A free VPN allegedly takes screenshots of Chrome users

“If the product is free, you are the product.”

You can apply that thinking to pretty much anything supported by advertising or data collection, including tools like Chrome and Gmail. (And you’re not paying to read these words, are you? Food for thought.) But one VPN tool, claiming to increase user privacy and security, might be snooping on the people it’s claiming to protect.

That’s the claim put forth by Koi Security, a software vendor that also investigates other applications. According to its report, the “FreeVPN.One” virtual private network, available as an extension of the Chrome browser, is peeping on its users in a variety of ways. First and most concerningly, the extension appears to take a screenshot of every single website the user visits, even waiting a second after the page loads to make sure everything is rendered.

This automatic screen recording may be related to the tool’s “Scan with AI Threat Detection” feature. This little button lets you “scan” a website visually and then it sends the screenshot off to FreeVPN.One’s servers, where it gets analyzed for threats. That sounds neat, I suppose… but it’s not really doing anything that couldn’t be done faster and more efficiently just by sending the URL in. And, as Koi reports, the tool appears to have taken a screenshot of every single page the browser visits already, without informing the user.

The extension is also recording the user’s location via IP address, and has access to all of the user’s URLs via elevated permissions. “With the  permission, the extension gains the ability to access every site you visit,” says Koi’s report. “This broad reach lets it inject a content script everywhere you go.”

Koi says that FreeVPN.One has massively updated its permissions and alleged spying starting in April of this year, after amassing hundreds of thousands of installations, and has covered its tracks in some of the recent releases with updates meant to obfuscate its activity. Though the developer claims that screenshots are not permanently saved or transmitted, and that user data is never sold, they remain anonymous with no notable business or contact information. The developer stopped responding to Koi’s emails after being asked to provide any sort of evidence of legitimacy.

VPN tools are skyrocketing in popularity, as more countries and US states enact laws that limit user access to adult websites, and more users become wary of their online safety. But free VPNs are a gamble at best — the very nature of the system requires a good amount of trust, literally funneling all your web traffic through a third party. This particular extension, which is still available on the Chrome Web Store, went well beyond the basics for that via its elevated permissions.

If you need a VPN for anything more than a few basic, low-risk browsing sessions, it might be best to invest in a paid option. Paid VPNs aren’t necessarily any more trustworthy… but they do have an incentive to keep the user happy, instead of collecting valuable data and finding a way to monetize it. For a deep dive into the best options for VPNs, be sure to check out this PCWorld report.