VPNs are known for their ability to enhance privacy and data security. However, it is all based on trust. Why? Because your data goes through the VPN network and is thus at the mercy of the provider. Your vendor can see and know everything about you. Thus, it is possible to facilitate theft or other malicious activity. Although most VPNs don’t misuse the trust placed on them by the user, there are a few black sheep in the market that manipulate data for their profit.
On one hand, VPNs are crucial to your privacy, but on the other, a hasty decision can spell your downfall. Thus, we always implore our readers to be determined and cautious while employing a VPN. Don’t only go for the big names, but also heed the necessary features required to guarantee safety. All this is to ensure that a VPN can’t steal your data. However, it is capable of theft, and it does so due to numerous reasons.
Disclaimer — The writing is a subjective representation of the thoughts of the writer and doesn’t condone the illegal use of VPNs. Not all VPNs steal data, and the write-up only reflects a minute possibility of such a scenario. Thus, we advise user discretion and not blind faith.
What kind of data can a VPN steal?
A VPN can steal a ton of information from the user. But before that, let us explain how it is possible. First, users need to understand that the whole VPN network falls under the control of the respective vendor. It can easily monitor what goes on the network. That’s because the clients and servers come together to form the network that facilitates encryption within its boundaries. It means that any data that undergoes encryption is subject to the purview of the VPN client and, by proxy, the vendor. As the client encrypts the data, the VPN servers decrypt it, creating one full circle. Hence, any dishonest VPN provider can do you more harm than worth.
Therefore, the following data is subject to monitoring and subsequent theft, such as:
- Your PII (Personal Identifiable Information)
- Your name
- Address
- Live location
- GPS positioning
- IP address
- Phone numbers
- Email address
- Sensitive information
- Banking/financial credentials
- Your passwords
- Debit/credit card details
- Other information
- Device make and model
- Operating system
- Your uptime and downtime
- Volume of traffic
How does a VPN steal your data?
A VPN is a technical product that has evolved. Regardless of vendors, the latest VPNs are one of the most secure cybersecurity tools available on the market. Hence, they have to employ numerous tricks to steal any worthwhile data. Although every VPN can see what goes on its network, many reputed and trustworthy vendors opt out of logging any minuscule of data to ensure prolonged user trust. However, at the same time, some providers don’t worry about the long-term growth and use underhanded techniques and unfair logging police to record and log user data.
Such vendors are often those who come up with dubious free VPNs. We have already discussed the numerous risks associated with free VPNs and how they fare against paid ones. Free VPNs are mostly traps that rely on absurd monitory policies to gain market traction. Such profit models include data mining and selling, infesting adware to enhance targeted ads, and unfair logging practices. Given below is a list of all the possible techniques a VPN relies on to steal data.
By using non-secure HTTP instead of HTTPS websites
HTTP is the older version of the now-standard HTTPS protocol. The sole difference between the two is the mode of interexchange of resources. While the latest one ensures encrypted transmission, the older version swapped plain text messages between browsers and web servers. Today there are still websites that rely on this older protocol to function, and that’s why a VPN can steal passwords.
Normally, it is hard for a VPN to steal passwords because most websites ensure their security with HTTPS. But if you visit a website with HTTP and enter a password, it is prone to risk. Unlike other information visible to a VPN, passwords for websites are more tricky to steal as long as users choose the correct web protocols to follow.
By forging and self-signing certificates
The HTTPS websites get secured with SSL (Secure Socket Layer) certificates. And a VPN adds another layer of protection over HTTPS encryption. However, a rogue VPN can fool the website by bypassing the encryption. How? By installing a fake self-signed certificate. If a VPN installs a fake certificate on your device, it can then bypass HTTPS security and pry into what you do on the web in more detail.
Nominally, a VPN can only log what sites you visit in a given session because the actual detail is safe behind the HTTPS connection. But with fake certificates and self-signing, a VPN can bypass most security measures and venture into your acute online workings.
Using browser VPN plugins
Browser VPNs or VPN extensions can help a lot, but malicious ones can route the traffic to fake websites. A browser VPN transfers all browser data to a VPN tunnel. But if the browser plugin is malicious or compromised, hackers can effortlessly reroute the traffic to a fake lookalike. Hence, whatever you do on the fake site would get recorded. It can incur a heavy loss to users.
Using Fake DNS servers
A DNS server is crucial to the web. The internet only identifies the IP address as the mode of connection. However, users can’t remember the correct IP for all the websites. It’s just inconvenient. Hence, a DNS server changes the web address to an IP address and vice versa. For example, 192.0.2.44 is the corresponding address for amazon.com. Then the user wouldn’t have to memorize the IP but only enter amazon.com to reach the intended website.
But malicious VPNs can use a fake DNS server to misguide the browser. The user may enter amazon.com, but the DNS would match it with some other website which may look similar to the original one but with traps. Hence, once the user enters any personal or sensitive information, it could get stolen. It is one aspect of a phishing scam.
By using data logging
VPNs that log data can sell it to interested third parties. Such logs contain PII and other sensitive information of the user, which others can manipulate. Cybercriminals can use the data to commit a crime and frame it on others, while giant corporates can use it to generate targeted ads. Even a government can use mined data to manipulate the political scenario. Hence, it is imperative to opt for a VPN without a logging policy. If the VPN doesn’t log anything, it won’t be able to use it. Thus, a VPN steals what it sees, but it can also store it by logging in.
Is there a way to stop a VPN from stealing your data?
There are methods to defend against such malicious use of your information, which are:
- Use a reputed VPN vendor
- Ensure your VPN has the best security protocol and encryption
- Double-check the logging policy of your provider
- Ensure that your VPN comes from a privacy-friendly place
- Always use secure FTP and HTTPS connections