Earlier this week, a VPN comparison site released a white paper in which it criticized a number of VPNs. The research led to an article in The Register that claimed that using a number of Chinese-owned VPNs was tantamount to sending “your data to President Xi”. But what is the truth? And does the research hold any water?
First, the research paper focuses on a number of VPNs; some from Hong Kong, some Chinese, others from the US, Ukraine, Singapore, Bangladesh, and Israel. The research actually brings to light problematic VPN privacy policies pertaining to an international cross-section of providers: not just Chinese VPNs.
What’s more, on closer inspection it turns out that a number of the criticized “Chinese” VPNs are actually based in Hong Kong. A VPN from Hong Kong is not a VPN from China (even if it belongs to Chinese shareholders).
Hong Kong is politically and economically independent. And, Hong Kong is considered an excellent place for a VPN to be based (in terms of privacy), because it lacks any mandatory data retention directives, does not enforce widespread surveillance, and does not impose censorship or other aggressive anti-internet policies.
Despite this, Top10VPN lumps all Hong Kong-based VPN providers in with China - primarily using the argument that because they belong to Chinese nationals they must be frowned upon. Charming.
Full of holes
Further analysis of the “research” reveals that a number of the “Chinese” VPNs (and some from other nations) that are singled out actually have pretty good policies (on paper at least). Not only does the research mistakenly find fault with Hong Kong-based VPNs, but it also haphazardly misrepresents their policies. For example, in the intro, the study claims that:
“Several privacy policies explicitly stated that they share data with China.”
The implication here is that the VPNs are working with the Chinese government. However, when I analyzed the policies myself I found them to state nothing of the sort. Instead, the policies reveal that the VPNs may store or move some data onto Chinese servers (which is normal if they have central servers in China).
That does not explicitly mean that they are sharing data with the Chinese government. To claim it does is disingenuous.
Even more frustrating, where valid criticisms could be made about the VPNs, the study fails to do so - preferring to stick to inaccuracy and disinformation.
The VPNs in question
To properly understand my criticism of the study, let's take a closer look at some examples of the VPNs that Top10VPN finds fault with.
VPN Master Unlimited, Turbo VPN & Snap VPN
The research paper claims that these three VPNs are aliases for the same service. It also alleges that all three VPNs have links to Chinese firms and investors. This appears to be true.
However, while these VPNs' policy (they all have the same policy) is not fantastic and does state that data may be sent back to servers located in Singapore or China, this is no different to any other VPN that does the same. Many VPNs send data back to their central servers. The notion that by being Chinese this is somehow worse is false.
A closer look at the policy reveals that they all keep the following data:
"SDK/API/JS code version, browser, Internet service provider, IP address, platform, timestamp, application identifier, application version, application distribution channel, independent device identifier, iOS ad identifier (IDFA), Android ad master identifier, International Mobile Subscriber Identification Number(IMSI), iOS network card (MAC) address, and iOS international mobile device identification code (IMEI) The equipment model, email address, the terminal manufacturer, the terminal device operating system version, the session start / stop time, the location of the language, the time zone and the network state (WiFi and so on), the hard disk, the CPU, and the battery use"
That is, admittedly, extremely invasive and consumers would be advised to stay away from this VPN - even if it were based in Romania, Sweden, or some other VPN-friendly country.
Despite having some problem areas, however, I see no mention of usage logs or connection logs being stored alongside IP addresses. I also see no mention of data being sold to third parties. So we can conclude that this VPN policy is not that bad. Accusing these three VPNs of working for the Chinese government is completely unsubstantiated.
This VPN actually has a pretty good policy. Top10VPN's research shows it is based in Hong Kong - not China. That means it is not bound by the Chinese government's VPN laws that force providers to get an official government VPN license.
As previously mentioned, Hong Kong is considered one of the best places in the world for a VPN to be based. A quick look at the policy reveals that X-VPN comes close to having a zero logs policy. VPN usage is never stored, IP addresses are never stored, and the few noninvasive connection logs that are kept are stored for 4 days only.
Again, this is a Hong Kong-based VPN that is owned by a Chinese national. Its policy states that no usage logs are retained - but does admit to keeping connection logs. In addition, I have to presume that those connection logs are stored with IP addresses, which admittedly isn’t great.
In reality, however, the rest of what Top10VPN finds fault with boils down to the VPN provider admitting that it will cooperate with law enforcement if it is approached with a valid warrant. This is a common clause.
Even no-logs VPNs can be forced to give whatever little they have to the authorities. In fact, they can even be forced to start monitoring somebody if they are served a warrant to that effect - this is not something peculiar to X-VPN.
Being based in Hong Kong actually makes this much less likely to happen than in the US (where warrants and gag orders exist) for instance. Finally, no evidence exists of this VPN being a Chinese government honeypot, and the VPN policy does not claim it will monetize user data in any way; which is really good.
VPN for iPhone
If I had to make a criticism about this VPN, it would be that it is based in Bangladesh. Bangladesh is a far-from-ideal location for a VPN because the government is known to perform surveillance. That means the VPN could, in theory, be compromised (a reasonable criticism that Top10VPN never even bothers to mention).
The study continues in this vein throughout, making it a completely untrustworthy source. Some of the other VPN providers that deserve an honorable mention are SkyVPN, YogaVPN, VPN Private, ThunderVPN, VPN Melon, and #VPN - none of which have policies I would instantly flag up as troubling.
So what is going on? Well, arguably, some of the free VPNs mentioned in the study have policies that are too good to be true. Allow me to explain…
Running a VPN costs money. Keeping VPN servers up and running around the globe; maintaining those servers; updating the software; implementing up-to-date encryption; and having an active development team and customer care team - all cost money. For this reason, any VPN that doesn't charge a subscription fee should be eyed with caution.
Many of the VPNs mentioned in the study have unknown revenue streams, and that is suspicious because it is hard to determine whether they can be trusted. This is a valid point worth mentioning - that Top10VPN never acknowledges or even seems to notice.
To conclude, there is no evidence that any of the VPNs in the study share data with the Chinese government. The sad truth is that the study often claims that perfectly good policies are problematic - when they aren’t.
I wouldn’t necessarily recommend using any of the VPNs in the study (because there are many better ones on the market to choose from). However, when I’m confronted with research as bad as this, I find it only fair to draw attention to it. The VPN industry is already confusing enough for most people. The last thing we need is poor research adding to the problem. And for a respectable publication like The Register to peddle it, shame on them.