“If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia.”
These were the words of Senators Marco Rubio (R-FL) and Ron Wyden (D-OR) to Christopher Krebs, Director at the Cybersecurity and Infrastructure Security Agency (CISA) in a bipartisan investigation into the extent to which VPN companies are being used by Russia and China as surveillance tools to spy on Federal employees.
The investigation was not the first of its kind – a similar examination took place in 2019, and DHS issued a ban of Kaspersky products on Federal IT systems.
Both investigations were carried out to protect federal systems, but such findings must be extended to ordinary American citizens also.
The concern that VPN services have been funneling user data to foreign countries via a parent company has been present for a number of years, but the acquisition of ExpressVPN by Kape Technologies PLC has renewed those fears once more.
ExpressVPN has been a leader in the Virtual Private Network sector for several years and has over three million subscribers. The acquisition shed some light on their finances, showing that they generated “revenues of approximately $279.4 million in 2020, up 37% from 2019”. They have championed data privacy since their launch, often appearing in collaboration with other privacy-oriented services like DuckDuckGo.
ExpressVPN went a step further, establishing their HQ in the British Virgin Isles, and establishing their own protocol named Lightway to ensure user privacy.
Kape Technologies bought the company last week for $936 million, which makes it the most expensive acquisition in the history of the VPN industry.
The acquisition marks the fourth time Kape has purchased a VPN. 2017, it acquired Romanian VPN provider CyberGhost VPN, and in October 2018, it acquired the German-based VPN provider ZenMate.
Acquisitions are not cause for concern by themselves, however, Kape’s past certainly casts a shadow over the deal. Up until March 2018, Kape was known as Crossrider. The name change was due to gaining a shady reputation – Crossrider was branded as Adware by Symantec’s Security Center. The program replaced ads with its own in browsers, collected personal data, and connected to the Crossrider domain.
Malwarebytes had a similar outlook warning users that the Crossrider program was involved in browser hijacking, malicious software bundlers, adware, and other monetizing methods.
There are other factors to consider in the Kape/Crossrider story. Its founder and CEO for a number of years was part Unit 8200, an elite Israeli government body similar to the NSA. Its main investor was Teddy Sagi, whose name is included in the Panama Papers.
With details such as these, users of ExpressVPN who subscribed out of privacy concerns have a right to worry.
ExpressVPN is not the first VPN company to be acquired by a larger company with a shady or undesirable background. A study from VPNpro showed that 101 companies belong to just 23 companies, many of which are based in countries with poor privacy regulations.
The study highlighted that nearly 33% of popular VPNs are owned by Chinese companies, or run by Chinese nationals. This means user data is likely open to Chinese authorities, confirming US Senators’ fears of American data falling into Chinese or Russian hands. China is the world leader in online surveillance, which is the very thing VPNs purport
Not only are VPN providers in foreign nations obliged to hand over data to Government, it is also possible that they’re selling the information to their respective governments.
VPN users are at risk from these parents companies, risking their data being sold privately to other companies or being handed over to foreign governments. Based on research by VPNPro, we’ll look at some other companies besides Kape that own large slices of the VPN cake.
j2 Global – 13 VPN services
j2 Global, which also owns tech publication PCMag (who coincidentally do VPN reviews) recently acquired StackPath’s VPN products. StackPath states that they’re “an American content delivery network, cloud service, and web application firewall provider.” To branch out, StackPath bought Highwinds in 2017, which included IPVanish, StrongVPN, and Encrypt.me (formerly Cloak).
j2 Global is connected to many more VPNs than its website claims. On top of IPVanish, StrongVPN, and Encrypt.me, it also owns SaferVPN and OverPlay VPN through its subsidiary NetProtect.
The company also owns WLVPN.com, a white-label service that offers VPN infrastructure and strategy services.
With a white-label, VPN providers can buy software development kits (SDKs) from WLVPN to help them develop their VPN applications and features.
NetProtect claims that more than 100 businesses use WLVPN’s infrastructure and tools to power their VPNs, including StrongVPN, OverPlay VPN, Encrypt.me, and VPNhub, Pornhub’s VPN service. j2 Global’s reach should not be understated, and given that they own the largest publication that does VPN reviews it should be cause for concern.
AnchorFree – 10 VPN services
AnchorFree is a veteran on the VPN scene, first appearing in 2008 with HotSpotShield. Though a popular VPN, HotSpotShield was mired in controversy and rumors that they were selling user data.
In August 2017, the Center for Democracy and Technology (CDT) issued an open complaint to the Federal Trade Commission which they state “concerns undisclosed and unclear data sharing and traffic redirection occurring in Hotspot Shield Free VPN that should be considered unfair and deceptive trade practices under Section 5 of the FTC Act.” CDT “partnered with researchers at Carnegie Mellon University to analyze the app and the service and found ‘undisclosed data sharing practices’ with advertising networks.”
Though mostly known for HotSpotShield, AnchorFree has been quietly buying up a number of VPN services.
In February 2015, AnchorFree acquired JustVPN and TouchVPN. JustVPN has just one VPN product: an Android app called “JustVPN – Free Unlimited VPN & Proxy.”
TouchVPN has three unique apps. Two are for Android (Touch VPN, VPN 360), and three are for iOS: VPN 360, Touch VPN, VeePee VPN Proxy.
In November 2016, Betternet Technologies was acquired by AnchorFree. Betternet creates the following mobile apps:
- VPN Free – Betternet Hotspot VPN & Private Browser
- VPN Proxy by HexaTech
- VPN in Touch (developer listed as just “Betternet”)
- Best VPN Proxy Betternet
- HexaTech Unlimited VPN
- VPN in Touch
- VPN Pro | Lifetime Proxy & Best VPN by Betternet
Gaditek – 7 VPN services
Gaditek is a Pakistan-based company that owns PureVPN, Ivacy, and Unblock – a newer VPN and proxy product. Pakistan’s own privacy laws are not particularly rigid, and the country has often come under fire from international NGOs. Freedom House’s annual internet freedom report has repeatedly given Pakistan a rating of “not free.”
Pakistan practices heavy online censorship. The government blocks residents from accessing websites and social media platforms that express dissenting political opinions. Authorities also frequently disable mobile internet access during large protests or other politically sensitive events.
There are several cases of people being sentenced to death for their social media activity. Some reports suggest that Pakistan has begun targeting human rights defenders with invasive cyberattacks.
Pakistani law also makes it extremely easy for authorities to obtain a warrant to access citizens’ private data for almost any reason. This begs the question, how much control does the Pakistan government have over Gaditek?
The employees of Gaditek/PureVPN have also been connected to the following VPN review sites:
- bestvpn.co (previously bestvpnprovider.com)
Some employees of PureVPN and Gaditek also worked for another VPN provider called OneVPN, which is owned by Unravel Technologies.
Unravel is supposed to be based in Hong Kong, but like PureVPN, its base is actually in Karachi, Pakistan. Muhammad Fahad’s job profile shows him working at first Gaditek then Unravel, both in Karachi:
PureVPN, IvacyVPN, and vpnranks.com all share the same registration address in Singapore. The next company on this list – Innovative Connecting – also has the same address.
Innovative Connecting – 10 VPN services
Innovative Connecting is a young Singapore-based tech company that specializes in mobile app development. This Android developer directly makes TurboVPN, VPN Master, VPN Proxy Master Pro, and VPN Proxy Master Lite. It also develops the iOS app VPN Sofast – Mymobilesecure.
Innovative Connecting has been connected with Lemon Clove as well (in addition to a third company, ALL Connected Co. Ltd). Lemon Clove makes the VPN apps Snap VPN and VPN Robot.
Lemon Clove and Innovative Connecting both have the same secretary and key addresses. Additionally, the company’s LinkedIn page says that its product development team is actually based in China. Director Danian “Danny” Chen is a Chinese national.
When researchers studied the APK files for the three companies, they found the API calls going to the same domains
While it is clear Innovative are trying to hide their reach, they are behind many more VPNs than they claim to be.
SuperSoftTech – 3 VPN services
The company developers 3 apps; SuperVPN, VPN Payment Tool, and LinkVPN. While the apps are officially owned by the SuperSoftTech company based in Singapore, it actually belongs to the independent app publisher Jinrong Zheng – most likely a Chinese national based in Beijing.
The contact email address on the Play store (firstname.lastname@example.org) links to a Chinese address in Beijing. Jinrong Zheng has released several apps (mostly games) that almost all start with the prefix “Super.”
SuperVPN has been ranked the #3 most malware-rigged VPN app in a 2016 Australian research by Csiro:
Other Companies That Own Several VPNs
- Hotspot VPN (5 apps): Director Zhu Jianpeng has a residential address in Heibei Province in China
- Hi Security (3 VPN apps): the VPN apps are part of Shenzhen HAWK Internet, a subsidiary of the Chinese major company TCL Corporation
- Newbreed Network Pte.Ltd (6 apps): While it has a Singapore address, the websites for its VPN apps SGreen VPN and NodeVPN are completely in Chinese, while NodeVPN’s site lists the People’s Republic of China as its location.
A Risk-Free VPN and the Future of the Industry
It is clear that the VPN industry, initially thought to be a bastion of privacy and security, has become controlled by mendacious parent companies, holding companies, and megacorporations that are willing to sell out the average user to governments or advertisers.
In an age where living without a VPN leaves you and your data entirely exposed, it is nothing short of tragic that users wishing to escape into the safe harbor of a trusted VPN have their fears turned against them.
Though stories like ExpressVPN and Kape will make the headlines, there are always independent VPN services fighting the privacy fight in earnest, without turning on users and seeing them as the product to sell.
When considering a VPN service, consumers now must be well-informed or face the risks now facing ExpressVPN users.
Here are some factors those who are searching for a VPN should keep in mind:
- Independence; is the service owned by another company who themselves own a number of other VPN services?
- Data Limits
- Speed and throttling
- Price; the majority of ‘Free’ VPNs are expected to sell your data
- Company headquarters – Is the company based in a country with modern privacy laws?
- Privacy; what kind of logs are kept?
- Customer support
At SaferNet, we offer a competitive VPN for individuals, families, and businesses that ticks all these boxes and more.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.