A VPN server doesn't run on goodwill. Bandwidth costs money, server hosting costs money, and the people writing and maintaining the app expect a paycheck. A paid VPN answers the "who's paying for this" question in one sentence: you are, via your subscription. A free VPN has to answer it some other way, and that answer is the entire story of whether the app is safe to put on your phone. Sometimes the answer is boring and fine: a company subsidizes a limited free tier to get you to try the paid product, the way Proton VPN's free plan works. Sometimes the answer is that your bandwidth and IP address are themselves the thing being sold to someone else. Both models exist under the word "free," and most people have no way to tell which one they downloaded.
You're asking the wrong question
"Is this free VPN safe" is the question everyone asks, and it's the wrong one because it treats safety as a fixed property of the app rather than a consequence of how it makes money. The right first question is simpler: if I'm not paying, what is this company actually selling, and to whom? Once you can answer that, whether the app is "safe" mostly answers itself.
There are really only four honest answers a free VPN can give. It's selling you eventually, by funneling free users toward a paid upgrade. It's selling your bandwidth, by routing other people's traffic through your connection. It's selling your data, by logging your activity for advertisers or data brokers. Or it's selling something adjacent, the way Facebook used a "security" app to study which competitors were worth acquiring. Only the first one is a business model you should feel fine about.
How a free VPN actually pays its server bill
Look past the marketing copy on any free VPN's landing page and the revenue model usually falls into one of a few patterns. None of these are hypothetical — each one below is something a real, widely downloaded VPN app has done.
Reselling your bandwidth. Hola VPN marketed itself in the early 2010s as a "people-powered" free VPN: you'd get free access, and in exchange your idle bandwidth would help route other users' traffic. What the company didn't make clear was that it operated a commercial subsidiary, Luminati Networks (since rebranded as Bright Data), which sold access to that same pool of residential IP addresses to paying business customers. Reporting at the time found that Hola's roughly 47 million users had effectively become exit nodes for anyone willing to pay Luminati, with no clear disclosure that this was the actual product, and with the exit user's own home IP address, not Hola's, attached to whatever the paying customer did through it.
Harvesting usage data for a completely different business. Facebook's Onavo Protect is the clearest example on record. Marketed as a security and data-saving tool, it collected detailed logs of which apps people opened, how long they used them, and what traffic flowed through the device. That data reportedly helped Facebook see which apps were gaining traction before the broader market noticed; WhatsApp, bought in 2014, is the best-documented case. (Instagram is often named alongside it, but Facebook bought Instagram in 2012, before it acquired Onavo in 2013, so that deal predates the data.) Apple pulled Onavo Protect from the App Store in 2018 for violating its data-collection rules, but by then it had been on people's phones for years.
Selling ad and tracking data outright. This is the most common pattern and the least dramatic — a free VPN embeds third-party analytics and advertising SDKs into the app, the same way a free mobile game might, and the data those SDKs collect gets monetized through the normal ad-tech pipeline. It rarely makes headlines because it's not one dramatic event; it's just quiet, continuous data collection running in the background of an app whose entire premise is supposed to be reducing exactly that.
What happens when researchers open the hood
The most rigorous look at this came from a 2016 academic study by researchers at CSIRO's Data61, the University of New South Wales, and the International Computer Science Institute (ICSI) at Berkeley. The team pulled 283 Android apps from the Google Play Store that request the BIND_VPN_SERVICE permission, the permission any app needs to act as a VPN on Android, not a cherry-picked list of shady apps, just a broad sample of what was actually available, and ran each one through static code analysis and live traffic analysis.
The comparison that matters most for this article sits inside the same dataset: among the paid VPN providers in the study, roughly two-thirds kept no third-party trackers at all. Among the free providers, that number dropped to a little over a quarter. That gap is not a coincidence — it's the direct, measurable fingerprint of two different business models running through the same category of app.
The exact app names in that research are mostly gone from the stores now, and the industry has matured in places. But the underlying economics haven't changed — a free app still needs a revenue source, and researchers examining fresh samples of free VPN apps keep finding the same categories of problem, just with different app names attached. Treat the pattern as current even where the specific apps aren't.
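The static half of that analysis is something you can reproduce on any APK before it goes on your phone, and it is the check worth running on a free VPN whose revenue model you can't explain. The Python below is an added example written for this article; it is not code from the study or from any VPN vendor. It parses the string table of every classes*.dex inside an APK (the DEX format stores every class descriptor, such as Lcom/appsflyer/AppsFlyerLib;, in that table) and reports matches against a small, illustrative list of advertising and analytics SDK package prefixes. That list is an assumption made for the example; in practice you would take it from a maintained tracker database such as the one Exodus Privacy publishes. build_dex and build_apk are helpers that construct a synthetic DEX and APK so the scan can be exercised offline without a real app.

```python
# Added example: scan an APK's classes*.dex string tables for known ad/analytics
# SDK class descriptors. TRACKER_PREFIXES is an illustrative, hand-picked list
# (assumption for this example); extend it from a maintained tracker database.
import io
import struct
import sys
import zipfile

# DEX type descriptors for a few well-known ad/analytics SDKs (assumed list).
TRACKER_PREFIXES = {
    "Lcom/google/android/gms/ads/": "Google Mobile Ads",
    "Lcom/facebook/ads/": "Facebook Audience Network",
    "Lcom/appsflyer/": "AppsFlyer",
    "Lcom/flurry/": "Flurry",
    "Lcom/adjust/sdk/": "Adjust",
}


def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def dex_strings(dex):
    """Return every entry of a DEX file's string table, in table order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header fields string_ids_size and string_ids_off live at 0x38 and 0x3C.
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        # string_data_item: uleb128 UTF-16 length, then MUTF-8 bytes, then NUL.
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        # MUTF-8 differs from UTF-8 only for NUL and supplementary characters,
        # which never occur in the ASCII class descriptors we care about.
        strings.append(dex[start:end].decode("utf-8", errors="replace"))
    return strings


def find_trackers(dex):
    """Map SDK name -> set of matching class descriptors found in one DEX."""
    hits = {}
    for s in dex_strings(dex):
        for prefix, sdk in TRACKER_PREFIXES.items():
            if s.startswith(prefix):
                hits.setdefault(sdk, set()).add(s)
    return hits


def scan_apk(apk):
    """Scan every classes*.dex member of an APK (path or file-like object)."""
    hits = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                for sdk, classes in find_trackers(z.read(name)).items():
                    hits.setdefault(sdk, set()).update(classes)
    return hits


def write_uleb128(value):
    """Encode an unsigned integer as LEB128 (used only to build test input)."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def build_dex(strings):
    """Construct a minimal DEX holding only a string table (synthetic input)."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    ids_off = len(header)
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += write_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + ids + bytes(data)


def build_apk(dex_blobs):
    """Wrap DEX blobs in an in-memory zip laid out like an APK (synthetic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for i, blob in enumerate(dex_blobs):
            z.writestr("classes.dex" if i == 0 else f"classes{i + 1}.dex", blob)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for sdk, classes in sorted(scan_apk(sys.argv[1]).items()):
        print(f"{sdk}: {len(classes)} class(es), e.g. {sorted(classes)[0]}")
```

Run it as `python dex_trackers.py some-app.apk` against an APK you have pulled from a device or downloaded. An empty result means none of the listed prefixes appeared, not that the app is clean: SDK classes can be renamed by obfuscators, the list here is deliberately short, and a static scan says nothing about what the VPN does with your traffic once the tunnel is up. Any hit, on the other hand, is exactly the third-party tracking library the study counted, sitting inside an app whose stated purpose is to stop that kind of collection.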
A short history of free VPNs going wrong
Academic studies establish the pattern. These are the moments the pattern became a headline.
What a subscription is actually buying you
It isn't the encryption itself. WireGuard and OpenVPN, and the ciphers they run on (ChaCha20-Poly1305, AES-256-GCM), are the same open, freely available protocols whether you pay for them or not, and a free app can implement them exactly as well as a paid one. What a subscription actually funds is the stuff that's expensive and boring: dedicated server capacity instead of an overcrowded shared pool, a team that can commission and publish a real third-party audit, and a straightforward incentive structure where the company's revenue depends on you staying subscribed rather than on some other business quietly monetizing you in the background.
| | Free VPN | Paid VPN |
|---|---|---|
| Revenue source | Often unclear or undisclosed | Your subscription, full stop |
| Server capacity | Shared, congested pool | Dedicated infrastructure sized to subscriber load |
| Independent audits | Rarely commissioned or published | Reports published and attributable to a named firm |
| Bandwidth | Data caps or forced speed throttling | Unlimited on the plan you're paying for |
| Tracking SDKs | Third-party ad/tracking SDKs common | No commercial reason to embed third-party trackers |
When a free VPN is genuinely fine
This isn't a blanket case against every free option. A small number of providers run a legitimate free tier on the exact same infrastructure and codebase as their paid product — Proton VPN's free plan is the standard example, with unlimited data, no ads, and the same open-source, audited apps as the paid tier. Windscribe and TunnelBear offer smaller but similarly transparent free allowances funded by their paid upgrades rather than by your data.
If your actual use case is light — checking email on public Wi-Fi at a coffee shop, or getting around a mild regional content block once in a while — a reputable free tier from a company that also sells a paid product is a reasonable choice. What changes the calculation is anything that actually matters: banking, sensitive communication, or routine daily use where a slow leak of metadata over months adds up to a real profile of your habits.
Red flags before you install anything
Run any free VPN through this list before it touches your phone.