Using the Internet can be dangerous. There are lots of people who like to intercept messages and steal data. The solution, we’ve been told for years, is to use a Virtual Private Network (VPN). A VPN is designed to encrypt traffic and provide a secure and anonymous connection to the Internet. This is not just something for companies to give to their staff. VPNs protect individual users from data theft as well. Or at least that’s what we all used to think.
vpnMentor looked at 286 VPNs. It discovered that 50 are sharing data with Facebook. The details are in a blog which also links to the affected vendors. The blog contains a table that vpnMentor is updating to show any actions taken by the VPN vendors.
What data are the VPNs sharing with Facebook?
The 50 VPNs are using what vpnMentor calls the Facebook pixel. Before anyone says in an incredulous voice “it’s only a pixel”, stop and think. That pixel tells Facebook something that it can use to refine how it markets advertising and other information to you. It also provides it with data that can later be given to a government via a legal demand.
I will address marketing first. By using the Facebook pixel, the VPNs are telling Facebook that users are masking their location and details. Facebook will know that the location data from the IP address is therefore not truly accurate. While most VPN users tend to use a location in their home country, some products default to fastest location which could be thousands of miles away.
Facebook can also infer that by using a VPN, the user has an interest in personal security and privacy. That allows them to improve the marketing data they hold on the user. Remember, you have already logged into your account so it has a lot of data on you. This pixel just adds more data that provides it with the ability to refine marketing.
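The pixel described above is not invisible to anyone who looks at a page’s markup: the standard installation drops a script tag that loads fbevents.js from connect.facebook.net, an fbq('init', ...) call carrying the site’s pixel id, and a noscript image beacon to facebook.com/tr that fires even when JavaScript is disabled. The following Python script is an added example, not code from the article or from vpnMentor; it scans page HTML for those markers so that a user or an auditor can check a VPN vendor’s site (or their own) before trusting a “we do not track you” claim. The sample pages and the pixel id 000000000000000 are constructed placeholders.

```python
import re
from typing import Dict, List

# Markers commonly present when the Facebook pixel is installed on a page.
# A static scan of the markup is a first-pass check; a pixel injected by a
# tag manager at runtime would only show up in the browser's network requests.
PIXEL_PATTERNS = {
    "fbevents_script": re.compile(r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js", re.I),
    "fbq_init": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]"),
    "fbq_track": re.compile(r"fbq\(\s*['\"]track['\"]\s*,\s*['\"]([A-Za-z]+)['\"]"),
    "noscript_beacon": re.compile(r"facebook\.com/tr\?id=(\d+)", re.I),
}


def find_facebook_pixel(html: str) -> Dict[str, List[str]]:
    """Return every pixel marker found in the HTML, keyed by marker name.

    For patterns with a capture group the list holds the captured value
    (pixel id or event name); otherwise it holds the matched text.
    """
    findings: Dict[str, List[str]] = {}
    for name, pattern in PIXEL_PATTERNS.items():
        matches = pattern.findall(html)
        if matches:
            findings[name] = matches
    return findings


def pixel_ids(findings: Dict[str, List[str]]) -> List[str]:
    """Collect the distinct pixel ids seen in both the script and the noscript beacon."""
    ids = set(findings.get("fbq_init", [])) | set(findings.get("noscript_beacon", []))
    return sorted(ids)


def audit(pages: Dict[str, str]) -> Dict[str, bool]:
    """Map each page name to True if any Facebook pixel marker is present."""
    return {name: bool(find_facebook_pixel(html)) for name, html in pages.items()}


# Constructed sample page in the shape of the standard pixel snippet (placeholder id).
PIXEL_PAGE = """<html><head><title>Constructed VPN vendor page</title>
<script>
!function(f,b,e,v,n,t,s){/* loader elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Fast, private VPN</h1></body></html>"""

# Constructed sample page with first-party script only and no third-party beacon.
CLEAN_PAGE = """<html><head><title>Constructed VPN vendor page</title>
<script src="/static/app.js"></script>
</head><body><h1>Fast, private VPN</h1></body></html>"""

SAMPLE_PAGES = {"vpn-with-pixel.example": PIXEL_PAGE, "vpn-clean.example": CLEAN_PAGE}


if __name__ == "__main__":
    for page_name, html in SAMPLE_PAGES.items():
        found = find_facebook_pixel(html)
        print(page_name, "->", "pixel present" if found else "no pixel found")
        for marker, values in found.items():
            print("   ", marker, values)
        if found:
            print("    pixel ids:", pixel_ids(found))
```

The noscript image beacon is worth checking separately: blocking JavaScript does not stop it, and because the request goes to facebook.com it carries whatever Facebook cookies the browser already holds, which is how the visit ends up attached to a logged-in account. Reading the HTML of a page is not the whole story, since a script loaded later can add the pixel dynamically, so for a thorough audit watch the browser’s network requests for calls to facebook.com/tr as well.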
Some might see the upside of this. Better targeted marketing from Facebook and no more adverts to buy a VPN from another vendor. However, there is no guarantee of this. A new entrant into the VPN market might want to target VPN owners. In addition, existing players looking to increase market share will also want to target those who already use the technology.
What about the risk of government access?
The government issue is more of a problem. VPN providers vary wildly. Some log users and will hand over those logs if requested by governments, others do not. VPN providers have every reason to restrict what data they hand over. Their entire business proposition is built on user security, although it appears some don’t see it that way.
There are regions in the world where the use of encrypted communications is seen as suspicious. The UK and US governments have made it clear that they want better access to encrypted communications. They claim that only people doing something wrong would object to governments being able to check what they are doing. This is, of course, rubbish. Many people encrypt data to protect it from any misuse, government or otherwise.
Handing over data about users who connect to Facebook using a VPN carries several risks. It allows government to know who is trying to mask and protect themselves online. As mentioned, this is not just about criminals but ordinary people. If those people live under an oppressive regime, there is a risk the data can compromise them. Human rights workers, journalists and others fall into this group.
Who has vpnMentor named and shamed?
As already mentioned, there is a total of 50 VPN vendors named and shamed by vpnMentor. However, some of these have responded quickly to the report.
VyprVPN, IPVanish, CyberGhost, GooseVPN, Hotspot Shield, PrivateVPN, PureVPN, SaferVPN and Zenmate VPN have all removed the pixel. OperaVPN has been shut down leaving users having to quickly find an alternative.
However, there are several big names in the VPN market who, so far, appear to have done nothing. The two biggest are arguably HolaVPN and HideMyAss. The latter is now part of Avast, a security vendor that you would expect to do better. They have declined to comment on this story. The full list of VPN vendors who are sharing data is at the bottom of the vpnMentor blog and is being constantly updated.
Enterprise Times sent emails to several of the VPN vendors yesterday. So far, no response from any of them. One VPN vendor who has responded to an email from one of our team is Unlimited VPN. In the email chain a support team member wrote:
“Yes, we run Facebook Pixel on our website, however, this does not put a dent in your privacy in any way.
“Yes, we protect all your data, both your customer data and the traffic under a VPN-connection. Privacy and security are the main purposes of our service, so we really take it seriously.”
When faced with questions over marketing and government access, he responded:
“Yes, we mean that ‘your data’ that is used on our websites is not ‘your’, but it’s just ‘some non-personalized data’.
“The thing is – the same could be said about:
“- any search engine (such as Google, Yahoo, Bing, etc). For example – “… if you’ve ever searched for “VPN” – the US government could force these US based search engines to present a list of people… “
“- any web browser, that could potentially collect your browsing history
“- any ISP, that could potentially detect VPN traffic
“- any email service provider, that can detect that you’ve used VPN to access your account
“- any bank or payment system that was used to make a purchase
“- any operating system, that could potentially collect information about the installed applications
“- the list goes on…
“What is important, even though it is possible to know that someone is using VPN (your system/network administrator and ISP are probably aware of that) – it is not possible to see your online activities.
“When you’re connected to VPN – all your traffic is protected with a military-grade encryption, thus you can be sure that your personal information and anonymity are secured.”
It seems to us that Unlimited VPN is ignoring the issue of trust and opt-in. The spokesperson is right that any of those sources could gather the data and pass that off. However, what Unlimited VPN, and the other named and shamed are doing, is enabling Facebook to tie VPN usage to user accounts. This is fed into Facebook’s marketing system improving its ability to sell advertising to targeted user groups.
What does this mean?
VPN vendors are meant to be trusted organisations. The level of encryption and security they offer is relied upon by many to provide a safe way of using the Internet. By compromising that trust, VPN vendors are showing a lack of respect for their customers.
There is another issue here. NONE of these vendors say that they are doing it. Under the EU-US Privacy Shield this failure to get explicit consent to share that data is a breach of duty. When GDPR comes into force, every VPN vendor will need to say explicitly what they are storing and how it will be used. There is now just one month for those vendors who are using the Facebook pixel to remove it or get explicit consent.
There are other issues for some of these vendors. Some log activity and some do not. Article 17, Right of Erasure, means that they need to be capable of deleting logs relating to an individual.
While the data transferred is just a pixel, in the world of marketing, every small piece of data can become a force multiplier. That is what is happening here.
The VPN industry is now due for a shake-up. If it hadn’t been for the attention on Facebook it could be argued that vpnMentor would not have done this research. Now it has, a harsh light has been shone on some shoddy practices. It will be interesting to see, post 25th May, how many VPN vendors shut up shop.