Editorial note: this guide is non-commercial. We do not link to affiliate partners from inside this page. Read our editorial policy

Free VPN Risks: What You Trade When You Don't Pay

A research-based breakdown of the real cost of free VPNs, the small set of tools that are actually safe, and a checklist for auditing any provider before you install it.

The honest version: free VPNs have a business model

Running a VPN service costs real money. Servers, bandwidth, engineers, legal review, abuse handling, and independent audits are not free. If you are not paying, someone or something has to cover that cost. Free VPN apps solve that equation in one of four ways, and three of them are bad for you.

The four revenue models we have documented across free VPN apps on the Google Play Store, the Apple App Store, and the Chrome and Edge extension stores:

  • Freemium funnel — a paid VPN company offers a limited free tier as a marketing channel for their paid service. Revenue comes from paid upgrades. Example: Proton VPN Free, Windscribe Free, Hide.me Free.
  • Ads and trackers — the app shows ads, or embeds third-party tracking SDKs that sell your browsing metadata to ad networks. Your “private” VPN then sits next to an advertising pipeline that knows exactly what sites you visited.
  • Data resale — the app collects identifiable traffic metadata (destination domains, DNS queries, app usage, sometimes payload metadata) and sells aggregated or de-anonymised data to data brokers.
  • Bandwidth resale — the app turns your device into a residential proxy exit node. Paying customers on a sister product route their traffic through your phone or laptop. You get a free VPN; they get a residential IP that you are legally and reputationally exposed to.

The first model is fine. The other three are how “free” becomes expensive.

What the research actually found

We are not the first to look at this. A few studies are still the reference points for anyone serious about evaluating free VPNs.

  • CSIRO, 2017 — “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps.” The research team studied 283 Android VPN apps. Findings that stuck: 38% contained malware or malvertising code, 18% did not actually encrypt the tunnel, and 16% manipulated HTTP traffic in transit. Four out of five apps requested sensitive permissions unrelated to VPN functionality.
  • Top10VPN Free VPN Risk Index, 2020 and updates — independent reviewers ran static and dynamic analysis against the most-downloaded free VPN apps. Patterns found: undisclosed Chinese ownership, DNS leaks, tracker SDKs from ad networks, and intrusive permissions like contacts and device identifiers.
  • Multiple supply-chain incidents — several free VPN apps have been removed from app stores after being linked to residential proxy networks (Luminati/Bright Data-style models), where the “free” user became a paid exit node for someone else's traffic.

The pattern across this research is consistent. The median free VPN app is not a privacy tool. It is a lightly disguised advertising, tracking, or proxy product with a VPN feature attached.

Ten documented risks, ranked by how common they are

Not every free VPN does every one of these. But these are the issues we look for every time we evaluate one.

  1. Third-party tracking libraries embedded in the client. Your VPN client should not be running Facebook, Mixpanel, Adjust, or AppsFlyer trackers. Many free apps do.
  2. DNS leaks outside the VPN tunnel. Even with an encrypted tunnel, DNS queries can be sent to the default ISP resolver, letting your ISP log every domain you visit.
  3. WebRTC leaks in browser extensions. Browser-extension VPNs often leak the real IP via WebRTC unless explicitly blocked.
  4. Aggressive permission requests. A VPN app does not need your contacts, your SMS, your call log, or your precise location.
  5. HTTP traffic modification. A minority of free apps inject ads or replace affiliate IDs in HTTP responses. HTTPS has blunted this, but not eliminated it.
  6. Bandwidth resale. A handful of apps explicitly sign users up as residential proxy nodes in the terms of service. Most users never read that clause.
  7. Opaque ownership. An app operated by a holding company with unclear jurisdiction and no listed staff is a red flag. Real VPNs publish their team and registration.
  8. No independent audit. Claims of “military-grade encryption” and “no logs” mean little without a third-party auditor confirming them.
  9. Stale or forked open-source clients. Some free VPN apps use forks of OpenVPN or WireGuard that have not been patched in years, leaving known CVEs unaddressed.
  10. Forced auto-update with broad permissions. If a free app can push updates that silently change its behaviour after install, today's benign app is tomorrow's monetised one.

Free tiers we consider acceptable

This is a short list on purpose. These are free tiers run by established paid providers, with at least one independent audit, a readable privacy policy, and no ad or tracker SDKs in the client.

Free tier       | Data cap    | Locations               | Ads in client | Independent audit
Proton VPN Free | Unlimited   | Rotating free locations | No            | Securitum, published
Windscribe Free | 10 GB/month | 14 locations            | No            | Partial audit, infrastructure transparency reports
Hide.me Free    | 10 GB/month | 8 locations             | No            | DefenseCode audit published
TunnelBear Free | 2 GB/month  | Global                  | No            | Annual Cure53 audits published since 2017

That is the list we would use ourselves. Everything else we treat as “assume hostile until proven otherwise.”

This is not a ranking and it is not an affiliate list. Picking a free tier is a privacy decision, and the only thing that matters is whether the provider's behaviour matches its claims.

When a free VPN is actually OK

Free VPNs are not universally a bad idea. They are a bad idea for the wrong job. They are fine for:

  • Light, short-term public WiFi use on a trusted free tier — airports, cafes, hotels — where you just want an encrypted tunnel for an hour of email and browsing.
  • Trying out a provider before paying. Many paid VPNs offer a real free tier as a trial. This is the best way to evaluate speed, server quality, and client behaviour before buying.
  • Region-testing sites that you visit rarely — checking whether a page renders differently in another country, for instance.

They are a bad idea for:

  • Always-on personal privacy on your primary device.
  • Anything in a higher-risk threat model (journalists, activists, dissidents, people under surveillance).
  • Torrenting, since most free tiers forbid it in their terms and actively monitor for it.
  • Bypassing censorship in authoritarian jurisdictions, where free apps are more likely to be compromised or blocked.

How to audit any free VPN before you install it

If you are going to try a free VPN we have not evaluated, run this checklist first. It takes ten minutes and catches most bad actors.

  • ☐ Find the legal entity behind the app. Cross-check it against the privacy policy, the website, and the app store listing. All three should match.
  • ☐ Search the company name plus “residential proxy” and “data broker.” If the same parent company runs a proxy marketplace, assume your bandwidth is for sale.
  • ☐ Read the privacy policy for the exact phrases “shared bandwidth,” “peer-to-peer network,” “SDK partners,” and “analytics providers.” These are where the concerning clauses hide.
  • ☐ Check the app's Android manifest or iOS entitlements (via tools like Exodus Privacy for Android) to see which tracking SDKs ship with the client.
  • ☐ Look for a third-party audit. Not a logo on a marketing page. A linked, dated, named audit report from a known firm (Cure53, Securitum, KPMG, Deloitte, Leviathan, Assured).
  • ☐ Check jurisdiction. A provider incorporated somewhere with mandatory data retention laws is a weaker privacy promise than one in Switzerland, Panama, or the British Virgin Islands.
  • ☐ Install on a test device, not your primary one. Run a DNS leak test (dnsleaktest.com), a WebRTC leak test, and an IPv6 leak test after connecting.
  • ☐ Watch the client on a secondary monitor for a day. Does it inject ads, notifications, or unexpected upgrade prompts? Does it spawn unrelated processes? Does network use spike when you are idle?
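
The manifest and tracker-SDK steps of this checklist, scripted for offline triage as an added example (my code, not the guide's and not any audit tool's). The baseline permission set, the SDK package prefixes, and the sample manifest and class list are my own assumptions; Exodus Privacy maintains the authoritative tracker signatures.

```python
# Added example, not from the article: offline triage of an Android VPN client,
# covering the "tracker SDKs in the client" and "permissions a VPN does not need"
# checks. The manifest, class list and SDK prefixes below are my own assumptions.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Baseline permissions a VPN client plausibly needs (assumed, not an official list).
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE", "android.permission.POST_NOTIFICATIONS",
}

# Java package prefixes for the tracker SDKs the article names (assumed prefixes).
TRACKER_PREFIXES = {
    "com.facebook.appevents": "Facebook App Events",
    "com.mixpanel.android": "Mixpanel",
    "com.adjust.sdk": "Adjust",
    "com.appsflyer": "AppsFlyer",
}

def unexpected_permissions(manifest_xml):
    """Declared <uses-permission> names that fall outside the VPN baseline."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission"))
    return sorted(n for n in names if n and n not in EXPECTED_PERMISSIONS)

def trackers_in_classes(class_names):
    """Map dex class names (as listed by apkanalyzer or dexdump) to tracker SDKs."""
    found = {sdk for cls in class_names
             for prefix, sdk in TRACKER_PREFIXES.items() if cls.startswith(prefix + ".")}
    return sorted(found)

# Constructed sample input: shaped like a real app, but invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SAMPLE_CLASSES = ["com.example.freevpn.MainActivity", "com.appsflyer.AppsFlyerLib",
                  "com.mixpanel.android.mpmetrics.MixpanelAPI"]

if __name__ == "__main__":
    print("Unexpected permissions:", unexpected_permissions(SAMPLE_MANIFEST))
    print("Tracker SDKs found:", trackers_in_classes(SAMPLE_CLASSES))
```

Both results on the constructed sample (contacts and device-identifier permissions, plus two ad-analytics SDKs) would fail the corresponding checklist items.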

If the app fails three or more of these checks, uninstall it. There are enough acceptable options that tolerating a suspicious one is not worth it.

Red flags in free VPN marketing copy

Language to distrust whenever you see it on a free VPN site:

  • “Military-grade encryption.” Not a real thing. AES-256 is the standard. If the marketing leans on this phrase, the rest of the page probably does not describe an actual cryptographic posture.
  • “100% anonymous” or “complete anonymity.” No commercial VPN makes you anonymous. At minimum, the provider can see your real IP and your traffic metadata.
  • “Zero logs” with no audit link. If the claim is not backed by a named third-party audit report, treat it as aspirational.
  • “Free forever,” “no strings attached,” “no credit card, ever.” The question is not whether there is a card. The question is what the revenue model is. If the company will not say, assume the worst one.

The bottom line

Free VPNs are not a category. They are two very different categories sharing a label. A free tier from an audited paid provider is a legitimate privacy tool with limits you can live with. A random “unlimited free VPN” from an unnamed company on an app store is usually a data-collection or ad-injection product with a tunnel bolted on.

The price gap between “free from a real provider” and “a few dollars a month from a real provider” is small. The privacy gap between those two and “free from an unknown vendor” is enormous.

If you only take one habit from this page: never install a VPN without first looking up its parent company and reading its privacy policy. Ten minutes of reading is cheaper than an unknown amount of data exposure.


Frequently Asked Questions

Are all free VPNs unsafe?

No, but most are. Free tiers from established paid providers (Proton VPN, Windscribe, Hide.me, TunnelBear) tend to be far safer than ad-supported free apps from unknown vendors. The main risk is apps whose only revenue source is monetising your traffic or your data.

What is the biggest risk of a free VPN?

Data harvesting and resale. Multiple academic studies found free VPN apps that injected tracking libraries, routed user traffic through third-party servers, or sold bandwidth to residential proxy networks. You become a data product, and sometimes an unwitting exit node for someone else's traffic.

Can a free VPN inject malware?

It has happened. The 2017 CSIRO study of 283 Android VPN apps found 38% contained some form of malware or malvertising, 18% did not encrypt traffic at all, and 16% tampered with HTTP traffic in transit. Check independent audits and privacy policies before installing any free VPN.

Is Proton VPN Free safe to use?

Proton VPN's free tier is one of the few we consider acceptable. It is operated by the same company that runs Proton Mail, has been audited by Securitum, runs no ads, sets no data caps on the free plan, and enforces the same no-logs policy as the paid plans. Speed and server choice are limited, but the privacy model is intact.

Do free VPNs actually hide my IP?

Usually yes, but that is only one layer of privacy. If the provider logs your real IP, sells traffic data, or leaks DNS queries outside the tunnel, hiding your IP at the network edge is undone further down the chain. Independent DNS leak tests and third-party audits matter more than the marketing claim.

Should I use a free VPN on public WiFi?

A reputable free tier is better than no VPN on untrusted WiFi. But an unknown free app can be worse than no VPN if it breaks HTTPS, injects ads, or exports traffic to shady servers. If budget is a blocker, use a known audited free tier rather than whichever app is top of the app store.

JP
Reviewed by , Compliance & Security Specialist | Our Methodology