The short version

A VPN provider is paying for servers in dozens of countries, the bandwidth every one of those servers pushes, and the engineering to keep it all running securely, around the clock. None of that is free to provide. A paid VPN covers it with your subscription, which is a business model with an obvious, aligned incentive: keep you as a paying customer by actually protecting your traffic. A free VPN has to cover the same costs somehow else, and "somehow else" has, repeatedly and documentably, turned out to mean your data, your bandwidth, or both.

How free VPNs actually make money

This isn't one mechanism, it's a handful of distinct ones, and knowing which one a given app is using tells you a lot about what to actually worry about.

Selling usage data to advertisers or data brokers

The most direct version: a free VPN logs the sites you visit, the apps you use, or your general browsing patterns, and sells that dataset, often "anonymized" in name only, to advertising or analytics buyers. This is the mechanism behind most of the "your free VPN is basically spyware" headlines, and it's the specific thing a genuine no-logging policy is supposed to prevent — which only matters if the policy is actually true.

Reselling your bandwidth and IP address

A less obvious model, but a well-documented one: some free VPNs, historically including Hola VPN, worked by routing paying customers' traffic through free users' own devices and internet connections, turning each free user into an exit node for someone else's traffic without making that trade especially clear up front. Hola's commercial arm sold this residential IP access to businesses through a service called Luminati. The practical risk isn't abstract: other people's internet activity, potentially including activity you'd never want associated with your home connection, can end up routed through your IP address.

Bundling adware or requesting excessive permissions

The bluntest version: the app itself is the monetization, packed with third-party ad SDKs or requesting device permissions (contacts, precise location, storage access) that have nothing to do with running a VPN tunnel. Multiple academic studies of free VPN apps on the Google Play Store over the past several years have found this pattern common enough to treat as the rule rather than the exception among free, ad-supported options specifically.

The leak that showed what "no log" meant

Policy claims are one thing; a live database is harder to argue with. In July 2020, security researchers at Comparitech and vpnMentor independently found an unsecured Elasticsearch server exposing data from seven different free VPN apps — UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN — all traced back to a single Hong Kong entity, Dreamfii HK Limited, operating under different white-labeled names. Every one of them advertised a zero-log or no-log policy.

What was actually in the database

Roughly 1.2TB of data, over a billion log entries, sitting on the open internet with no password protection. It included plaintext passwords, home addresses, payment details, device information, and detailed connection logs recording exactly which sites and servers each user had connected to — the precise category of information a "no log" policy exists to promise doesn't get recorded at all. Researchers noted the exposure put users in countries where VPN use itself is restricted at real personal risk, since the logs could show who had been circumventing local controls.

UFO VPN's response at the time was that the data was being kept only for performance monitoring and was anonymized — a claim the researchers who'd just watched their own plaintext password appear in the database in real time were in a strong position to dispute. It's one of the cleaner illustrations available of the gap between a privacy policy's wording and what a service actually does with your data once no one outside the company is checking. The Register's coverage at the time captured just how quickly the shared white-label infrastructure came apart once one app in the chain was examined.

When the VPN's real customer was never you

A different failure mode, worth knowing because it doesn't require any data leak or bad security practice at all: Facebook's Onavo Protect was a free VPN app whose entire underlying purpose was gathering competitive intelligence for Facebook itself. Once installed, it gave Facebook visibility into which other apps people were using and how often, data that reportedly played a role in decisions like acquiring WhatsApp. Apple eventually removed it from the App Store for violating data-collection policies, and Facebook shut the app down entirely not long after. Nothing about Onavo required a security failure to be a privacy problem; the app worked exactly as designed, for a customer that was never the person who installed it. It's the same underlying business logic behind most cross-app tracking, covered in more depth in our targeted advertising guide.

Not every free VPN is a trap

It would be dishonest to leave the impression that "free" is disqualifying on its own. A small number of providers run a free tier that's genuinely funded by their paid subscribers rather than by data collection — the free tier acts as an upsell funnel with real, disclosed limits, usually a data cap, fewer server locations, or reduced speed, rather than a hidden data-collection tradeoff. The distinguishing feature isn't the price tag, it's whether the limitation is disclosed and technical (a data cap, a server count) or undisclosed and behavioral (logging, ad injection, bandwidth reselling). A provider that's transparent about "here's what you don't get for free" is a fundamentally different proposition than one that doesn't explain how it stays in business at all.

The technical gaps beyond the business model

Even setting aside how a free VPN funds itself, there are consistent technical differences worth checking for directly. A meaningful number of free VPN apps still support only older protocols like PPTP or basic L2TP, both of which have known cryptographic weaknesses that modern protocols like WireGuard were built specifically to replace — see our WireGuard vs OpenVPN comparison for what actually changed. DNS leak protection and an automatic kill switch, features that stop your real traffic from leaking out if the VPN connection drops, are common on paid tiers and inconsistently available, if at all, on free ones — worth confirming directly with our DNS leak test and WebRTC leak test rather than trusting the marketing page. And server congestion is a direct, physical consequence of the free-tier economics: a provider funding a smaller server fleet through ads or data sales has less incentive, and less revenue, to keep pace with paying-tier speed expectations.

A quick checklist before installing any VPN

Worth running through this regardless of whether the app is free or paid, since a bad paid VPN and a good free one both exist:

  • Ownership — is the company's ownership disclosed, or does the app operate under a name with no clear parent entity behind it?
  • Audit — does the no-logging claim reference an actual, named third-party audit, or is it just a sentence on a privacy page?
  • Jurisdiction — what jurisdiction is the provider based in, and does that jurisdiction have data-retention laws that could compel logging regardless of stated policy?
  • Protocol — which protocol does it use by default, and does it mention WireGuard, OpenVPN, or IKEv2 specifically rather than staying vague about it?
  • Funding — if it's free, does the provider explain how it's funded anywhere in its own documentation?

What's actually worth paying for

The honest calibration depends on what you're actually using it for. Watching a show that's region-locked for an afternoon is a genuinely low-stakes use case where a reputable free tier's limitations are a minor annoyance, not a real risk. Routing your everyday browsing, financial activity, or anything you'd consider sensitive through a VPN regularly is a different calculation entirely, where the cost of a paid subscription is small compared to what an undisclosed data-selling free app could actually expose. If that's your use case, our best VPNs guide covers the providers that actually back their no-logging claims with an audit rather than just a policy page. The UFO VPN case above is a useful gut check either way: the exposed users weren't careless, they were trusting a policy statement that turned out not to be true, which is exactly the scenario a paid provider's audited, contractually-backed policy is meant to reduce the odds of.

Frequently asked questions

Is every free VPN secretly selling my data?

Not every one, but the pattern is common enough among free, ad-supported options that it's the reasonable default assumption until a provider demonstrates otherwise through a disclosed funding model or an actual third-party audit. A handful of providers run defensible, transparent free tiers — the distinguishing factor is disclosure, not the price.

How was the 2020 leak actually discovered?

Independently, by two separate research teams:

  • Comparitech's Bob Diachenko found an exposed 894GB Elasticsearch cluster tied to UFO VPN in early July 2020 and reported it directly to the provider.
  • vpnMentor's research team found the same exposed infrastructure days later and discovered it was shared across six additional white-labeled VPN apps, bringing the total exposed data to roughly 1.2TB.

The database wasn't secured until roughly 18 days after it was first discoverable online.

Does a VPN being free automatically mean it's using the bandwidth-reselling model like Hola did?

No, that's specifically a peer-to-peer model, not how most free VPNs operate. Most free VPNs monetize through data collection or ad bundling rather than turning your own connection into an exit node for other users' traffic. It's worth checking a provider's own terms of service for language about sharing your network connection or IP address specifically, since that's the detail that distinguishes this model from the more common ones.

If a free VPN has millions of downloads and good app store ratings, doesn't that mean it's trustworthy?

Not reliably. Several of the apps involved in the 2020 leak had millions of downloads and strong store ratings at the time, since ratings reflect whether the app functions and unblocks content, not whether its backend infrastructure is secured or its logging claims are accurate. Download counts and ratings are a popularity signal, not a security or privacy audit.

Sources

  • vpnMentor — original research report on the seven-app data exposure
  • Comparitech — independent discovery and timeline of the UFO VPN exposure
  • The Register — coverage of the seven-provider leak and shared infrastructure
PrivacyTestLab logo

Written by PrivacyTestLab

This guide is built around a specific, documented incident rather than a general claim about free VPNs, cross-referenced across the independent research teams that discovered and reported it.