunday Yokubaitis

Sunday has been president of Golden Frog since its founding in 2009, and guides the company's global strategy and vision. He is honored to work with a team that's committed to delivering a secure and open Internet experience to people around the world.
