Anything but safe: Using VPN can bear immense risks

Business Sunday 21/September/2025 14:47
By: DW

Berlin: Living in an authoritarian state and still wanting to obtain objective information about conditions in your country is not an easy undertaking. Oppositional media outlets are often banned, and foreign websites are frequently blocked.

For hundreds of millions of users, VPN connections (VPN is short for virtual private network) are the solution: the user's real IP address is hidden from the sites they visit and their traffic is encrypted on the way to the VPN server. This combination enables users to access blocked websites and exercise their right to freedom of the press and information.

This is why VPNs are illegal or at least heavily restricted in countries such as China, Russia, Belarus, Iran, and North Korea. People who use them in these states do so secretly and expect their provider to handle the resulting data discreetly as well.

However, a comprehensive study by the Open Technology Fund, an independent non-profit organisation dedicated to promoting global internet freedom, has recently revealed alarming shortcomings among some VPN providers. In the worst case, these risks could send users to prison.
Chinese control
The list of shortcomings begins with opaque ownership structures. "Many VPN services obscure their true ownership through complex corporate structures," the study warns. In other words, it is often unclear who really has influence over these companies.

The companies Innovative Connecting PTE, Autumn Breeze PTE, and Lemon Clove PTE, for example, claim to be registered in Singapore. In reality, they are controlled by Chinese nationals from within China and are therefore subject to Chinese information control laws, the authors write. Another report came to a very similar conclusion. "Many VPNs set up shell companies in countries with lax data retention laws," it states.

16 VPNs rated as "highly problematic"
Furthermore, numerous VPN services are developed by the same companies: "A small number of companies control a disproportionate share of the VPN market through white-label solutions," warns the study. A white-label solution is a product developed by a third-party provider and then sold by another company under its own brand name.

The study identified eight highly problematic VPN providers with 16 VPN applications and a total of over 700 million downloads in the Google Play Store that conceal their connections to each other. "The applications distributed by these providers also contain privacy and security issues that put users at risk of surveillance," the authors of the study warn.

Millions of users are potentially at risk
Among the apps described as "highly concerning" are Turbo VPN, VPN Proxy Master, XY VPN, and 3X VPN – Smooth Browsing, each of which has been downloaded 100 million times from the Google Play Store. Thus, hundreds of millions of internet users believe they are enjoying a level of security that does not exist. "Both sets of providers use the Shadowsocks tunneling protocol [which is not designed for confidentiality] to build the VPN tunnel, and claim their users' connections are secure," the study explains.

Moreover, according to the study "Who owns, operates, and develops your VPN matters," both groups of providers use the Shadowsocks protocol with hard-coded passwords stored in the apps — a serious security flaw. Attackers can read these passwords and thus decrypt and read all communications.
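The flaw described above is a secret that ships inside the app itself, so anyone who dumps the app's strings can find it. The following is an added example of the kind of check an app reviewer or auditor could run over such a dump; it is not code from the study or from any VPN vendor. It assumes credentials appear either as Shadowsocks `ss://` URIs (the SIP002 form `ss://base64(method:password)@host:port` or the older form `ss://base64(method:password@host:port)`) or as a Shadowsocks JSON config with `server`, `server_port`, `password` and `method` keys; the function names, the sample dump and the hosts in it are all constructed, and the password itself is reported only by length.

```python
"""Audit helper that flags hard-coded Shadowsocks credentials in strings
extracted from an app package.

Added example, not code from the study or from any VPN vendor. It assumes the
input is text already dumped from an app (for instance the output of `strings`
on its resources or native libraries). All sample lines below are constructed.
"""
import base64
import binascii
import json
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

_SS_URI = re.compile(r"ss://([^\s\"'<>]+)")
_JSON_OBJ = re.compile(r"\{[^{}]*\"password\"[^{}]*\}")


@dataclass
class Finding:
    line_no: int
    form: str          # "sip002", "legacy" or "json"
    method: str        # cipher name the app would use
    host: str
    port: int
    password_len: int  # length only; the secret itself is never reported


def _b64(text: str) -> str:
    """Decode standard or URL-safe base64, tolerating stripped padding."""
    text = unquote(text)
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def parse_ss_uri(body: str, line_no: int) -> Optional[Finding]:
    """Parse the part after 'ss://'. Returns None for anything malformed."""
    body = body.split("#", 1)[0]          # drop the optional #tag
    try:
        if "@" in body:                    # SIP002: base64(method:password)@host:port
            userinfo, _, hostport = body.rpartition("@")
            creds, form = _b64(userinfo), "sip002"
        else:                              # legacy: base64(method:password@host:port)
            creds, _, hostport = _b64(body).rpartition("@")
            form = "legacy"
        method, sep, password = creds.partition(":")
        host, _, port = hostport.rpartition(":")
        if not (sep and method and host and port.isdigit()):
            return None
        return Finding(line_no, form, method, host, int(port), len(password))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_json_config(blob: str, line_no: int) -> Optional[Finding]:
    """Recognise a Shadowsocks-style JSON config (server/server_port/password/method)."""
    try:
        cfg = json.loads(blob)
    except ValueError:
        return None
    if not isinstance(cfg, dict) or not all(
        k in cfg for k in ("server", "server_port", "password", "method")
    ):
        return None
    return Finding(line_no, "json", str(cfg["method"]), str(cfg["server"]),
                   int(cfg["server_port"]), len(str(cfg["password"])))


def audit_strings(text: str) -> List[Finding]:
    """Scan a strings dump line by line and collect every embedded credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _SS_URI.finditer(line):
            found = parse_ss_uri(m.group(1), line_no)
            if found:
                findings.append(found)
        for m in _JSON_OBJ.finditer(line):
            found = parse_json_config(m.group(0), line_no)
            if found:
                findings.append(found)
    return findings


# Constructed sample: what a strings dump of an app bundle might contain.
# Hosts use documentation address ranges; the secrets are made up.
SAMPLE_DUMP = """\
res/values/strings.xml
https://vpn.example.invalid/privacy
ss://YWVzLTI1Ni1nY206aHVudGVyMg@203.0.113.10:8388#constructed-node
ss://YWVzLTEyOC1jZmI6aHVudGVyMkAxOTguNTEuMTAwLjc6ODM4OA==
{"server":"198.51.100.8","server_port":8388,"password":"sample-pw","method":"chacha20-ietf-poly1305"}
ss://not-a-real-uri!!!
libcrypto.so
"""

if __name__ == "__main__":
    for f in audit_strings(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.form} config -> {f.method} to {f.host}:{f.port}, "
              f"password of {f.password_len} chars embedded in the app")
```

Any hit from this scan means every copy of the app carries the same server secret, which is exactly why a pre-shared key baked into a published binary gives no confidentiality against anyone who has the binary. The malformed `ss://` line in the sample is there to show that the parser skips noise instead of crashing on it.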

In addition, many providers rent servers in data centres without having complete control over the hardware. And some VPN apps secretly collect location data, even though their privacy policies claim otherwise.

Which VPN apps are affected?
"Unfortunately, VPNs can also provide a false sense of security at best, and at worst, completely compromise privacy and security. In the case of Innovative Connecting, Autumn Breeze, Lemon Clove, Matrix Mobile, ForeRaya Technologies, Wildlook Tech, Hong Kong Silence Technology, and Yolo Mobile Technology Limited," the study warns, adding that "any user of those applications is putting themselves at great risk, because the applications have serious privacy and security issues."

Instead, the authors recommend using paid VPNs, which are generally considered to be more reliable and secure. For example, no serious privacy or security issues were found with Lantern, Psiphon, ProtonVPN, or Mullvad.

'Disastrous for user security'
"It's catastrophic for those users' privacy and security," Benjamin Mixon-Baca, one of the authors of the study, says. "Without even considering the user's country, the weaknesses we identified indicate the VPNs don't provide any form of privacy or security which contradicts the claims made by these providers on their websites," he adds. "Users have a false sense of security because a nation-state threat actor can see everything the users of these products are doing," he warns.

Mixon-Baca also points out that this constitutes "a serious breach of user trust," considering how far some of the providers went to conceal their true identity and that, despite their claims to the contrary, they did indeed collect geographical information.

Call on app store operators
"Users should prioritize VPN providers that demonstrate full transparency about ownership, infrastructure, and jurisdiction," Mixon-Baca recommends. Open-source solutions and independent audits are key indicators of quality.

The authors also strongly recommend that app store operators pay more attention to security-related flaws in their selection process. Otherwise, the VPN icon available in the Google Play Store gives users a false sense of security.

Last resort: Tor browser
For Mixon-Baca, however, the fundamental contradiction when it comes to VPN solutions remains unaddressed. "Privacy and security, which is what people expect or think they are getting out of these products, is directly at odds with advertising and making money. What we discovered and others have also found is that when you mix privacy with advertising to make money, things don't end up well."

In his opinion, a publicly funded VPN solution similar to the Signal messenger app would be great, but it would not solve the fundamental limitations in terms of data protection and security. Anyone who really wants to be on the safe side should use the Tor browser, he concludes. "Tor does have limitations like anything, but if privacy is your primary concern, Tor is the king of the hill."