Your VPN could be giving your browsing data to China, watchdog says

Using a free app to hide your internet traffic? The company behind it could be quietly tied to China, where the government maintains the ability to surveil all user data, according to a report published Thursday by the Technology Transparency Project.

The report accuses 17 Apps — six on Apple’s App Store, four on the Google Play Store and seven on both — of having undisclosed ties to China. In several cases, the TTP linked the app developers to a prominent Chinese cybersecurity company, Qihoo 360, which is under U.S. government sanctions.

The apps are all virtual private networks, or VPNs, which allow a user to divert their internet traffic through a company’s internet connection. With names like VPNify, Ostrich VPN and Now VPN, none of them make overt references to China or Chinese ownership on the app stores.

VPNs are primarily used to either protect a user’s privacy by making it harder for a website to know who’s visiting them, or to skirt around censorship measures. But unless a VPN company takes significant steps to automatically and permanently delete its users’ search histories, a company is likely to keep records of its customers’ internet activity.

That is particularly notable if the company is Chinese, as national law there stipulates that intelligence and law enforcement agencies do not need a warrant to view any personal data that is stored there.

“VPNs are of particular concern because anyone using a VPN has the entirety of their online activity routed through that application,” said Katie Paul, the TTP’s director.

“When it comes to Chinese-owned VPNs, that means this data can be turned over to the Chinese government based on China’s state laws,” Paul said.

Justin Sherman, a nonresident senior fellow at the Atlantic Council who studies data privacy, told NBC News that using a Chinese-owned VPN would be tantamount to handing over one’s browsing history to Beijing.

“Capturing data via a VPN could let the Chinese government see everything from websites a person is reading that criticize the Chinese state, to the corporate databases and private portals that person might pull up (and then log into) on the internet for work,” he said.

The TTP, a tech-focused arm of the Campaign for Accountability, an investigative nonprofit that seeks to expose “corruption, negligence, and unethical behavior,” previously published a report on Chinese VPN apps on April 1. Apple soon took down three of the apps with alleged ties to Qihoo 360: Thunder VPN, Snap VPN and Signal Secure VPN. The other apps — Turbo VPN and VPN Proxy Master, which are also available on the Google Play Store, as well as three others that Google offers — are all still available.

None of the apps are listed as being developed directly by Qihoo 360. Instead, they are developed by Singapore-based companies including Lemon Seed, Lemon Clove, Autumn Breeze and Innovative Connecting. The TPP cited business filings in China that show Qihoo 360 saying it had acquired those companies in 2019, and Corporate registration documents for those companies in the Cayman Islands from March that all list the director as a top Qihoo 360 employee.

NBC News reached out to developers listed for the 17 apps. Only one claimed not to have ties to China: WireVPN, where an employee claimed in an email that the company is “an independent service” with “no ties to Chinese entities or government organizations.”

“We are neither affiliated with Qihoo 360 nor any other PRC-based enterprises, and our operations are entirely autonomous,” the employee said.

However, WireVPN’s privacy policy makes clear that users are expected to adhere to Chinese law and bans them from “Violating the basic principles established by the Chinese Constitution” and “Violating the traditional virtues of the Chinese nation, social morality, rational morality, and socialist spiritual civilization.”

Qihoo 360 didn’t respond to a request for comment. But China Daily, a state-run newspaper, has reported that its cybersecurity clients include the Chinese military and “at least eight ministries” of the Chinese government. In a 2016 press release, the company seemed to indicate it was in the VPN business, saying “Qihoo 360 also provides users with secure access points to the Internet via its market leading web browsers and application stores.”

Both Apple and Google declined to address the specific apps that TTP highlighted as tied to Qihoo 360 and told NBC News that they follow U.S. laws regarding sanctions. Neither bans VPN app developers simply for following Chinese law.

Peter Micek, general counsel at Access Now, a tech policy and human rights advocacy nonprofit, told NBC News that he was surprised to see the tech companies had potentially overlooked a sanctioned company offering apps under innocuous developer names.

“It seems like this project has done the homework and due diligence that Apple and Google should have done, and it does seem like those ties would constitute indirect contact with, transactions with folks who are sanctioned,” he said. Tech companies can sometimes face significant fines for violating sanctions, Micek said.

Sanctions are put in place by the federal government as a penalty on foreign entities and individuals, preventing U.S. companies and individuals from doing business with them. They are often imposed after a foreign entity or individual is shown to have conducted some sort of condemned behavior or have links to condemned groups, such as cybercriminals or terrorist organizations. Qihoo 360 faced sanctions from the Commerce Department in 2020, which said the company could become involved in supplying materials to the Chinese military. The sanctions prevent American companies from exporting technology or software to Qihoo 360. It’s not clear if app stores hosting apps tied to Qihoo could be in violation of those sanctions.

The Commerce Department did not respond to a request for comment.