This is new to me; I wasn't aware of the different VPNs, almost all of whom are linked to the PRC. So, FYI, caveat emptor.
Popular apps with Chinese ties can gather more data than TikTok
By Joseph Menn, The Washington Post
SAN FRANCISCO -- As Congress weighs an unprecedented ban of the wildly popular Chinese-owned TikTok over supposed security concerns, millions of Americans are downloading Chinese-designed apps to their phones that pose greater privacy risks with no outcry from lawmakers or regulators. Known as mobile virtual private networks, or VPNs, the apps create a virtual tunnel through the internet that disguises a user's virtual and physical location, in theory rendering them anonymous to the websites they visit, the communications providers that take them there, and advertisers and government snoops trying to suck up information along the way.

But experts have warned for years that everything the VPNs hide, they can see themselves. That means users who are working not to reveal who and where they are as well as what they are doing online are surrendering that very information to the VPNs.
Some VPNs have the capability to see even more, including encrypted email content and banking information, because they have been placed in a highly trusted position on user devices.

Some of the most popular VPNs have misled consumers about their practices while disguising their origins, ownership and locations, including apps based in China or controlled by Chinese nationals, according to corporate records reviewed by The Washington Post as well as interviews and researchers.
"You have a bunch of lazy people calling themselves VPNs who are making money from your data, just like Google," said Dennis Batchelder, whose company, AppEsteem, evaluates app safety for antivirus companies. "I would have reservations about VPNs based in any country that can tell your company they want to grab your data."
Under Chinese law, tech companies can be compelled to turn over everything they have to government authorities that prize domestic and international surveillance -- one of the main alarms congressional critics raise about TikTok. Concerned about the potential prosecution of women seeking abortions through shoddy VPNs, two Democrats, Sen. Ron Wyden of Oregon and Rep. Anna G. Eshoo of California, last year asked the Federal Trade Commission to take action particularly on those that engage in deceptive advertising and data collection practices. They wrote to the FTC chair that the industry is extremely opaque, and many VPN providers exploit, mislead, and take advantage of unwitting consumers.

But other members of Congress generally have been silent about the risks posed by VPNs, even from Chinese providers, while championing restrictions and outright bans on TikTok, which has far less access to what users do online.

That may be in part because TikTok is an extremely visible target and a single brand, while scores of VPNs crowd into the app stores and change names, addresses and owners from year to year.

"We just tend not to focus on things until they become big," said former Google government relations executive Adam Kovacevich, now head of trade group Chamber of Progress, adding that the "TikTok fight could launch a broader debate on Chinese technology."
VPNs would, however, be covered under a broader bipartisan bill introduced by Sens. Mark R. Warner (D-Va.) and John Thune (R-S.D.) and endorsed by the White House that would require the Commerce Department to evaluate foreign tech and recommend bans to the president.

"Congress needs to ditch the existing whack-a-mole strategy with technology from adversarial nations and create a more systematic process to examine national security risks and act on them," Thune, a Republican, told The Post. Warner said "Chinese VPNs were the sort of apps that cry out for a systemic review like that proposed in the bill," which would allow the Commerce Department to examine apps on national security grounds. "This is exactly why Congress needs to pass the Restrict Act," Warner told The Post.

The secretary of commerce should be able to review and impose mitigation measures as needed to protect Americans from these apps, but she currently lacks the ability to do so under current law.
TikTok has powerful, big-spending American companies as rivals, including Meta's Facebook and Google's YouTube. No big U.S. companies have consumer VPNs as a major line of business.
On the contrary, Apple and Google profit from VPN apps by taking a cut of the sale price on their app stores and by selling them ads. Turbo VPN, for example, is among the first results that show up when searching the Google Play app store for VPN. It has been downloaded more than 100 million times.

The parent company of Turbo VPN, Innovative Connecting, has a Singapore headquarters and a Cayman Islands registration. It has had multiple Chinese nationals as directors in the past few years, records show.

As with many of the apps, there is no way to prove who or where the real owners are. The computer version of Turbo VPN was among several services that AppEsteem found last year to be installing root certificates, which allowed them to tell the computer to trust any application that it authorized. It could have vouched for a fake email or chat program to extract content from the real ones, but there is no evidence it ever did so. Turbo did not respond to an email seeking comment.
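A defender-side check that follows from the root-certificate finding above, added here as an illustration and not part of the article or of AppEsteem's tooling: record the SHA-256 fingerprints of the roots a machine trusted when it was provisioned, then diff the live trust store against that baseline so any root an installer added later stands out. The PEM bundles and the certificate contents below are constructed placeholders (not real X.509 data), and the Debian path mentioned in the comments is an assumption about where such a bundle commonly lives.

```python
import base64
import hashlib
import re
import sys

# Matches each PEM certificate block in a bundle; re.S lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed sample data: these are NOT real X.509 certificates, only base64
# placeholders laid out like a PEM bundle so the logic can run offline.
KNOWN_BUNDLE = """\
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZXhhbXBsZS1yb290LTI=
-----END CERTIFICATE-----
"""

# The same store after an installer added one extra root ("unexpected-root").
SAMPLE_BUNDLE = KNOWN_BUNDLE + """\
-----BEGIN CERTIFICATE-----
dW5leHBlY3RlZC1yb290
-----END CERTIFICATE-----
"""


def pem_to_der_blobs(bundle: str) -> list[bytes]:
    """Return the DER bytes of every certificate block in a PEM bundle."""
    blobs = []
    for match in PEM_RE.finditer(bundle):
        body = "".join(match.group(1).split())  # drop line breaks and spaces
        blobs.append(base64.b64decode(body, validate=True))
    return blobs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, upper-case hex as browsers show it."""
    return hashlib.sha256(der).hexdigest().upper()


def snapshot(bundle: str) -> set[str]:
    """Baseline: the fingerprints of every root trusted at snapshot time."""
    return {fingerprint(der) for der in pem_to_der_blobs(bundle)}


def audit_trust_store(bundle: str, baseline: set[str]) -> list[str]:
    """Fingerprints present in the live bundle but absent from the baseline."""
    live = [fingerprint(der) for der in pem_to_der_blobs(bundle)]
    return [fp for fp in live if fp not in baseline]


# Baseline built from the constructed provisioning-time bundle.
BASELINE = snapshot(KNOWN_BUNDLE)


def main(argv: list[str]) -> int:
    # With two arguments (saved baseline bundle, current bundle) audit real
    # files, e.g. a copy of /etc/ssl/certs/ca-certificates.crt taken at
    # provisioning time versus the current one (Debian-style path, assumed).
    # With no arguments, audit the constructed sample.
    if len(argv) == 3:
        with open(argv[1], encoding="ascii") as fh:
            baseline = snapshot(fh.read())
        with open(argv[2], encoding="ascii") as fh:
            live = fh.read()
    else:
        baseline, live = BASELINE, SAMPLE_BUNDLE
    unexpected = audit_trust_store(live, baseline)
    for fp in unexpected:
        print(f"root not in baseline: {fp}")
    return 1 if unexpected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The system-wide PEM bundle is only one of the places a root can be added; Windows keeps per-user stores, macOS has the login keychain, and Firefox uses its own NSS database, so a complete check snapshots and diffs each of those the same way.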
Two more of Google's first six listed VPNs are owned by an entity called Signal Lab. While many might associate that with the privacy-protecting Signal app for communication, there is no connection. Signal Lab has a website that gives no sign of what company is behind it. It lists an address near Los Angeles that is used by hundreds of entities. The only way to reach Signal Lab is through a Gmail address, where a Post query has remained unanswered for weeks. Employees told longtime researcher Simon Migliano, who writes for Top10VPN.com, that it really operated from Hong Kong.

Signal Lab's privacy policy says its VPNs do not keep logs of user activity. But its terms of service prohibit sending any communication that is objectionable, a term that could be applied to much of the internet. It reserves the right to monitor activity to investigate any possible violation of the terms of service. Put together, that means it could monitor any user's activity for anything suspected of being objectionable to anyone.

Apple's App Store presents similar issues. Of the first 10 results for VPN in a recent search, one was based in Hong Kong, and three more were owned by Boston-based Aura, now parent of a VPN called Hotspot Shield.
Hotspot Shield drew a complaint to the FTC in 2017 from the Center for Democracy & Technology, which said that while Hotspot claimed in ads that it kept no records of users' true internet protocol addresses, it gave those addresses to commercial partners. Hotspot, which the center claimed installed tracking cookies on user computers, said deep in its privacy policy that it did not consider IP addresses or device identifiers to be personal information, even though both can be tied to a specific user. The FTC took no public action against the company. Aura has raised multiple rounds of venture capital and this month hired actor Robert Downey Jr. as a pitchman. It did not respond to an interview request.
Another of Apple's top 10 results, VPN - Super Unlimited Proxy, is connected to a company with a Chinese history. Apple records say those are owned by Mobile Jump of Singapore, which once boasted a headquarters in Dongsheng Science and Technology Park in Beijing. Singapore records show that Mobile Jump is owned by Free VPN, which is owned by VPN Super, which has the same Redwood City, Calif., address as a U.S. company named Super Unlimited. The address belongs to a law firm that a partner said offers mail drop services for hundreds of companies. Super Unlimited's president is Tanuj Chatterjee, who used to be a top executive at Aura, the owner of Hotspot Shield.

Chatterjee posted on LinkedIn six months ago that what he described as one of his apps, VPN - Super Unlimited Proxy, had become the top free app in Apple's store, ahead of TikTok and Instagram. Chatterjee confirmed that Super Unlimited owned the big VPNs and said that when it acquired them, they had no legal connection to China at that time. "Neither we nor any of our subsidiaries have any connection with China whatsoever; no shareholders, operations, code, servers, data, or team members are in China or affiliated with China," he said by email.
Consumer advocates say Apple and Google should be keeping out the more questionable VPNs, especially those that violate the big companies' policies against obscuring ownership or misleading users on privacy, or at least provide warnings to users. "It should be that the app stores want people to come and not find things that are super suspicious. There should be a market incentive to do that," said Mallory Knodel, chief technology officer of the Center for Democracy & Technology. "I'm a little confused why they don't do more."
Apple declined to discuss any of the apps mentioned in this story. In an emailed statement, it said that "VPN apps are powerful tools that can be used to track user internet traffic, so we have strict guidelines for what developers of VPN apps must do in order to be on the App Store."

Google also declined to discuss specifics. "Google Play has policies in place to keep users safe that all developers, including VPN apps, must adhere to," said spokesperson Ed Fernandez. "We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action."

Both companies have argued that their grips on the app market should not be loosened out of antitrust concerns, another subject of congressional debate, because they are protecting consumers through their product approval process.

But app makers, regulators and legislators have pointed to failings in the vetting process, which have not flagged imitators and scams in multiple categories. Evidence in an antitrust suit by Epic Games showed that even Apple employees decried the weakness of its defenses, which a lead engineer described as "bringing a plastic butter knife to a gunfight."
Malware from China and U.S. government contractors has sneaked into seemingly benign apps for years. In 2021, The Post reported that nearly 2 percent of the biggest moneymakers on Apple's store were scams. The VPN business is bigger than most categories of apps, with paid versions often charting among the highest revenue among productivity apps. "It's disgraceful, the lack of due diligence that they do in this area," Migliano said of Apple and Google. He said he first raised the issue with Apple in 2019.

The big app stores have a critical role with VPNs, both Migliano and Knodel said, because of the difficulty getting objective information: Many review sites are completely or partly owned by VPN providers, including Migliano's. Migliano found more than 200 million installations of VPNs with Chinese ties, many of which were hidden as the brands became more popular. Some abandoned Chinese headquarters from one iteration to the next, while others replaced executives.
Free VPNs are most likely to run afoul of best privacy practices, experts said, because they have an extra financial incentive to capture information about users in order to sell relevant ads. Consumer Reports did a deep dive two years ago into whether popular brands had privacy audits that users could read, leaked their IP addresses or exaggerated the security they could provide. The nonprofit magazine also noted that some VPNs that had claimed to keep no logs managed to produce them when confronted with legal papers, and it raised questions about some owners and executives. Among those it highlighted was ExpressVPN, one of the most popular for browsing Chinese websites. That is now owned by Kape Technologies, which grew out of a company known for spreading malicious software and which has employed as executives both the convicted CEO of collapsed crypto exchange Mt. Gox and Daniel Gericke, a former U.S. intelligence operative who admitted hacking U.S. networks while working for the United Arab Emirates.