Despite the administration’s warnings of punishing VPN users with the Unlawful Activities (Prevention) Act meant for terror offences, most Kashmiris are resorting to the use of free Virtual Private Network applications in a bid to circumvent the Indian government’s ban on all but a handful of “whitelisted” websites, which do not include social media websites.

However, the conditions applied by most free VPN applications being used in Kashmir (and elsewhere) put everyone who signs up at risk of losing their data to third parties including government agencies.

Even as the government restored limited mobile data services last month – and a brief, probably accidental spell of 4G network access was reported last night – social networking sites such as Facebook, WhatsApp and Instagram continue to remain blocked, prompting locals to use VPNs or proxy servers to bypass the restrictions.

VPNs are widely used by people across the world suffering from online censorship, as they allow a user to access blocked websites through a proxy server that changes their IP address.

Free VPN services are particularly used by people from regions with restricted internet like China, Iran, Turkey, Kashmir, etc.

These applications are reportedly among the biggest culprits of data abuse, as they have built a profitable business model by selling user information to the highest bidder.

“The highest bidder can be the same government against whose directives you are using it,” says Naomi Hodges, a cybersecurity expert at the online privacy protection company Surfshark, based in the British Virgin Islands.

“The fact that your personal information could be sold to third-parties is usually written on the privacy policy page, but most people don’t read those. The operational transparency of free VPNs is usually kept under lock, while their privacy policies deliberately make it difficult to understand how they monetise products and services to generate profit,” Hodges explains.

Hodges analysed 11 out of 16 common apps used in Kashmir and found they contain ads, which reduce the chances of not being tracked nearly to zero. “If an app is ad-supported, it usually means developers can gather data points about users’ online activity for targeted advertising,” she says.

These “free” service providers cannot sustain themselves in almost any way except by selling their users’ data. The old adage, “If you’re not paying for the product, you are the product”, applies here as well.

It isn’t yet public whether the government has approached any VPN provider for data or asked for restrictions – as it often does with regular internet service providers – but experts aren’t ruling this out.

“It is extremely difficult to gather such evidence. Everything happens behind closed doors – neither the government nor untrustworthy service providers will reveal such information publicly because of how sensitive it is,” says Gabrielle Hermier, media officer at Surfshark.

“For this particular reason, the vast majority of free VPN providers are owned by China. All VPN providers there must be registered with the government, which means that the Communist Party of China has full access to those users’ data,” Hermier believes.

Among the most common hidden means that allow free VPNs to generate profits is tracking their users’ online activity and sharing this data with third parties, as well as selling their bandwidth to data mining companies. The apps don’t often specify what technologies they use to ensure users’ privacy and security.

For instance, the relatively popular app Thunder VPN contains ads, but claims to “not log or track user data”. However, in the same Privacy Policy page the service contradicts itself, stating: “When you use our app we may collect the following information: IP address, Internet service provider, OS version, the language of the device, app identifier, app version, independent device identifier, ad identifier, device manufacturer and model.”

The vast majority of free VPN providers collect user data themselves. They then analyse the data and provide it to unknown third parties that use it to segment customers into profiles. In some cases, however, free VPN providers allow third parties to access their customer base directly.

For example, TurboVPN operated by three closely related companies based in Singapore with links to mainland China, has more than 100,000,000 Google Play installs. It claims to be a no-logs VPN but their privacy policy openly admits that third parties can set independent tracking libraries on their product: “advertising partners may set and access their cookies, pixel tags, and similar technologies on our services.”

Similarly, Psiphon’s privacy policy admits that it tracks users’ browsing history and shares access to it with third parties: “Our advertising partners use cookies to enable them and their partners to serve ads based on your usage data.”

Another popular app, Hola VPN, allows you to browse the internet using other Hola users’ internet connections. People throw their IP addresses into a pool for other users to use as they please. This free VPN service has one of the most intrusive logging policies: they reserve the right to track the webpages their users visit, the time spent on those pages, or phone usage patterns. Additionally Hola VPN warns it “may also transfer or disclose Personal Information to our subsidiaries, affiliated companies”.

Although many youngsters in Kashmir are aware of the risks that come with using free VPN services, they feel helpless because of circumstance. “Paid VPN services are beyond the budget of a commoner, and the few websites the government allows us to access are of no use. These VPN apps are the only option for us to remain connected to the outside world,” says Adnan Ahmad, a student residing in Srinagar.

Cover photo BASIT ZARGAR for The Citizen