SAN FRANCISCO — As Congress weighs an unprecedented ban of the wildly popular Chinese-owned TikTok over supposed security concerns, millions of Americans are downloading Chinese-designed apps to their phones that pose greater privacy risks with no outcry from lawmakers or regulators.
But experts have warned for years that everything the VPNs hide, they can see themselves. That means users who are working not to reveal who and where they are as well as what they are doing online are surrendering that very information to the VPNs. Some VPNs have the capability to see even more, including encrypted email content and banking information, because they have been placed in a highly trusted position on user devices.
Some of the most popular VPNs have misled consumers about their practices while disguising their origins, ownership and locations, including apps based in China or controlled by Chinese nationals, according to corporate records reviewed by The Washington Post as well as interviews and researchers.
“You have a bunch of lazy people calling themselves VPNs who are making money from your data, just like Google,” said Dennis Batchelder, whose company, AppEsteem, evaluates app safety for antivirus companies. “I would have reservations about VPNs based in any country that can tell your company they want to grab your data.”
Under Chinese law, tech companies can be compelled to turn over everything they have to government authorities that prize domestic and international surveillance — one of the main alarms congressional critics raise about TikTok.
Concerned about the potential prosecution of women seeking abortions through shoddy VPNs, two Democrats, Sen. Ron Wyden of Oregon and Rep. Anna G. Eshoo of California, last year asked the Federal Trade Commission to take action “particularly on those that engage in deceptive advertising and data collection practices.” They wrote to the FTC chair that the industry “is extremely opaque, and many VPN providers exploit, mislead, and take advantage of unwitting consumers.”
But other members of Congress generally have been silent about the risks posed by VPNs, even from Chinese providers, while championing restrictions and outright bans on TikTok, which has far less access to what users do online.
That may be in part because TikTok is an extremely visible target and a single brand, while scores of VPNs crowd into the app stores and change names, addresses and owners from year to year.
“We just tend not to focus on things until they become big,” said former Google government relations executive Adam Kovacevich, now head of trade group Chamber of Progress, adding that the TikTok fight could launch a broader debate on Chinese technology.
VPNs would, however, be covered under a broader bipartisan bill introduced by Sens. Mark R. Warner (D-Va.) and John Thune (R-S.D.) and endorsed by the White House that would require the Commerce Department to evaluate foreign tech and recommend bans to the president. “Congress needs to ditch the existing whack-a-mole strategy with technology from adversarial nations and create a more systematic process to examine national security risks and act on them,” Thune, a Republican, told The Post.
Warner said Chinese VPNs were the sort of apps that cry out for a systemic review like that proposed in the bill, which would allow the Commerce Department to examine apps on national security grounds.
“This is exactly why Congress needs to pass the Restrict Act,” Warner told The Post. “The secretary of commerce should be able to review and impose mitigation measures as needed to protect Americans from these apps, but she currently lacks the ability to do so under current law.”
TikTok has powerful, big-spending American companies as rivals, including Meta’s Facebook and Google’s YouTube. No big U.S. companies have consumer VPNs as a major line of business.
On the contrary, Apple and Google profit from VPN apps by taking a cut of the sale price on their app stores and by selling them ads.
Turbo VPN, for example, is among the first results that show up when searching the Google Play app store for “VPN.” It has been downloaded more than 100 million times.
The parent company of Turbo VPN, Innovative Connecting, has a Singapore headquarters and a Cayman Islands registration. It has had multiple Chinese nationals as directors in the past few years, records show. As with many of the apps, there is no way to prove who or where the real owners are.
The computer version of Turbo VPN was among several services that AppEsteem found last year to be installing root certificates, which allowed them to tell the computer to trust any application that it authorized. It could have vouched for a fake email or chat program to extract content from the real ones, but there is no evidence it ever did so. Turbo did not respond to an email seeking comment.
Two more of Google’s first six listed VPNs are owned by an entity called Signal Lab. While many might associate that with the privacy-protecting Signal app for communication, there is no connection.
Signal Lab has a website that gives no sign of what company is behind it. It lists an address near Los Angeles that is used by hundreds of entities. The only way to reach Signal Lab is through a Gmail address, where a Post query has remained unanswered for weeks. Employees told longtime researcher Simon Migliano, who writes for Top10VPN.com, that it really operated from Hong Kong.
Apple’s App Store presents similar issues. Of the first 10 results for “VPN” in a recent search, one was based in Hong Kong, and three more were owned by Boston-based Aura, now parent of a VPN called Hotspot Shield.
Hotspot Shield drew a complaint to the FTC in 2017 from the Center for Democracy & Technology, which said that while Hotspot claimed in ads that it kept no records of users’ true internet protocol addresses, it gave those addresses to commercial partners.
Another of Apple’s top 10 results, VPN – Super Unlimited Proxy, is connected to a company with a Chinese history. Apple records say the app is owned by Mobile Jump of Singapore, which once boasted a headquarters in Dongsheng Science and Technology Park in Beijing.
Singapore records show that Mobile Jump is owned by Free VPN, which is owned by VPN Super, which has the same Redwood City, Calif., address as a U.S. company named Super Unlimited. The address belongs to a law firm that a partner said offers mail drop services for hundreds of companies.
Super Unlimited’s president is Tanuj Chatterjee, who used to be a top executive at Aura, the owner of Hotspot Shield. Chatterjee posted on LinkedIn six months ago that what he described as one of his apps, VPN – Super Unlimited Proxy, had become the top free app in Apple’s store, ahead of TikTok and Instagram.
Chatterjee confirmed that Super Unlimited owned the big VPNs and said that when it acquired them, they “had no legal connection to China at that time.”
“Neither we nor any of our subsidiaries have any connection with China whatsoever; no shareholders, operations, code, servers, data, or team members are in China or affiliated with China,” he said by email.
Consumer advocates say Apple and Google should be keeping out the more questionable VPNs, especially those that violate the big companies’ policies against obscuring ownership or misleading users on privacy, or at least provide warnings to users.
“It should be that the app stores want people to come and not find things that are super suspicious. There should be a market incentive to do that,” said Mallory Knodel, chief technology officer of the Center for Democracy & Technology. “I’m a little confused why they don’t do more.”
Apple declined to discuss any of the apps mentioned in this story. In an emailed statement, it said that “VPN apps are powerful tools that can be used to track user internet traffic, so we have strict guidelines for what developers of VPN apps must do in order to be on the App Store.”
Google also declined to discuss specifics. “Google Play has policies in place to keep users safe that all developers, including VPN apps, must adhere to,” said spokesperson Ed Fernandez. “We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action.”
Both companies have argued that their grip on the app market should not be loosened to address antitrust concerns, another subject of congressional debate, because they are protecting consumers through their product approval process.
But app makers, regulators and legislators have pointed to failings in the vetting process, which have not flagged imitators and scams in multiple categories. Evidence in an antitrust suit by Epic Games showed that even Apple employees decried the weakness of its defenses, which a lead engineer described as “bringing a plastic butter knife to a gunfight.”
Malware from China and U.S. government contractors has sneaked into seemingly benign apps for years. In 2021, The Post reported that nearly 2 percent of the biggest moneymakers on Apple’s store were scams.
The VPN business is bigger than most categories of apps, with paid versions often charting among the highest revenue among productivity apps.
“It’s disgraceful the lack of due diligence that they do in this area,” Migliano said of Apple and Google. He said he first raised the issue with Apple in 2019.
The big app stores have a critical role with VPNs, both Migliano and Knodel said, because of the difficulty getting objective information: Many review sites are completely or partly owned by VPN providers, including Migliano’s.
Migliano found more than 200 million installations of VPNs with Chinese ties, many of which were hidden as the brands became more popular. Some abandoned Chinese headquarters from one iteration to the next, while others replaced executives.
Free VPNs are most likely to run afoul of best privacy practices, experts said, because they have an extra financial incentive to capture information about users in order to sell relevant ads.
Consumer Reports did a deep dive two years ago into whether popular brands had privacy audits that users could read, leaked their IP addresses or exaggerated the security they could provide.
The nonprofit magazine also noted that some VPNs that had claimed to keep no logs managed to produce them when confronted with legal papers, and it raised questions about some owners and executives.
Among those it highlighted was ExpressVPN, one of the most popular for browsing Chinese websites. That is now owned by Kape Technologies, which grew out of a company known for spreading malicious software and which has employed as executives both the convicted CEO of collapsed crypto exchange Mt. Gox and Daniel Gericke, a former U.S. intelligence operative who admitted hacking U.S. networks while working for the United Arab Emirates.