Almost a third (30%) of the world’s top virtual private network (VPN) providers are secretly owned by six Chinese companies, according to a study by privacy and security research firm VPNpro.
The study shows that the top 97 VPNs are run by just 23 parent companies, many of which are based in countries with lax privacy laws.
Six of these companies are based in China and collectively offer 29 VPN services, but in many cases, information on the parent company is hidden to consumers.
Researchers at VPNpro have pieced together ownership information through company listings, geolocation data, the CVs of employees and other documentation.
In some instances, ownership of different VPNs is split amongst a number of subsidiaries. For example, Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows.
Although the ownership of a number of VPN services by one company is not unusual, VPNpro is concerned that so many are based in countries with lax or non-existence privacy laws.
For example, seven of the top VPN services are owned by Gaditek, based in Pakistan. This means the Pakistani government can legally access any data without a warrant and data can also be freely handed over to foreign institutions, according to VPNpro.
The ability to access the data held by VPN providers, the researchers said, could enable governments or other organisations to identify users and their activity online. This potentially puts human rights activists, privacy advocates, investigative journalists and whistleblowers in jeopardy.
This lack of privacy, the study notes, extends to ordinary consumers, who are also coming under greater government surveillance.
“We’re not accusing any of these companies of doing anything underhand. However, we are concerned that so many VPN providers are not fully transparent about who owns them and where they are based,” said Laura Kornelija Inamedinova, research analyst at VPNpro.
“Many VPN users would be shocked to know that data held on them could be legally requested by governments in countries such as China and Pakistan.
“Our recommendation is that people do a lot of due diligence on the VPN that they want to use, since they aren’t all created equal and simply using a VPN does not guarantee privacy or security.”
VPNpro identified a further four companies: Super VPN & Free Proxy, Giga Studios, Sarah Hawken, and Fifa VPN, which together own 10 VPN services – where the parent company, and therefore company of origin, is completely hidden.
In February 2019, two US senators raised concerns about this issue and the potential threat to consumers and government agencies, calling on the Department of Homeland Security to investigate the possibility that VPNs are allowing valuable information to be routed to foreign adversaries.
In a letter, Democrat Ron Wyden and Republican Marco Rubio asked Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA) under the DHS, to perform a VPN threat assessment to determine potential risks to the US government, SearchSecurity reported.
In a factsheet on VPNs, civil liberties and privacy group Big Brother Watch warns that VPN providers have the potential to see users’ internet activity, “but many paid for VPNs make it clear that they do not log any of their user’s traffic”.
This prevents VPN providers from giving a document of any of the websites users visit, the guidance states.
Big Brother Watch recommends that free VPNs should be avoided because they may not be secure and could track users.
“If you want to be sure your online activity stays private, make sure you choose a VPN which does not log your internet activity and online traffic,” the guidance says. “Not all VPNs are the same. Make sure you do your research before choosing a VPN.”