A VPN or not a VPN, that is the question: Expert interview with Prof. Dennis-Kenji Kipker

Why are some VPNs free and others paid? How does the scope of service differ?

Definitely, not all VPNs are the same. If you are a user looking to get started or only sometimes need a VPN for really basic tasks, a free VPN may be attractive In the long term, however, this is not a good and, therefore, recommendable solution. This starts with the fact that free VPNs usually only provide a limited bandwidth. We all know how important speed is to us on the internet, and free VPNs generally use less powerful servers, which in turn leads to a loss of speed. However, it’s not just speed that is crucial on the internet, but also the ability to access as many servers as possible. Free VPNs generally only offer access to a limited number of servers in certain countries, which can play a role when visiting websites from different countries when traveling, for example. In addition, the vast majority of free VPNs have a much smaller range of technical functions and only offer the basics, such as data encryption and IP masking. Additional functions, such as a kill switch, ad blocker, or split tunneling, are generally not available. Last but not least, free VPNs are of course often misused for dubious activities on the internet and can therefore also be associated with data misuse in the past.

Are free VPNs really free?

(Almost) nothing is free — not even on the internet. Of course, with free VPNs, you may not have to pay in monetary terms at first. But ultimately, even with free VPNs, someone has to finance and maintain the underlying IT infrastructure. This is why free products usually generate their revenue through other means, such as advertising, data sales, or the request for personal data during use. As a rule, people use a VPN not only for additional security but also to protect their privacy — and this protection is ultimately counteracted by business models that use personal data to finance their services.

Can you explain the potential security and privacy risks associated with using free VPN services compared to paid services?

The security and privacy risks can certainly be explained in a technical comparison of the offers. One of these risks is the (further) sale of data to advertising partners, or sometimes even to government authorities. And this can certainly be sensitive data, such as IP addresses, surfing history, or payment information such as credit card details. Another risk concerns user tracking. For example, there are free VPN apps that monitor the behavior of their users in order to display targeted advertising. However, there are not only serious privacy risks, but also cybersecurity risks: free VPN services may not be using sufficiently secure encryption protocols. This can enable attackers to intercept users’ data traffic. This is known as a man-in-the-middle attack. Last but not least, free VPNs might have less secure implementations against DNS leaks. This is the case when DNS requests are not routed correctly via the VPN server. And in case of doubt, this leads to the cancellation of privacy and security on the internet if the actual user IP address is ultimately also visible to third parties.

What legal security precautions and compliance standards are generally associated with established, paid VPN providers, and how might these differ from those of free VPN services?

Paid VPN providers usually have a whole range of quality commitments, but also take contractual precautions or are audited and certified by independent providers, with which they can guarantee a higher level of cybersecurity and privacy and also present it transparently. In addition, in the event of problems with established providers, you can contact user support without any major problems and get help. Various fee-based VPN providers also have their own security guidelines, such as a no-log policy. This means that the VPN provider does not store any data about the activities of its users and therefore respects their privacy as much as possible.

You recently spoke about Windows’ own VPN in your column in the Tagesspiegel (German local newspaper), and said that it was not a “fully-fledged VPN” at all. Could you explain this in more detail?

Since 2022, Microsoft has also been offering its own VPN as part of its standard Windows system browser Edge. However, the term “VPN” appears here in a misleading way – it is not a fully-fledged VPN because it only works in the browser. A real VPN actually works system-wide and automatically protects the data traffic of other apps. This makes Microsoft’s service not only misleading, but also a risk for cybersecurity if inexperienced users assume that they will automatically enjoy complete and free protection. In addition, the Microsoft “VPN” is limited in terms of bandwidth and in its application scenarios. It is, therefore, not a VPN solution in the true sense of the word, even if it says otherwise, but rather just an encrypted surf proxy. There is also the case that Microsoft’s service probably does not follow a no-log policy and collects user-specific data.

Certain legally protected terms, such as “bank” and “insurance,” may only be used by companies that are authorized to do so. Keyword: labeling protection. Wouldn’t it also make sense to do this for VPN service providers, precisely because we’re talking about something as important as cybersecurity?

Yes, of course, that would make more than enough sense to prevent consumers from being deliberately misled — especially if their technical understanding is not so profound, and they are still reading up on the subject of VPNs. At present, it is theoretically possible for anyone to call themselves a VPN service provider. This also means that there are many unreliable services on the market. This can even go so far as a VPN app not helping, but instead doing harm by integrating devices into a global botnet. There have already been cases like this. Labeling protection would ensure that only companies that fulfill certain technical security standards and whose software has a sufficient range of functions are allowed to call themselves VPN service providers.