Does a VPN Steal Your Information?


A VPN, or Virtual Private Network, is something meant to protect our privacy and our data. However, with more and more free VPNs popping up, it can be hard to know how safe your personal information really is.

Do VPNs steal your information? Some can, but not all of them will. Choosing a secure VPN should protect you. Free VPNs are far more likely to collect and sell data, use malware, leak your IP address, and even track specific devices. Using the wrong VPN can result in a security risk for individuals and corporations alike.

It is frustrating that something we use to protect our information could potentially put us more at risk. Knowing which VPNs are safe to use is your best line of defense. Learn to identify safe internet use and trustworthy VPN services so that you don’t leave your information out for third parties to collect.

Can you be hacked using a VPN?

Many of the popular VPNs may not be safe to use, as they could behave maliciously by installing additional software to hack your device. They could also spy on your data once it is routed to their VPN servers, especially if it is not using an HTTPS connection.

It is important to choose reputable VPNs (check out my latest list of reputable VPN providers) as a secure way for you to keep your information safe.

Most of the security of the VPN[1] process is determined by the security protocol used during the connection to a website. If a VPN service is attempting to steal your information, it will have to do it one of two ways: intercepting HTTP traffic or installing fake certificates on your device.

Intercepting HTTP 

HTTP, or HyperText Transfer Protocol[2], was the standard way to connect websites and information. However, it is an unsecured protocol because it transmits data as plain text. That human-readable text is what makes standard HTTP so vulnerable: anyone who can see the traffic can read it and then take it. Although the newer HTTPS protocol is available, HTTP is still widely used for website transactions.

HTTPS stands for HyperText Transfer Protocol Secure. To know if your web address uses HTTPS or not, all you have to do is look to the left of your URL. If the website is using HTTPS, you will see a locked padlock next to the web address. 

If the connection is using standard HTTP, you will either see a message to the left of the URL that states “not secure” or you will see a locked padlock with a red slash through it. The message will depend on the browser that you are using. 

Although a VPN encrypts the traffic between your device and its server, the server decrypts that traffic before sending it on. If the request goes to an HTTP address, its contents can be read at that point. So, although you are using a VPN, if you choose to use HTTP addresses, you are still at risk of having your information collected.

Installing Fake Certificates

The other common way for a VPN to steal personal information is a bit more complicated, but it basically amounts to hacking[3] your use of HTTPS.

Since HTTPS is already encrypted to be secure, adding a VPN gives it double encryption. So, it makes sense that this should make your data more secure. However, a shady VPN service, say a free one or one sourced out of China, can install its own certificates on your device.

These fake certificates allow the VPN to intercept the HTTPS connection, decrypt it, take the information they want, re-encrypt it, and then send it forward. The cybersecurity community looks for VPN operations that do this specific process, and if caught, they are closed down. The good news is that untrustworthy VPNs that do this get caught quickly.
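Interception of this kind leaves a trace: the certificate a site presents through the VPN is issued by the VPN's own authority instead of the site's usual one. The following is an added example, not part of the original article, that compares a record taken on a trusted network with one taken through the VPN; the certificate samples, CA names and fingerprints are constructed for illustration.

```python
import hashlib
import socket
import ssl

# Constructed samples in the format returned by SSLSocket.getpeercert();
# the CA names are invented for illustration.
BASELINE_CERT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public CA R1"),))}
VPN_CERT = {"issuer": ((("organizationName", "FreeVPN Client Root"),),
                       (("commonName", "FreeVPN Inspection CA"),))}


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def fetch_leaf(host, port=443, timeout=5.0):
    """Return (issuer fields, SHA-256 fingerprint) of the certificate a host presents."""
    # Validation alone proves nothing here: a root certificate installed by the
    # VPN client is trusted locally, so an intercepted handshake still succeeds.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return issuer_fields(tls.getpeercert()), hashlib.sha256(der).hexdigest()


def compare(baseline, observed):
    """Compare a record from a trusted network with one taken through the VPN."""
    (base_issuer, base_fp), (seen_issuer, seen_fp) = baseline, observed
    findings = []
    if base_fp != seen_fp:
        # Also happens on routine renewal, so treat it as a prompt to look closer.
        findings.append("leaf certificate fingerprint differs")
    base_org = base_issuer.get("organizationName")
    seen_org = seen_issuer.get("organizationName")
    if base_org != seen_org:
        findings.append(f"issuer changed: {base_org} -> {seen_org}")
    return findings


if __name__ == "__main__":
    baseline = (issuer_fields(BASELINE_CERT), "aa" * 32)  # constructed fingerprint
    observed = (issuer_fields(VPN_CERT), "bb" * 32)       # constructed fingerprint
    for finding in compare(baseline, observed):
        print(finding)
```

To use it on a live connection, call `fetch_leaf` for the same host once on a network you trust and once through the VPN, then pass both results to `compare`.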

Data VPNs Might Want

It is nerve-racking even thinking that third party companies could be using VPN services to collect and/or steal information. At the same time, what is worth taking? Here are the three most commonly collected pieces of information untrustworthy VPNs look to gather from their customers.

Passwords or Login Credentials

Your passwords give you the ability to access a lot of information these days. You can get into your business accounts as well as personal accounts. The good news is that VPN services can only access passwords that are typed in on websites that use unsecured HTTP. 

To protect your passwords, make sure any website you type a password into is HTTPS. Then, you are far less likely to have them compromised. Additionally, never use the same passwords for all of your logins. This is tempting to do as it is easier to remember, but if one website jeopardizes a password and it is the same for everything, you just gave the VPN all of your information. 

Bank Information

Really shady VPN services may try to access bank information. PayPal and all official banking services use an extremely secure HTTPS connection to ensure everything is encrypted. VPNs may attempt to access this via hacking. However, there are safeguards and alerts that banks use to stop this from happening.

The only way a VPN would be able to get your bank information is if they were to access your password and login information. 

Personal Data to Sell

For a VPN service to be free, the business behind it needs another source of income. That is where your data comes into play. Many third parties collect and store data for advertising purposes or government use.

So, any information they can see and gather about you, they will take, store, and transfer to a third party that is willing to pay for the data.

Free VPNs do this as a source of income, and they are not trustworthy. China-based VPNs also collect data. It is legal in China to implement content censorship and monitor online activities, so their VPN services are equipped to collect data. So, just like free VPNs, China-based VPNs are not recommended either. 

Some countries participate in a surveillance alliance[4]. They are called 5-eyes, 9-eyes, and 14-eyes. To explain these, let’s look at what the 5-eyes is. The 5-eyes consists of five countries: the United States, the United Kingdom, Canada, Australia, and New Zealand. 

These five countries have been working together since WWII to spy on citizens, collect data, and share it amongst themselves. The 9-eyes and 14-eyes were built off of that and have added new countries to their alliances since then. 

How to Tell if a VPN is Safe

The best way to avoid a VPN service that may jeopardize your personal information is to know which ones you can truly trust. After all, we seek out VPN services to protect us and our time online, not to put us at a higher risk. Here are three things you should look for when choosing a VPN service:

  1. They are based outside of a surveillance alliance (5-eyes, 9-eyes, 14-eyes)
  2. They are well-known, established, and a long-time business
  3. They have a strict no-log policy so they cannot keep your data

Fitting into these three criteria is difficult for most VPN services, so it will narrow down your pool of selection rapidly. The number one thing to remember is that a free VPN is usually not safe. They are still a business, and how can a business run a service for free without a side hustle of collecting and selling data?

Keeping your information safe shouldn’t have to be such a battle. However, data is a valuable tool for many companies and governments. Follow those guidelines above, and you will be able to find a trustworthy VPN in no time. 

