For the last seven years, Shannon Morse has been making videos on security and privacy tips on YouTube. That includes reviews of Virtual Private Networks, or VPNs—software that encrypts your network traffic so that internet service providers or people on the same Wi-Fi network as you can't spy on your activity.
VPNs are frequently marketed as a tool to protect privacy because they can hide your IP address and other signals that tell a website who you are, like your internet service provider or your approximate location. Businesses have VPNs to make sure remote staffers are securely connected to their internal network, activists use them to hide from government espionage, and the average person might use one to watch TV shows only available in other countries.
Morse said she uses VPNs like ProtonVPN to help keep her online activities private because of her public persona.
"Especially because I'm a content creator, it's so important to me to uphold my own security and privacy standards," she said. "A VPN helps secure and helps privatize some of what I do on the web."
But while VPNs say they do not log people's activity—meaning their browsing, who they call, which TV shows they watch—that does not mean they're not siphoning data from their users and even their prospective customers.
To get a sense of exactly what sorts of information VPNs are grabbing, The Markup examined the privacy policies of 14 popular VPN companies. We also ran their websites through Blacklight, our tool for detecting third-party trackers. And we searched through our Citizen Browser data for VPN Facebook advertisements to see not only how VPNs are marketing themselves on Facebook but also how they're making use of that platform's personal-data-driven advertising machine.
Overall, we found a fair bit of hypocrisy: While the VPNs' homepages and blog posts highlight their privacy benefits, some of their privacy policies tell a different story.
Surfshark's homepage, for instance, boasts that it can "protect your privacy with the fastest VPN," while its privacy policy notes that the company collects user devices' advertising identifiers for marketing purposes.
"We do collect aggregated data for marketing purposes as it is crucial in making business decisions for customer acquisition and competing in an extremely competitive VPN industry," Dom Dimas, a spokesperson for the company, said.
Not all VPNs we examined tracked users or visitors to their websites, but many did.
Eight apps collected data from VPN users, and 10 out of 14 VPN websites contained trackers. As for how that data played into Facebook's advertising machine, we'll get to that in a minute. First, the results.
What Data Are VPNs Scooping Up About Their Users?
We selected 14 VPNs that were among the most frequently recommended VPNs from websites like Security.org, Wirecutter, and PCMag. We also included VPNs known to run ads on Facebook, discovered through our Citizen Browser project.
Again, none of these VPNs say they collect any sort of logs of user activity. But many of their privacy policies do allow for other sorts of data collection.
CyberGhost VPN, for example, promotes "absolute privacy on all devices" with its service, but its privacy policy notes that it can collect specific "non-personal" information on devices, including their advertising ID, battery levels, gyro-sensor data (the sensor used to automatically rotate a phone screen), and mobile service provider.
CyberGhost didn't respond to requests for comment.
NordVPN, meanwhile, says it uses its customers' user IDs and device IDs for marketing purposes.
Tyler Miller, a spokesperson for the company, said that user IDs are only collected to figure out where purchases came from (for example, if the app download came because of a specific ad) and that customers are notified when that data is collected.
"While we accept and understand our strategy's criticism, millions of people would be less safe and less private without it," Miller said in an email.
ExpressVPN's privacy policy discloses that it also collects device IDs to track where users learned about and signed up for its mobile app. ClearVPN also says in its privacy policy that it collects device IDs.
Julia Petryk, a spokesperson for MacPaw, ClearVPN's parent company, said the company was transparent with its tracking through a disclosure on its website and a mandatory review of its privacy policy through the app.
"As you have noted, users' device IDs might be used with their consent, which is exclusively non-personal data," Petryk said.
While the company's privacy policy notes that a device ID is collected with user permission, it's mandatory to give permission if you want to use the VPN.
And while technically "non-personal data," a device ID, for example, can be matched with granular details that can be used to identify an individual and, in some cases, even reconstruct a person's movements and behaviors.
"One of the biggest points where you lose some control is when a device ID gets linked to a real identity," Paul-Olivier Dehaye, a board member at PersonalData.io, a nonprofit focused on making data rights actionable, said. "It's the entry key to a whole ecosystem of tracking."
Take a recent example that attracted a lot of media attention: A Catholic priest, using the hookup app Grindr, was tracked and outed as gay by The Pillar, a Catholic publication.
The outlet said it obtained commercially available location data that was anonymized but contained his phone's device ID. Even though the priest's name wasn't on any of the data, his device ID was linked to him because it was in locations where he worked and lived.
Ultimately, it's important to note that VPN privacy policies are built on trust, as these companies have the capability to collect a ton of information and it's not always obvious what they're doing with it.
In 2017, the Center for Democracy and Technology (CDT) filed a complaint with the Federal Trade Commission about Hotspot Shield Free VPN, accusing the service of deceptive practices by advertising complete privacy yet sharing data, including device identifiers, with third-party advertising networks, redirecting traffic, and employing insecure data security practices.
"The FTC reached out for additional information from us after the CDT complaint, and we provided such information. The FTC did not take any action," Howard Clabo, chief communications officer for Hotspot Shield Free VPN's parent company, Aura, said in an email.
While collecting data for marketing purposes is a common industry practice, VPNs risk hurting their reputation through this tactic, Mallory Knodel, the CDT's chief technology officer, said.
"We need a healthy ecosystem of trustworthy VPNs, and one way to demonstrate trustworthiness is by not tracking data that's unnecessary," Knodel said.
How Do VPN Websites Track People?
The internet is littered with digital trackers. A previous Markup investigation using the Blacklight scanning tool found 87 percent of the 80,000 most popular websites contained third-party cookies or tracking network requests.
Websites routinely use such trackers to see who's visiting their sites, gain insight into the demographics of their customer base, and then target advertising appropriately.
And while VPNs may peddle privacy products, that doesn't mean they don't use these data-collecting techniques.
We found trackers on VPN websites and apps belonging to marketing companies like AppsFlyer as well as Facebook and Google.
The websites of NordVPN, ClearVPN, and VPNBook had more than the average of seven ad trackers and three third-party trackers that we found in our earlier investigation. VPNBook had nine ad trackers and 17 third-party trackers on its website.
"This free VPN service is supported by advertisement on our website and generous donations made by our supporters," the company says in the FAQ on its site. VPNBook didn't respond to requests for comment.
NordVPN's website uses trackers to combine browser and unique user IDs for targeted advertising. NordVPN's website also uses cookies to identify LinkedIn users for marketing on that platform.
StrongVPN, IPVanish, ExpressVPN, and ClearVPN have Facebook pixels that tell the advertising giant if you've visited their websites.
Usman Choudhary, a chief product officer for the VIPRE Group, which operates both IPVanish and StrongVPN, said VIPRE uses trackers on its website to "understand more about visitors to our sites and to serve advertisements to encourage their return," but noted that the data is anonymous.
Only four VPN websites had no trackers of any kind, and only three of those VPN apps didn't track their users in any way. The Markup's analysis found that the VPNs Mullvad, IVPN, Windscribe, and ProtonVPN had no trackers on their websites. Other than ProtonVPN, whose app uses customers' email addresses for advertising, their apps don't collect any data for marketing, either.
ProtonVPN spokesperson Matt Fossen reached out after this story published to say that the company only uses emails to send newsletters and service updates.
"There are people who make a lot of effort to avoid using Facebook and Google services. It's completely opposite to their expectation if the moment they show up to a website to buy a tool, they're already tracked and that information is revealed to those companies," PersonalData.io's Dehaye said. "It's the exact opposite of what they are going to a VPN for."
How Does All This Data Get Used?
We don't exactly know—the anatomy of the data-fueled online advertising system is complex and not exactly transparent. Does a VPN user's phone's gyro-sensor data somehow translate into money in some obscure corner of the data-verse?
But some tracking, at least, is a little more straightforward: Companies commonly use information they collect on their users and site visitors for marketing purposes. And our Citizen Browser data gave us a tiny window into how one VPN company—ExpressVPN—scooped up data on its app users and website visitors and then used that data to target them with Facebook ads.
Our Citizen Browser project is a nationwide panel of Facebook users who share their news feed data with us. That data includes the ads that appear on their timelines, along with information Facebook provides them with on why they were targeted for the ads. (For any Facebook user, that information appears if you click "Why am I seeing this ad?" in the dropdown menu on the upper right side of an ad.)
Our panelist data turned up multiple ads purchased by ExpressVPN, and the targeting information on the ads showed that ExpressVPN used Facebook's "custom audience" feature to target some of its ads. Custom audiences are specific lists of people the advertiser has identified whom it wants to reach with its ads.
A Citizen Browser panelist saw an ExpressVPN ad for a 49 percent discount on May 20. The ad, our data shows, targeted a custom audience of people who had used the VPN's app in the past. Five panelists also saw ads from ExpressVPN in April that were targeted to people who had visited the VPN's website.
The advertising tactics conflict with ExpressVPN's own blog, which called targeted ads on Facebook "creepy" and "invasive" in a post last updated on May 31—just 11 days after our panelist saw its ad targeted to app users.
"ExpressVPN uses third-party tools to show advertisements on third-party websites to potential new customers who have visited our website," Harold Li, a vice president for the company, said in an email.
Other companies have forgone such advertising tactics.
IVPN's chief marketing officer, Viktor Vecsei, said the company stopped using third-party trackers for advertising on Facebook and Google in 2019 because of privacy concerns. He noted that it had hurt his company's growth but was worth the privacy protections.
"Keeping these boundaries [means] we will never be a market leading VPN provider and promoting our service is an uphill battle," Vecsei said. "Even so, we cannot consider financing the corporate surveillance reality and brush it off as a necessary trade-off."
As for Morse, the YouTube content creator, she said she was surprised at the extent of VPNs' tracking of users.
"I'm upset about it because I do expect privacy from a virtual private network. I mean that's the reason we're using it," Morse said. "You expect to have that privacy as a part of their promise to you."
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.