Are Free VPNs Safe for Privacy? What the Research Actually Shows
Most free VPNs fund themselves by treating users as the product — your browsing logs, device IDs, and sometimes plaintext traffic.
Are free VPNs safe for privacy? The short answer: most are not, and the reason is structural rather than incidental. A free VPN has no subscription revenue, so it needs another way to cover server costs, bandwidth, and staff. In most cases, that means you — your browsing history, device identifiers, and in some instances your plaintext traffic — become the product that funds the service.
This isn’t speculation. It has been documented repeatedly in independent research and confirmed by a string of data breaches at providers that publicly claimed to keep no logs at all.
What Independent Research Found
The most comprehensive academic analysis of the category comes from a 2016 collaboration among CSIRO, ICSI at UC Berkeley, and UNSW that examined 283 Android VPN apps ↗ drawn from a corpus of over 1.4 million Google Play apps. The findings were stark:
- 67% of apps contained third-party tracking libraries embedded in their source code
- 18% used unencrypted tunneling protocols, meaning traffic passed through the VPN server in plaintext
- 38% triggered at least one malware detection on VirusTotal; 4% triggered five or more
- 84% failed to tunnel IPv6 traffic, leaving a standard leak path open
- 66% did not tunnel DNS queries, so your ISP could still see every domain you visited
Two-thirds of the apps had tracker code baked in. Nearly one in five used no encryption at all. Those numbers invert the premise of what a VPN is supposed to do.
Subsequent breach records confirm the pattern continued well past 2016. In 2021, a cluster including SuperVPN and GeckoVPN was compromised, exposing over 21 million user records. In 2023, SuperVPN suffered a second major breach — 360 million records exposed. In 2020, seven Hong Kong-based providers that each claimed a strict no-logs policy collectively leaked 1.2 terabytes of data ↗ including plaintext passwords and detailed activity logs. If the no-logs policies had been real, those logs could not have existed.
How Free VPNs Actually Fund Themselves
Understanding the risk requires understanding the business model. Documented revenue streams include:
Data brokerage. The app collects browsing history, location data, device identifiers, and session timestamps and sells the dataset to ad networks or data brokers. Your traffic is the inventory, not the service.
Traffic injection. Some free VPNs insert JavaScript into unencrypted HTTP pages to serve their own advertisements. Because all traffic routes through their servers, they can modify it in transit.
TLS interception. Four of the 283 apps in the CSIRO study deployed man-in-the-middle TLS inspection. The app presents as a privacy tool while reading the HTTPS traffic it was supposed to protect.
Bandwidth resale. Some services sell your unused connection as a proxy node for other users. This was Hola VPN’s original model — users unknowingly provided exit nodes for commercial traffic and, in some cases, traffic from other Hola users conducting attacks.
Paid-tier upsells. The free version exists to push subscriptions. This is the least harmful model: the product is functional and the business incentive is acquisition, not extraction. Identifying which category a given app falls into requires reading the privacy policy carefully and checking for independent audits — documents most free VPN providers have never commissioned.
The Threat Models That Free VPNs Actually Fail
A VPN doesn’t provide privacy in isolation. It shifts traffic visibility from your ISP to the VPN operator. Whether that shift helps you depends on which entity you trust less and the specific threat you’re defending against.
Free VPNs fail on these threat models specifically:
Advertiser and tracker surveillance. If the VPN embeds third-party tracking libraries — true of 67% of apps in the CSIRO dataset — routing traffic through it adds a new tracker on top of existing ones.
Data broker profiling. If the provider actively sells your browsing history to data brokers, the VPN makes this threat worse, not better. Your ISP loses visibility but a data broker gains a packaged profile.
ISP DNS logging. If DNS queries aren’t tunneled through the VPN — true of 66% of tested apps — your ISP still sees every domain you visit. The core ISP-snooping use case is entirely defeated.
Public Wi-Fi attackers. A local network attacker can read unencrypted VPN traffic. The 18% of apps using no encryption at all offer zero protection here, despite marketing language about securing public Wi-Fi connections.
The threat model where a free VPN provides genuine protection is narrow: concealing your IP address from a specific destination site, for a short session, from a provider you’ve independently verified keeps no logs. That describes very few free offerings.
What to Use Instead
Paid VPNs with independently audited no-logs policies are the baseline recommendation from independent security researchers. The word “audited” matters: no-logs claims without a published third-party audit — by firms like Cure53, Securitum, Trail of Bits, or NCC Group — are marketing statements, not technical guarantees.
Criteria worth evaluating for any VPN:
- A published independent audit covering both the applications and server infrastructure
- Transparency reports or active warrant canaries documenting zero data disclosures to authorities
- Support for WireGuard or OpenVPN (auditable, open protocols with published specifications)
- A functioning kill switch that blocks all traffic if the VPN tunnel drops
- RAM-only servers, which eliminate persistent log storage by design — logs can’t be seized if they don’t exist on disk
Mullvad is consistently cited by independent privacy researchers because it accepts cash and Monero payments, requires no email address to register an account, and has completed multiple external audits. It does not run an affiliate program, which removes a financial incentive that can distort recommendations. ProtonVPN’s free tier operates under the same no-logs policy as its paid product and is funded by paid subscribers rather than data sales — a structural difference from most free offerings.
For broader cybersecurity news and surveillance-related developments, Techsentinel News ↗ aggregates reporting across the security beat. Readers tracking how AI systems interact with user data and the regulatory landscape around algorithmic surveillance can follow coverage at Neuralwatch.org ↗.
Sources
-
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (CSIRO / ICSI / UNSW / UC Berkeley, IMC 2016) — https://www.icir.org/vern/papers/vpn-apps-imc16.pdf ↗. The foundational peer-reviewed study: 283 Android VPN apps tested for encryption, DNS handling, tracking libraries, and malware. Source for the 67%, 18%, 38%, 84%, and 66% figures cited above.
-
Are free VPNs safe? Here’s what the research says — BitLaunch — https://bitlaunch.io/blog/are-free-vpns-safe/ ↗. Aggregates findings from the CSIRO paper alongside documented breach records including the SuperVPN and Hong Kong provider incidents.
-
Are free VPNs safe? 7 risks + how to protect your privacy — Norton — https://us.norton.com/blog/vpn/are-free-vpns-safe ↗. Documents additional risk categories including traffic injection, browser hijacking, and references Top10VPN’s antivirus scan findings across 100 free VPN apps.
Sources
Related
VPN Jurisdiction Compared 2026: Where Your Provider Is Based
Jurisdiction shapes what a VPN can be compelled to hand over. Switzerland, Sweden, Panama, and Gibraltar compared — and why it matters less than no logs.
What Makes a VPN Actually Private? 5 Things to Check
Not all VPNs protect your privacy equally. These five factors separate the ones that work from the ones that just claim to.
Best VPN for Streaming Netflix in 2026: 5 That Actually Work
Netflix blocks most VPNs on sight in 2026. According to independent testing from CyberInsider and PCWorld, only five survive consistent unblocking.