The United Kingdom’s Online Safety Act took effect on July 25th. Among other provisions, the new law makes websites responsible for protecting UK children from content deemed harmful, like pornography or the promotion of eating disorders. This has resulted in many of the most-used websites, including Pornhub, X and Reddit, either putting up or planning to put up age verification barriers to restrict access by minors.
Age-restricting laws put broadly popular websites in a difficult position. Sites like Reddit that rely on user-generated content have no good way of making sure nobody under 18 ever sees restricted material anywhere on the platform, so it’s usually simpler to just ban minors altogether. But this creates a knock-on problem: underage users relying on unvetted free virtual private networks (VPNs) to get back on their favorite platforms.
UK residents are using VPNs to change their apparent locations to other countries and circumvent the Online Safety Act. In the few days since the law went into force, five of the 10 most-downloaded free apps in the UK have been VPNs. We like two of the five, Proton VPN and NordVPN, but NordVPN does not have a free plan — just a seven-day free trial, after which you have to pay. The other three are unvetted, untested and suspiciously generic (VPN Super Unlimited Proxy, FreeVPN.org and Unlimited VPN Proxy).
When you use a VPN, all your web traffic goes through one of the VPN’s servers before moving on to its ultimate destination. Every time you connect, you’re trusting the VPN not to abuse its access to your information, and some VPNs unfortunately abuse that trust. A free VPN is generally safe if it’s supported by paid subscriptions, like Proton is. If there is no paid tier, or the free tier comes with no restrictions, you have to ask yourself where the money is coming from.
The saying that “if the product is free, then the real product is you” holds true here. For example, Hola VPN admits in its terms of service that its sister company Bright Data can sell free users’ residential IPs as proxy servers, and Hotspot Shield was the subject of an FTC complaint in 2017 that charged it with providing personally identifiable information to advertisers. And one of the services on the UK’s top 10 list, FreeVPN.org, has no address on its website and a frighteningly sparse privacy policy.
Malware is the other significant risk. A 2016 study analyzed 283 Android apps with VPN capability, and found malware in 38% of them. Nor has the threat diminished in the 10 years since — just this year, threat analysts at CYFIRMA reported on a free VPN shared on GitHub being used as a malware vector.
In the end, a fully free VPN has no real reason to protect you or your rights, and every incentive to milk you for profit. Whatever you choose to do with a VPN, make sure you’re picking one that will keep you safe without exploiting you. Green flags include a clear pricing structure, audits from independent firms in the last three years, a specific physical location on the VPN’s website and a thorough privacy policy. Some trustworthy free VPNs include the aforementioned Proton VPN, plus hide.me, TunnelBear and Windscribe.
This story originally appeared on Engadget