Virtual private networks are designed to preserve your anonymity on the internet. But VPNs can suffer from data breaches too, just like any service—as a recent report reminded us all. They also can be run by just about anyone, so it’s wise to scrutinize your options before signing up.
That’s especially true when picking a free VPN. Free services aren’t automatically bad, but internet connections, electricity, and servers cost money. To afford those, free VPNs may show you ads, sell your data, or use you as part of their network to route data for paid users.
(Need a quick rundown on what you most need to know about VPNs? Check out our list of the top 5 things to keep in mind.)
Good paid services won’t push these practices on you, but if you can’t afford one, here’s what you should look into to ensure your privacy. Generally, you want the VPN keep and share as little information about you as possible.
This same criteria for evaluating a free VPN also applies to paid ones—especially those priced at extremely low rates for a lifetime subscription.
Who runs the VPN?
Anyone can run a virtual private network—it’s not hard. Accordingly, you should always investigate who operates the VPN. You could be passing your traffic through a trusted, privacy-minded company offering limited free service to reel in new customers…or all your internet activity could be going through a single person who wants to monetize your habits at best and exploit the data at worst.
Look up who runs the service, how the company is structured, and where they’re located. Where the VPN operates influences how much its local government and also your local government can dig into the data. Some countries have an agreement to share intelligence data with one another. For example, the U.S. is part of multiple alliances.
What data does the VPN collect?
The top VPN services retain virtually nothing: no email address, no IP addresses, no logs of places visited on the internet, and for paid VPNs, no traceable payments. Finding a free VPN that offers such high privacy is rare—the overwhelming majority keep data on users.
What does the VPN do with your data?
As you research what data a VPN provider keeps, also note who that data will be shared with. Be wary of any service that only outlines its policy in vague terms or doesn’t disclose this information.
Often you’ll find that free VPNs (and even some paid VPNs) make money by aggregating your data with other users and selling it. It’s also common for VPNs to reserve the right to share your data with government agencies conducting criminal investigations. If you have good cause to worry about government surveillance, you should look into a paid service that offers iron-clad privacy across the board.
How does the VPN make money?
If you’re not paying for a VPN with money, you’re likely paying in some other way—usually through suffering through ads, which can also be a security risk, or by providing data that can be sold to interested parties.
Services run by individuals or smaller outfits will more often lean on these tactics to keep the lights on, but even some larger companies will aggregate your data with other users’ to sell.
To avoid the risk that your individual information is being sold, be especially careful before downloading an app for a free VPN. Vet those thoroughly. A large number of downloads doesn’t guarantee that a particular VPN is on the up and up.
How does the VPN secure your data?
Know the answer to this question for both data in transit—that is, when you’re actively using the service—and any data retained about you and your usage habits.
For data in transit, the protocols that the VPN supports indicate the general level of encryption strength, as they define how your connection first begins (the “handshake”), how the connection generates the piece of auxiliary data (the “key”) used to encrypt and decrypt data during the session (aka the key exchange), how long those keys persist, and the method used to protect the established connection.
The ones most highly regarded by experts include OpenVPN, IKEv2/IPSec, and Wireguard, and they’re widely used among VPN providers, though with variations in configuration. One company might stick closer to industry defaults to boast faster speeds, while another might dial up the key lengths/sizes used for encryption to go all out on security. A very fast-and-dirty screening tip is to skip any VPN that doesn’t use a 2048-bit RSA key and 128-bit AES encryption at minimum.
As for data collection, delve into how the company stores all the information, who has access to it, and who it shares that information with. You want the answers to these questions: Is the data encrypted, and if so, how? What types of employees have access to user databases and logs? What third parties would it ever be shared with?
Best free VPNs to start with
Make life easier on yourself by first looking at well-known, well-regarded paid VPN services that offer a free plan, such as ProtonVPN, Windscribe, or HotSpot Shield. You can also try out limited VPNs, like the one built into Opera’s desktop browser and full-fat Android mobile browser—it keeps any web browsing done within Opera private. (Anything done in a different program or app, including your operating system, will not be kept private.)
If you find that a free VPN doesn’t offer enough features or monetizes its service in a way that makes you uncomfortable, you’ll need to instead look into a paid VPN. (You can check out our top recommendations to make your hunt faster.) You’ll still have to ask all these same questions, but the answers should be less difficult to find and more in line with industry best practices.
Alaina Yee is PCWorld's resident bargain hunter—when she's not covering PC building, computer components, mini-PCs, and more, she's scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.