Who Owns, Operates, and Develops Your VPN Matters: Transparency vs. Anonymity in the VPN Ecosystem

Published: September 2, 2025
Research by: ICFP Fellow Benjamin Mixon-Baca, Dr. Jeffrey Knockel (Bowdoin College), Dr. Jedidiah R. Crandell (Arizona State University)
Hosted by: Open Technology Fund (OTF) Information Controls Fellowship Program (ICFP)

---

Overview

New research finds that eight popular commercial VPN apps, collectively serving over 700 million users, have serious transparency, privacy, and security issues. Several of these apps are linked to China's People's Liberation Army (PLA), and evidence suggests they are all ultimately owned by a Chinese national.

VPNs are critical for bypassing censorship, protecting privacy, and securing public WiFi connections globally. However, the research reveals worrying deceptive practices and technical vulnerabilities in many widely used VPN providers.

---

Key Findings

Ownership and Transparency Issues

- Two clusters of VPN providers with more than 700 million cumulative downloads obscure their ownership and operational ties.
- The first cluster (Innovating Connecting Limited, Autumn Breeze PTE. Limited, Lemon Clove PTE. Limited) links to the Chinese cybersecurity firm Qihoo 360 and the PLA.
- The second cluster (Matrix Mobile PTE. LTD., ForeRaya Technologies PTE LTD, Wildlook Tech Pte Ltd., Hong Kong Silence Technology, Yolo Technology Limited) exhibits similar operational characteristics and code sharing but lacks confirmed links to Qihoo 360.
- Many VPN apps falsely claim to originate from privacy-friendly countries like Singapore while actually being linked to China.

Security Vulnerabilities

- Use of the Shadowsocks tunneling protocol, which was designed for bypassing internet censorship rather than for confidentiality, undermines user security.
- Hard-coded passwords embedded in app source code allow attackers to easily decrypt users' encrypted traffic.
- The apps are susceptible to client-side, and potentially server-side, interception and modification of traffic (blind in/on-path attacks).
- User location information is extracted despite privacy policy claims to the contrary.

Risks of Free vs. Paid VPNs

- Free commercial VPN apps (e.g., TurboVPN, VPN Proxy Master, Snap VPN) pose higher security risks.
- Free VPNs often monetize user data and employ ethically questionable practices.
- Paid VPNs generally offer better security and transparency.

---

Importance of Transparency vs. Anonymity

- VPN users transfer trust from their ISP to the VPN provider; transparency allows users to know who may access their data.
- Transparent providers are more vulnerable to censorship, legal orders, or cyber threats.
- Anonymous (opaque) VPN providers might better evade external targeting, but users cannot verify who controls the service, which increases surveillance risk.
- Information about ownership and operational practices is often hidden, putting users, particularly those in authoritarian contexts, at severe risk.

---

Project Goals

- Assess the transparency and anonymity of 32 popular VPN apps on the Google Play Store with over 1 billion downloads.
- Assign a "transparency vs. anonymity" score to help users make informed choices.
- Encourage app stores to label VPN apps clearly by their transparency standards.
- Examine links between transparency and security vulnerabilities.

---

Recommendations and Resources

- Users should carefully consider VPN transparency and ownership before trusting VPN apps, especially free commercial providers.
- More institutional and app store oversight is needed on VPN app ownership disclosures.
- Prefer VPN providers with transparent operations to understand potential data risks.

Full Report: VPN Transparency Report (PDF)
Technical Report: [Linking Suspicious and Insecure Apps in the VPN Ecosystem