Virtual Private Networks (VPNs) have become popular as tools to protect online identity and bypass censorship, and they are widely used by journalists and activists. However, protection is not automatic: it depends on the provider’s integrity and business model. Choosing a service requires evaluating its logging policy, jurisdiction, and monetization practices.
Investigations, such as those conducted by Zimperium, have revealed that more than 65% of free mobile VPN applications contain vulnerabilities or collect data without consent. That data can then be sold to advertisers and data brokers, and the device becomes a surveillance point, including for authorities.
Google’s Threat Intelligence Group documented a campaign named “IPIDEA” that posed as a VPN and turned millions of devices into nodes within an espionage network, demonstrating that applications can function as attack vectors beyond merely masking traffic.
Legal pressure is another reality: some providers publish transparency reports detailing requests received from authorities. In other cases, security incidents have come to light (for example, at NordVPN), and the provider's jurisdiction (Panama) requires critical scrutiny. Jurisdiction and independent audits are decisive factors.
Properly audited alternatives, such as Mullvad, based in Sweden, show that it is possible to operate with verifiable policies, limit logging, and even accept anonymous payments. It is recommended to select providers with independent audits, transparency, and respect for privacy.
Sources:
- Zimperium / coverage of the VPN study: https://www.zimperium.com/blog/insecure-mobile-vpns-the-hidden-danger · https://digit.fyi/report-65-of-free-vpns-pose-critical-privacy-risks/ (news summary).
- Google / disruption of the IPIDEA network: https://www.reuters.com/technology/google-disrupts-large-residential-proxy-network-reducing-devices-used-by-2026-01-28/ · https://blog.google/innovation-and-ai/infrastructure-and-cloud/google-cloud/gtig-ipidea-disrupted/
- NordVPN / response to the 2019 incident: https://nordvpn.com/blog/official-response-datacenter-breach/ · https://www.eff.org/deeplinks/2019/11/virtually-private-network-nordvpns-breach-and-limitations-vpns
- Mullvad / audits and no-logging policies: https://mullvad.net/en/blog/new-security-audit-of-account-and-payment-services · https://mullvad.net/en/help/no-logging-data-policy