Free VPN Chinese Ownership Investigation

At least 10 of the most popular free mobile VPN apps in the US have hidden Chinese ownership. Another four have suspected China links. As the pandemic drives up global VPN demand, we investigated just who is behind these apps.
Free VPN Chinese Ownership report header image showing two Android devices, one with the Google Play store listing for Turbo VPN and other showing VPN search results
Simon Migliano

UPDATED 07 July 08:35 GMT to highlight the impact of the new security laws introduced in Hong Kong.

  • Hidden Chinese ownership: 10 of the most popular free VPN mobile apps in the US are Chinese-owned. Another four VPNs have suspected links to mainland China.
  • Installs: with over 223 million global installs, these VPNs have a huge reach.
  • Fears over independence: these Chinese-owned VPNs continue to operate despite China’s strict VPN ban. Are they compromised?
  • Hong Kong crackdown: 5 VPN apps are registered in the city with a further two likely to be so as their developers are based there.
  • Weak privacy: 12 of these VPNs have privacy policies that are substandard or worse. Six VPNs have policies that are “poor” to “very poor”.

The Risks of Chinese VPNs

Virtual Private Networks (VPN) have become increasingly important since the global Covid-19 pandemic forced billions of people around the world to shelter in their homes, and increasingly rely on the internet for work, entertainment and communication.

VPN demand surged by over 40% worldwide as lockdowns came into force – even doubling or more in 21 countries.

A VPN is a powerful privacy and anti-censorship tool, but there are inherent risks with using one. Unless a VPN service has implemented measures to prevent it from happening, they can see – and potentially log – all your internet traffic.

This makes VPN traffic an appealing target for intelligence-gathering, especially so during this period of heightened demand.

The security risks posed by the involvement of companies like Huawei in the rollout of 5G outside of China are well-documented.[1]

Similarly, companies like Hikvision and Dahua have been blacklisted due to accusations that their surveillance technology has been used in state-sponsored human rights abuses in China.[2]

The world has been slower to catch up to the dangers posed by Chinese ownership of free VPN apps with hundreds of millions of users.

These risks have intensified not only in light of the increased VPN demand but also as China seizes the opportunity posed by the pandemic to export its surveillance tech

We have been reviewing VPNs since 2016, and have been investigating free mobile VPN apps very closely since 2018. We were the first to uncover the extent to which many of the most popular free VPN apps were secretly Chinese-owned, despite China’s strict ban on VPNs and general hostility to internet freedom.

Shortly after we published this report, China introduced sweeping new security laws in Hong Kong.[3]

The powers allow for raids without a warrant, secret surveillance and confiscation of property related to national security offences. Authorities can also order the takedown of online material they believe breaches the law.

These changes make it much harder to argue that Hong Kong-registered VPN apps with mainland Chinese ownership are somehow beyond reach of Beijing.

It’s more important than ever to scrutinize those apps most vulnerable to state interference and raise awareness of the risks.

We therefore reviewed the top 20 free mobile VPN apps in Google Play and Apple’s App Store in the United States. We identified 14 apps for further investigation of their ownership and corporate structure.

As well as digging into who’s behind these VPNs, and identifying any red flags around overall credibility, we also analyzed their privacy policies.

2022 UPDATE: More than two years after we published these findings, Chinese ownership of popular free VPNs in strategically-important territories continues to be an issue. Our analysis of who owns the most popular free VPN iOS apps in Taiwan reveals that half have links to mainland China.

EXPERT ADVICE: Before installing a mobile VPN, do your research on free Android VPNs and free iPhone VPNs. Our guide to safe free VPN apps is a good starting point.

Read a summary of our research into the safety of free VPNs.

Which Free VPNs are Chinese-owned?

Chinese Free VPN Provider Details

View this report’s Sources Appendix for URLs of Google Play Store listings and privacy policies of individual apps, along with links to evidence of Chinese ownership and corporate credibility issues.

Turbo VPN, VPN Proxy Master, Snap VPN

Note: These VPNs are grouped as we have found their ownership to be interconnected.

VPN Info

  • Turbo VPN:
    • VPN Installs 100 million
    • Listed VPN Developer: Innovative Connecting
    • App ID: free.vpn.unblock.proxy.turbovpn
    • VPN Website: turbovpn.co
    • Support Email: turbovpn@inconnecting.com
  • VPN Proxy Master:
    • VPN Installs 35 million (iOS) | 10 million (Android)
    • Listed VPN Developer: ALL Connected Co.,Ltd (iOS) | ALL Connected (Android)
    • App ID: 1025707485 (iOS) | free.vpn.unblock.proxy.vpn.master.pro (Android)
    • VPN Website: vpnmaster.co
    • Support Email: support@inconnecting.com
  • Snap VPN:
    • VPN Installs 10 million
    • Listed VPN Developer: Autumn Breeze 2020
    • App ID: free.vpn.unblock.proxy.vpnpro
    • VPN Website: lemonclove.net
    • Support Email: snapvpn@lemonclove.net

Who’s behind these VPNs?

These apps are operated by three interconnected companies based in Singapore with links to mainland China.

Turbo VPN

  • Company Name: Innovative Connecting
  • Company No: 201812738K
  • Corporate website: inconnecting.com
  • Office Address: 8 Marina View, #42-099, Asia Square Tower 1, Singapore, 018960
    • Prior address: 38 Beach Road #29-11 South Beach Tower, Singapore
  • Registered Address: As per office addresses above
  • Company Directors:
    • Li Chenguang – Chinese citizen, Shanghai address (full details redacted but available on public record)
    • Sun Kaixuan – Chinese citizen, Singapore address (full details redacted but available on public record)
    • Chen, Danian – former director, Chinese citizen, Singapore address (full details redacted but available on public record)
  • Shareholder Name: Lemon Seed Technology
  • Shareholder Company No: T18UF2859L
  • Place of Incorporation: Cayman Islands
  • Shareholder Address: Cricket Sq, Hutchins Dr, PO Box 2681, Grand Cayman, KY1-1111, Cayman Islands

VPN Proxy Master

  • Company Name: ALL CONNECTED PTE. LTD.
  • Company No: 201914849E (previously 201537185C)
  • Corporate website: allconnected.co
  • Office Address: No office address published
  • Registered Address: 10 Anson Road, #13-15 International Plaza, Singapore 079903
    • Prior address: 576, Woodlands Drive 16, #05-514, Singapore 730576
  • Company Directors:
    • Chen Lan – Chinese citizen, Guangzhou address (full details redacted but available on public record)
    • Chen Songlin Michael – Singapore citizen and address (full details redacted but available on public record)
    • Chng Li Boon Cherry – Singapore citizen and address (full details redacted but available on public record)
    • Chand Kumar Vishwakarma – former director, Indian citizen, Singapore address (full details redacted but available on public record)
  • Shareholder Name: All Connected Co Ltd
  • Shareholder Company No: T19UF3451J
  • Place of Incorporation: Cayman Islands
  • Shareholder Address: Suite #4-210, Governors Square, 23 Lime Tree Bay Avenue, PO Box 32311, Grand Cayman, KY1-1209, Cayman Islands

Snap VPN

  • Company Name: AUTUMN BREEZE PTE. LIMITED
  • Company No: 201813125N
  • Corporate website: autumnbreeze.co
  • Office Address: No office address published
  • Registered Address: 8 Marina View, #42-099, Asia Square Tower 1, Singapore, 018960
  • Company Directors:
    • Li Chenguang – Chinese citizen, Shanghai address (full details redacted but available on public record)
    • Sun Kaixuan – Chinese citizen, Singapore address (full details redacted but available on public record)
  • Shareholder Name: Cyber Knight Ltd
  • Shareholder Company No: T19UF4183A
  • Place of Incorporation: British Virgin Islands
  • Shareholder Address: Vistra Corporate Services Centre, Wickhams Cay II, Road Town, Tortola, VG1110, BVI

China Links

Turbo VPN:

  • Both current company directors are Chinese citizens, one with a mainland Chinese address
  • As recently as December 2019, prominent Chinese internet entrepreneur Chen Danian (Danny Chen) was a director
  • Sole shareholder Lemon Seed Technology has the same Cayman Islands business number as former sole shareholder Linksure Telecom Sea Holding Ltd, which was notable for sharing a name with Linksure – whose founder and CEO is the same Chen Danian (Danny Chen) mentioned above
  • Director Sun Kaixuan is also director of Lemon Clove Pte, a VPN company previously found to have links to China

VPN Proxy Master:

  • A company director is a Chinese citizen, with a mainland Chinese address
  • Clear connections to China-linked Turbo VPN (see below for further details)

Snap VPN:

  • Both current company directors are Chinese citizens, one with a mainland Chinese address
  • China-linked director Li Chenguang is also a director at Turbo VPN
  • Director Sun Kaixuan is also director of Lemon Clove Pte, a VPN company previously found to have links to China
  • Previously operated by Lemon Clove Pte, a VPN company previously found to have links to China, and which is still the name of their developer domain

Corporate Credibility Issues:

  • No transparency about the close connections between the companies, which includes:
    • Innovative Connecting (Turbo VPN) and Autumn Breeze (Snap VPN) have the same directors
    • The corporate websites all share the same branding, assets and copy
    • All Connected (VPN Proxy Master) offers email support via the same domain as Innovative Connecting (Turbo VPN): inconnecting.com
    • The Developer Website link on the VPN Master App Store listing leads to snapmastervpn.com before redirecting to the current site.[4] At the time of writing, clicking this link prompted a browser security warning based on the expiration of the SSL certificate 10 days prior.
    • All three companies use the same distinctive privacy policy template
    • VPN Master’s privacy policy refers to Lemon Clove rather than its Listed VPN Developer All Connected.[5] Lemon Clove is the former name used by the developer of Snap VPN.
    • Previous investigations by Top10VPN revealed the following connections that have been covered up since publication of our findings:
      • Turbo VPN was previously listed on the App Store[6] with All Connected as the developer but as Innovative Connecting on Google Play[7]
      • The Turbo VPN App Store listing linked out to the VPN Master website as its developer
      • Prior versions of the VPN Master website were attributed to Innovative Connectingin the footer[8]
      • Lemon Clove (as the developer of Snap VPN was formerly known and is still an active company as of the time of publication) shared a company secretary and key addresses with Innovative Connecting
  • All three companies have re-structured since our prior investigation, appointing all new directors
  • The developers of Snap VPN also re-registered their business under a new name with a new business company number. Despite now being Autumn Breeze 2020, their Google Play listing still links to lemonclove.net while listed email support also remains on that domain.[9]
  • The corporate websites are all low-quality with little meaningful information about the companies they purport to represent
  • Turbo VPN’s Google Play listing still shows the company’s old address of South Beach Tower, Singapore.[10]
  • Snap VPN hosts its privacy policy on a generic non-HTTPS Cloudfront domain: d32z5ni8t5127x.cloudfront.net

Privacy Policies

Note: The privacy policies for these three apps are identical and so the following analysis applies to all three.

  • Do have VPN logging policies
  • Misleading as they prominently state they log nothing at all, falsely giving the impression that not even connection metadata is logged
  • Further down the policies they state that connection date, VPN server country, user ISP/country and bandwidth are actually logged
  • Bandwidth policy suggests they can link sessions to users
  • Collect information related to which Apps and Apps version(s) you have activated – unclear whether this relates to VPN app only
  • No log retention/deletion policy
  • Claim to not target ads based on personal info but allow for ad partners to track users
  • Appear to be in breach of Apple developer guidelines over third-party data sharing by VPN apps
  • While still substandard, the policies are significantly improved compared to previous versions

Privacy Policy Verdict: SUBSTANDARD

X-VPN

VPN Info

  • VPN Installs 15 million (iOS) | 10 million (Android)
  • Listed VPN Developer: Free Connected Ltd
  • App ID: 1250312807 (iOS) | com.security.xvpn.z35kb (Android)
  • VPN Website: xvpn.io
  • Support Email: support@xvpn.io

Who’s behind this VPN?

  • Company Name: Free Connected Ltd
  • Company No: 2553621
  • Corporate website: freeconnectedlimited.com
  • Office Address: Flat/Rm A40, 9/F Silvercorp International Tower 707-713 Nathan Road Mongkok, Kowloon Hong Kong
  • Registered Address: Room 1501, Grand Millennium Plaza (Lower Block), 181 Queen’s Road Central, Hong Kong
  • Company Director: Li, Jin (李進), Chinese citizen with a Sichuan address (full details redacted but available on public record)

China Links

  • The sole company director is a Chinese citizen, with a mainland Chinese address
  • This is not disclosed anywhere on the X-VPN or Free Connected websites

Corporate Credibility Issues:

No further credibility issues beyond lack of transparency regarding ownership. Corporate information appears to have remained unchanged since our previous investigations, which is positive.

Privacy Policy

  • It has a generally credible logging/data retention policy
  • X-VPN has some privacy issues around advertising and geolocation but they are generally within bounds of acceptability

Privacy Policy Verdict: ACCEPTABLE

SkyVPN

VPN Info

  • VPN Installs 10 million
  • Listed VPN Developer: 2nd Phone Number & VPN Ltd (formerly Sentry SkyVPN Security Technology)
  • App ID: me.skyvpn.app
  • VPN Website: skyvpn.net
  • Support Email: support@skyvpn.net

Who’s behind this VPN?

  • Company Name:
    • Tengzhan Technology Ltd – known to operate as Dingtone internationally
    • Parent company: Tenghzan Group 杭州腾展科技股份有限公司
  • Company No:
    • Tengzhan Technology Ltd: 2787571
    • Tengzhan Group: 913301065898564843
  • Corporate website:
    • Tengzhan Technology Ltd: no website.
    • Tengzhan Group: tengzhangroup.com
  • Office Address:
    • Tengzhan Technology Ltd: None published (address on Google Play[11] is out of date and refers to dissolved company)
    • Tengzhan Group: 17th Floor, Huaxing Century Building, 317 Wantang Road, Xihu District, Hangzhou, China
  • Registered Address:
    • Tengzhan Technology Ltd: Rm 702 Hollywood Plaza 610 Nathan Rd, Kowloon, Hong Kong
    • Tenghzan Group: 17th Floor, Huaxing Century Building, 317 Wantang Road, Xihu District, Hangzhou, China
  • Company Director:
    • Tengzhan Technology Ltd: Yang Dan, Hong Kong citizen and address (full details redacted but available on public record)
      • Former director of dissolved company Tengzhan Hong Kong Ltd (1650349): You Xiumei (游秀妹), Chinese citizen with address in Guangdong Province (full details redacted but available on public record)
    • Tenghzan Group: Chairman Wei Songxiang (AKA Steve Wei, 魏松祥), Chinese citizen. Address unknown but as the company is based in Hangzhou it’s likely to be in mainland China.

China Links

  • Parent company is prominent Chinese company Tengzhan Group
  • Tengzhan Group acquired Dingtone brand in 2015, according to a Chinese-language disclosure document we discovered.[12][13] Dingtone is also mentioned on the Tengzhan Chinese-language site and recent corporate press releases.
  • Current staff member profiles on LinkedIn.cn link Dingtone to Tengzhan Technology Limited
  • China media reports also link the Tengzhan Chairman Steve Wei (AKA Wei Songxiang) with SkyVPN
  • Nowhere on the SkyVPN site is the relationship with Tengzhan Group referenced

Corporate Credibility Issues:

  • Timing of reincorporation as a new company shortly following publication of SkyVPN’s ownership structure
  • Address on Play store is still for dissolved company and has not been updated
  • Listed VPN Developer on the Play Store has now been changed to an entirely fictitious entity unrelated to SkyVPN or its true owners

Privacy Policy

  • SkyVPN collects aggregate bandwidth info
  • Real-time traffic management means SkyVPN detects internet activity (ie destination websites and source IP addresses) but claims this is never logged
  • Uses in-app analytics technologies
  • Automatically collects Android, Apple iOS, or other ID, device maker & model, mobile web browser type & version, IP address, MAC address, the OS’s maker & version, location information, MCC (Mobile Country Code) information, the mobile application name, a list of mobile applications installed on your device and other technical data about your device
  • SkyVPN claim they forward no data to third parties. They make express reference to the fact that they do not share data with social networks or advertising networks.
  • Ads in the app do drop cookies for targeted ads

Privacy Policy Verdict: SUBSTANDARD

Thunder VPN, Secure VPN

VPN Info

    • Thunder VPN
      • VPN Installs 10 million
      • Listed VPN Developer: Signal Lab
      • App ID: com.fast.free.unblock.thunder.vpn
      • VPN Website: thunder.free-signal.com
      • Support Email: signallab07@gmail.com

  • Secure VPN
    • VPN Installs 10 million
    • Listed VPN Developer: Signal Lab
    • App ID: com.fast.free.unblock.secure.vpn
    • VPN Website: secure.free-signal.com
    • Support Email: signallab07@gmail.com

 

Who’s behind these VPNs?

  • Company Name: Official name unknown
  • Company No: Unknown
  • Corporate website: No corporate site
  • Office Address: 1000 S. Fremont Ave. Bldg. A1, Alhambra Arkansas 91803 US
  • Registered Address: Unknown
  • Company Director: Identity unknown but confirmed as Hong Kong Chinese

China Links

  • The developers confirmed to Top10VPN that they are from Hong Kong, however they declined to reveal their identities or divulge further information about their company
  • Due to lack of official company registration information, it’s impossible to verify whether there are links to mainland China as well as to Hong Kong
  • The developers mislead users into believing they are based in the US, which raises red flags

Corporate credibility issues

  • This VPN developer trades as Signal Lab but hides the details of its registered company. It’s therefore impossible for consumers to have any idea with whom they are entrusting their data.
  • The US address on the Google Play listing is not actually Signal Lab’s offices and is instead used for payment purposes only. This has been confirmed to us by the developers via email.
  • Support Emails are on the generic Gmail domain, which is not a good trust signal.

Privacy Policy

  • Does have a logging policy but it’s extremely basic
  • Collects significant non-browsing data: IP address, ISP, OS version, language of device, app identifier, app version, independent device identifier, ad identifier, device manufacturer and model, email address, time zone, network state (ie WiFi), connection times, choice of server location, bandwidth consumed per day
  • This data is “stored” but no storage/deletion timeframe is specified
  • Shares diagnostic data with third-party analytics but claims it does not contain any personally-identifiable information

Privacy Policy Verdict: POOR

Free VPN by vpnify

VPN Info

  • VPN Installs 5 million
  • Listed VPN Developer: vpnify
  • App ID: com.vpn.free.hotspot.secure.vpnify
  • VPN Website: vpnifyapp.com
  • Support Email: vpnify.app@gmail.com

Who’s behind this VPN?

  • Company Name: Neonetworks Solution Limited
  • Company No: 2874364
  • Corporate website: Does not have a website
  • Office Address: Unit D 16/F, One Capital Place, 18 Luard Road, Wan Chai, Hong Kong
  • Registered Address: Unit D 16/F, One Capital Place, 18 Luard Road, Wan Chai, Hong Kong
  • Company Director: Yin Yu (殷瑜), Chinese citizen with Anhui Province, China address (full details redacted but available on public record)

China Links

  • Sole company director is a Chinese citizen with an address in mainland China
  • This is not disclosed anywhere on the vpnify website

Corporate credibility issues

  • Company has only been in existence since September 2019 and there is little public information about it
  • Neonetworks Solutions Ltd has no online presence
  • About page is lorem ipsum placeholder text, showing a disturbing lack of professionalism and attention to detail
  • Support Emails are on the generic Gmail domain, which is not a good trust signal.

Privacy Policy

  • No VPN specific privacy policy (ie no logging / data retention policy)

Privacy Policy Verdict: VERY POOR

VPN

VPN Info

  • VPN Installs 5 million
  • Listed VPN Developer: VPN Master LLC
  • App ID: com.open.hotspot.vpn.free
  • VPN Website: None
  • Support Email: freeinternnet@gmail.com

Who’s behind these VPNs?

  • Company Name: Unknown
  • Company No: Unknown
  • Corporate website: No website
  • Office Address: Basement, 31 Ko Shing St, Sheung Wan, Hong Kong
  • Registered Address: Unknown
  • Company Director: Unknown

China Links

  • Based in Hong Kong but extremely secretive about their location, which was removed from their store listing in 2019
  • Investigations into related apps revealed a connection to an individual based at some point in Guangzhou City
  • A total lack of transparency means it impossible to confirm or deny possible China links

Corporate credibility issues

  • Listed app developer VPN Master LLC is not a registered company name
  • There’s no website available for either the VPN app nor its developer
  • In 2019, the developer removed their location from their Play Store listing, which is their only “official” online presence
  • The previously-listed Hong Kong address is in a store basement on Ko Shing Street, an area better known as the heart of the wholesale trade of Chinese herbal medicine than for tech company headquarters
  • The privacy policy link on the Play Store directs to a parked domain offering ads
  • There has been at least one change of name for both app and developer. In early 2019, the developer name was “FREE VPN (Unlimited Fast VPN Master)” an the app name “FREE VPN – Fast Unlimited Secure Unblock Proxy”, as shown by archived versions of the store page listing and our own investigation.
  • We discovered a web of related apps, none of which offer any transparency about the developer:
    • Super VPN Proxy by Word Connect Master has the same Ko Shing St address as this app
    • Super VPN Proxy has the same privacy policy template as that of another app called Rolling Ball that is featured on archived versions of the dappium.co domain linked to from this app’s store listing
    • rolling.ball.master@gmail.com is the contact on yet another app called Ultimate VPN
    • The privacy policy of yet another Word Connect Master app com.open.hotspot.vpn.free contained links whose hover state indicated weimengll.top as the domain. Weimengll is a user on yingjiesheng.com with a residence of Guangzhou City.

Privacy Policy

  • No privacy policy whatsoever

Privacy Policy Verdict: VERY POOR

Super VPN Unblock Master

VPN Info

  • VPN Installs 1 million
  • Listed VPN Developer: Hotspot VPN & Proxy Master
  • App ID: com.supervpn.vpn.free.proxy
  • VPN Website: supershell.me
  • Support Email: contacts@hotspotvpn.com

Who’s behind these VPNs?

  • Company Name: Hotspot VPN Pte Ltd
  • Company No: 201937726W
  • Corporate website: supershell.me
  • Office Address: 1 Yisun Industrial Street 1 #03-26 A’Posh Bizhub, Singapore 768160
  • Registered Address: As above
  • Company Director: Chua Hong Yean, Malaysian citizen with Singapore address (full details redacted but available on public record)

China Links

  • Multiple similarities with other China-linked VPN services, including:
    • Identical corporate/VPN Website template
    • Very similar developer name
    • Identical privacy policy
  • However given lack of specific links to China, it’s possible that this is simply a copycat site that has chosen to plagiarize popular Chinese-owned apps

Corporate credibility issues

  • Plagiarized online presence and policies
  • Typos on the corporate website suggest lack of professionalism
  • The director’s registered address is a public housing property

Privacy Policy

Privacy Policy URLs:

  • SuperVPN’s privacy policy linked from store listing is not VPN-specific
  • A further privacy policy is linked from the corporate site:

Privacy Policy Verdict: SUBSTANDARD

Sec VPN

VPN Info

  • VPN Installs 1 million
  • Listed VPN Developer: Sec VPN
  • App ID: com.free.unlimited.vpn.proxy
  • VPN Website: secvpns.com (lacks SSL)
  • Support Email: secvpn10@gmail.com

Who’s behind this VPN?

  • Company Name:
    • TCL Mobile Communication (HK) Company Ltd
    • Parent company: TCL Corporation (part Chinese state-owned)
  • Company No:
    • TCL Mobile Communication (HK) Company Ltd: 0672845
    • TCL Corporation: 91441300195971850Y
  • Corporate website: tcl.com
  • Office Address:
    • “Sec VPN”: Sea Side Road, Ma Liu Shui, Hong Kong
    • TCL Corporation: TCL Technology Building, 17 Huifeng 3rd Road, Zhongkai Hi-Tech Development District, Huizhou City, Guangdong Province
  • Registered Address:
    • TCL Mobile Communication (HK) Company Ltd: 8/F, Building 22E, 22 Science Park East Avenue, Hong Kong Science Park, Shatin, New Territories, Hong Kong 999077
    • TCL Corporation: TCL Technology Building, 17 Huifeng 3rd Road, Zhongkai Hi-Tech Development District, Huizhou City, Guangdong Province
  • Company Director:
    • TCL Mobile Communication (HK) Company Ltd:
      • Lyu Xiabin (呂小斌), Chinese citizen with Guangdong address (full details redacted but available on public record)
      • Tang Haixia (唐海霞), Chinese citizen with Shanghai address (full details redacted but available on public record)
    • TCL Corporation: CEO and Chairman of the Board Li Dongsheng (李东生), Chinese citizen

    China Links

    • An older version of the privacy policy previously linked from a now-deleted version of the Sec VPN Play store listing contains address of TCL Group and has a TCL corporate email for GDPR enquiries.
    • The Hong Kong Science Park address noted as the registered company address appears in the older version of the Sec VPN privacy policy but is also the published address of the HK subsidiaries of TCL
    • TCL is a highly prominent partially state-owned Chinese electronics company, which also owns other VPNs
    • Steps have been taken to apparently obscure the relationship between Sec VPN and TCL

    Corporate credibility issues

    • The Sec VPN Website is very poor indeed: lacking in all expected footer information and legal policies
    • Sec VPN (AKA Sec VPN Internet Co.) doesn’t appear to be a registered HK company. This entity also used to be known as Free VPN Internet Co. Ltd – also not a HK-registered company.
    • It required significant digging to uncover any corporate information whatsoever

    Privacy Policy

    • Does have a logging policy but it’s extremely basic and is clearly plagiarized from Thunder VPN and Secure VPN (whose policies predate this one)
    • Collects significant non-browsing data: IP address, ISP, OS version, language of device, android_id, app identifier, app version, independent device identifier, ad identifier, device manufacturer and model, email address, time zone, network state (ie WiFi), connection times, choice of server location, bandwidth consumed per day
    • This data is “stored but no storage/deletion timeframe is specified
    • Shares diagnostic data with third-party analytics but claims it does not contain any personally identifiable information

    Privacy Policy Verdict: POOR

    Free VPN Tomato

    VPN Info

    • VPN Installs 1 million
    • Listed VPN Developer: IronMeta Studios
    • App ID: com.ironmeta.security.turbo.proxy.vpntomato.pro
    • VPN Website: ironmeta.com
    • Support Email: vpntomato.dev@gmail.com

    Who’s behind this VPN?

    • Company Name: Lovinpal Pte. Ltd.
    • Company No: 201924002Z
    • Corporate website: ironmeta.com
    • Office Address: 35 Selegie Road #09-16 Parklane Shopping Mall Singapore 188307
    • Registered Address: 60 Paya Lebar Road #07-43C Paya Lebar Square, 409051
    • Company Director: Tian Yuan, Chinese citizen, Singapore address (full details redacted but available on public record)

    China Links

    • Sole director is Chinese citizen
    • Very secretive about ownership structure, which raises red flags

    Corporate credibility issues

    • Corporate website is empty of content beyond privacy policy. It has a blank homepage with “Hi, IronMeta” in plain text
    • No references linking company to published address anywhere on web outside of app store listing. Only other unrelated companies are publicly linked to that address.
    • ToS not linked to from Play Store (found on App Store)
    • Found official name via an Apple App Store listing for the pro version of the app
    • Support Emails are on the generic Gmail domain, which is not a good trust signal.
    • Tian Yuan is an office holder at 72 other live companies (and 5 that have been struck off) – none of which have any online presence or physical address – all addresses are incorporation company addresses (mainly SproutAsia)
    • Director registered address is in a public housing property

    Privacy Policy

    • No VPN-specific privacy-policy

    Privacy Policy Verdict: VERY POOR

Detailed Findings

Methodology

We reviewed the ownership of the companies operating the 20 most popular VPN mobile apps in the US in both Google Play and Apple’s App Store. We identified those with ties to China and conducted further investigation and analysis.

We investigated the corporate structure and credibility of each VPN service, and assessed its privacy policies.

We graded privacy policies on the following basis: VPN-specificity, detailed VPN logging policies, data storage and retention, collection of personally identifiable information and sharing of data with third-parties. We penalized VPN services for blatant plagiarism of other providers’ policies and for signs for obvious lack of care, such as generic domains or typos.

The authors of all our investigations abide by the journalists’ code of conduct.

References

[1] https://www.theguardian.com/commentisfree/2020/jan/28/the-guardian-view-on-huawei-and-5g-the-risks-are-real

[2] https://www.bbc.co.uk/news/business-48441814

[3] https://www.nytimes.com/2020/06/29/world/asia/china-hong-kong-security-law-rules.html

[4] https://drive.google.com/file/d/1-EzVowUTRYLVRhuuH8yWQI_ZmPHr2zLi/view?usp=sharing

[5] https://drive.google.com/file/d/1Jg0GytrjluaKdJ2iOVh12PKqsIxMVKbM/view?usp=sharing

[6] https://drive.google.com/file/d/1bCfKYFtIiUCz5l1SyV04KhVjbzGu4OvX/view?usp=sharing

[7] https://drive.google.com/file/d/18REm_Y6zjAJ73O4P3FZsPJuxGbrLy0It/view?usp=sharing

[8] https://web.archive.org/web/20181124195931/https://vpnmaster.co/

[9] https://drive.google.com/file/d/1Ot6u7Sj_9344NJKniuhQ8RsKw0-_3Uf5/view?usp=sharing

[10] https://drive.google.com/file/d/150hEid3UpmPdE7Z1gF0nNvpi0OtxT4XH/view?usp=sharing

[11] https://drive.google.com/file/d/1aesawBQm2XNV71dWwWhIUmapActxcOCk/view?usp=sharing

[12] https://drive.google.com/file/d/1EiYyDHCjBnPV3d0DTsPqmgO4jrmnH7V-/view?usp=sharing

[13] http://www.neeq.com.cn/disclosure/2016/2016-07-29/1469790060_481182.pdf