VPN apps toy with trackers: why it should worry you
When we look for a VPN to install, it's usually friends or tech publications we refer to. A regular user simply lacks time or resources to examine each and every of dozens of VPN providers, review thousands of testimonies (provided they are not carefully curated) and make an informed choice.
Trust, but verify
And while your friends may have valuable firsthand experience with VPNs, there's also seemingly nothing wrong with trusting high-in-regard industry experts on the matter: they would carefully vet each service provider, poke it with a privacy-sharpened stick and arrive at a verdict: Yea or Nay. It's usually a range of different criteria that reviewers take into consideration: connection speed, number and location of servers, customer support — we can all agree that these are important — but what we expect from VPNs by default is a certain degree of privacy and protection from trackers and advertisers. There is very little wiggle room when it comes to sharing data with third parties — after all, that is what VPNs are designed to prevent and which many of them pride themselves on doing.
But what if some of the important facts about a VPN slip under the experts' radar or get omitted by them on purpose? We will not entertain conspiracy theories and declare all tech publications frauds and sell-outs. Instead we will give you some information to ponder over. Here's what we did: We selected 20 VPNs that have made it into the "best VPNs" lists compiled by various technology and cybersecurity publications over the past year and checked if they have any in-built trackers in their Android apps.
It has turned out that at least 14 VPN apps have tracking scripts embedded in them.
We won’t out any specific VPNs, but we will name the publications so that you can have a crude idea where to look for our heroes and anti-heroes. These are Techradar, Tom’s Guide, Cybernews.com, vpnMentor, Security.org, Makesuseof, and PCMag among others.
You can use this website to check any of the VPN apps you are interested in yourself:
Trackers and 'best' VPNs: Look under the hood
As we've already mentioned, out of the 20 VPNs we chose to review based on their inclusion in various ratings, 14 have trackers built into their Android apps.
Let's take a closer look at what these trackers are exactly. The most popular, found in 13 apps out of 20, is Google CrashLytics, a real time crash reporting tool which is part of Google's Firebase ecosystem. The second place in terms of popularity is taken by another Google tool — Google Firebase Analytics, which is built into 11 applications.
The bronze is split between AppsFlyer, a data-driven marketing tool, and the good ol' Google Analytics, each with 6 clients out of 20 VPN apps. Honorable mention goes to Google Tag Manager, which is embedded into 3 apps.
Now we're diving into deeper waters populated by more rarer, and in some cases, more dangerous species: 3 apps use MixPanel, a marketing analytics tool; 2 have the Adjust mobile retargeting tool running, and 2 have have mobile analytics and attribution platform Kochava built into them. Code signature of Google AdMob can be found in 2 apps.
New Relic monitoring tool, a set of tracking tools known as Huawei Mobile Services (HMS) Core, Insider marketing platform, and a testing solution for marketers Taplytics — all can be found in at least one app.
One VPN app has found an unlikely bedfellow in Facebook, having a horde of in-built Facebook tracking codes, including Facebook Analytics, Facebook Places, Facebook Share, Facebook Login.
A different VPN app has a tracker with a telling name: Facebook Ads. The same VPN app has apparently a soft spot for advertising scripts, and also has Google AdMob, Kochava, MixPanel, and Unity3d Ads built into it.
Even by looking at the names of the trackers, we can venture a wild guess that some of them can hardly pass for benign analytics tools essential for providing you with the best service possible.
But let them speak for themselves.
But VPNs are not tracking me, right?
We have studied privacy policies of the trackers found in the 'best of the best' VPN apps to find out what data they might collect and what they might be doing with it.
AppsFlyer
Where: code signature present in 6 apps
California-based AppsFlyer, which received its first funding from Microsoft, says that it can process a vast amount of end user data. That data includes the information about device's type and model, CPU, system language, memory, OS version, Wi-Fi status, time stamp and zone. The data also contains technical identifiers, for example, an IP address, user agent, Android ID, customer issued ID as well as "other interactions, events and actions customers choose to measure and analyze with their application".
AppsFlyer says that the end user data that it handles "does not generally contain" information that can directly identify a user, but acknowledges that "under certain jurisdictions" the end user data they receive "may be deemed personal data"․ Moreover, a customer, that is a VPN app, may configure its services to collect sensitive personal information if it so wishes, and then AppFlyer will receive and process this information.
Google Analytics
Where: code signature present in 6 apps
Google Analytics is a tried and trusted marketing tool that collects Android Advertising ID by default. For that a developer has to give the SDK certain permissions. Even then the user can opt out of advertising ID collection in Android Settings.
In a default mode, Google Analytics also collects the following information about the user: age bracket, gender, language, app store, app version, region, continent, country, city, device brand (for example, Samsung), device category, device model, OS version, platform.
Google CrashLytics
Where: code signature present in 13 apps
CrashLytics is a member of the extended Google family and, like every respected Google family member, handles significant amounts of end user data. In the case of Crashlytics, these are the Crashlytics installation UUIDs (universal unique identifiers), among other things. CrashLytics uses the UUIDs to "measure the number of users impacted by a crash"․ It retains crash stack traces, minidump data and UUIDs for 90 days. The information it stores may also include the name and version of the operating system, an indication of whether the device has been jailbroken/rooted, model name, CPU architecture, amount of RAM and disk space, an instruction pointer of every frame of every currently running thread and so on.
Google Firebase Analytics
Where: code signature present in 11 apps
The tool processes mobile advertising IDs and in its default implementation can collect quite a lot of data, such as: number of users and sessions, session duration, operating systems, device models, geography, first launches, app openings, app updates, in-app purchases — it's basically the same as with Google Analytics. It stores the Android advertising ID for 60 days and "retains aggregate reporting without automatic expiration". It stores user-level data such as conversions for up to 14 months. A developer can set data retention settings to either 2 or 14 months.
MixPanel
Where: code signature present in 3 apps
MixPanel is an analytics company whose CEO is a former Twitter executive. Interestingly, the company's privacy policy does not apply to end users, but to customers, which in our case are VPN applications. This means that end users cannot directly request MixPanel to delete their personal data. MixPanel says that in default mode a developer can allow the following information to be sent to MixPanel: app version, bluetooth usage, device brand and model, Wi-Fi carrier and status, device manufacturer, whether the device has telephone functionality, device ID, user ID that is stored locally on the user's device, operating system, screen height, screen width, screen DPI, timezone.
Mixpanel also says that it "may also use Customer Content in a de-identified and aggregated form for Mixpanel’s own business purposes, including use, duplication, modification, and creation of derivative works regarding usage and performance of Aggregated Data.".
Google Tag Manager
Where: code signature present in 3 apps
Google says that its Tag Manager may "collect some aggregated data about tag firing", which, however, does not include users' IP addresses or any other identifiers that could be used to track a specific person. "Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, Google Tag Manager does not collect, retain, or share any information about visitors to our customers' properties, including page URLs visited". Sounds encouraging, unlike the doom and gloom we've seen before.
Adjust
Where: code signature present in 2 apps
Adjust is a mobile attribution and analytics company, owned by AppLovin. For starters, Adjust’s marketing materials already sound unsettling: "Unlimited and uncapped are words that we use a lot when we describe our data access", the service boasts. Adjust says that its SDKs and APIs can process data such as hashed IP addresses, mobile identifiers, in-app actions, including purchases and registration, information regarding user interactions with ads, touch sensor data, accelerometer, gyroscope, battery, light sensor, device hardware specifications and operating system version. The company claims it does not enrich this data to identify individual users, and does not share or disclose the data "with anyone else except our service providers and in response to lawful requests by public authorities". The data is stored as long as developers use the SDK, unless Adjust is specifically told to do otherwise.
Google AdMob
Where: code signature present in 2 apps
AdMob makes no secret of the purpose of its existence: by integrating it into an app one wants to display ads and earn revenue. The Mobile Ads SDK may collect the following data while helping app developers to do so: device ID, diagnostic information (such as non-user related crash logs) that can be used for advertising purposes, "user-associated performance data" that can used to gauge user behavior such as when they launch an app and how much time spend in it. Such "performance data" can be used for showing ads, "including sharing with other entities that display ads".
Kochava
Where: code signature present in 2 apps
Idaho-based Kochava says that "various data is transmitted from the SDK to Kochava". The company says that among data points that it can receive are Google Advertising ID, as well as Android, Amazon and Huawei advertising identifiers, user agent of the device and other data points that "are common across most SDK platforms": battery level, device architecture, boot time, battery status, device model, display width, height, location, language, network, platform, screen DPI, size and brightness, timezone setting. An end user cannot opt from the data transmission, only the app developer can.
Unity3d Ads
Where: code signature present in 1 app
As its name suggests, Unity3d Ads is in the ad monetization business. The data it processes depends on the type of product, and can range from IP address to various device information, login data, OS, language, and advertising ID, and so on. According to its privacy policy, Unity Ads can use the information it "collects or receives" to "deliver and target advertising, including personalized ads". The company also says that it may "employ cookies and related technologies to store information on or read information from your browser or device". Third-party advertisers can place ads within its service and likewise deliver ads.
New Relic
Where: code signature present in 1 app
California-based New Relic develops software that helps application owners to monitor and improve performance. It can collect log files, event files, aggregated data as well as personal data, such as user ID and user name. The company may share this data with "third-party services providers that support our business and operations" as well as law enforcement agency, regulator, court or other third party if it deems it necessary to protect the law, the company's rights or vital interests of "any person". The platform stores different types of data for different time periods. If an app owner reduces the number of days New Relic may store the data, it might still be included in queries "for up to several weeks". Moreover, "once telemetry data (events, metrics, logs, traces) is reported to New Relic and available for querying, that data cannot be edited or deleted" and will only expire after the retention period ends.
Huawei Mobile Services (HMS) Core
Where: code signature present in 1 app
HMS is an assortment of tools that positions itself as an alternative to Google's developer libraries developed by China's telecommunications giant, Huawei. It includes dozens of "kits", such as Analytics Kit, Location Kit, and Ads Kit among others.
Insider
Where: code signature present in 1 app
Turkey-origin and Singapore-based Insider has developed a marketing tool that may process personal data, including contact information, technical information, such as IP addresses and the data that pertains to device's hardware and software. Insider says it does not "rent, sell, or share personal data with third parties", but may share personal information when "required by law" and "when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud or respond to a government request".
Taplytics
Where: code signature present in 1 app
Taplitics's description of what data it receives from its clients is rather vague. The Canada-based company says that it would "receive data collected by our clients for the purposes of providing our services to the client" and that in such cases an application "solicited your consent to share the personal information with us". The information is stored "on a secure cloud" in the US, which means that the "United States law can apply to it". Taplitics says that it does not disclose user personal data "unless it is with your consent or as authorized or required by law".
The Facebook bundle
The next family of trackers needs no introduction. Facebook is the last company one thinks of when thinking about privacy protection so the association between the tech giant and ostensibly privacy-oriented VPNs looks rather odd, to put it mildly. Facebook SDKs automatically log basic interactions in the app, but the developer can disable automatic logging. They also collect Facebook ad ID, mobile advertiser ID and metadata, including device-related metrics, such as device OS, carrier, screen size, processor cores, total disk space, remaining disk space.
What are the implications for the end user?
VPN service providers may argue that they do not use the potential of these marketing tools to the fullest, but rather the bare minimum of features they need to improve their service to you, the end user. But you should not necessarily believe them.
By building trackers into their apps, VPN providers leave themselves loopholes to collect user data. They may not be doing it just now, but where is the guarantee they won’t in the future?
Either way, we think that VPNs that embed trackers into their apps have some tough questions to answer. It won't take much of your time and effort to check if you need to ask your VPN app these questions.
All you need to do is to go to Exodus, a privacy auditing platform for Android apps and enter the name of your VPN application in the search bar. You will see the list of embedded trackers and permissions found in the app. If your app doesn't have built-in trackers, congratulations, your VPN isn't collecting your data. If your app has built-in trackers, commiserations, you are running the risk of your data being collected and shared with third parties.
If you feel queasy about what you might have found, we suggest you consider installing AdGuard VPN: we have no built-in trackers, so you won't need to worry about anyone snooping on your online activity.
