I get it. A VPN sounds like the kind of thing you should probably have, and when you see a free one sitting in the App Store with 50 million downloads and four stars, it is genuinely tempting to just grab it and move on with your life.
I did exactly that for longer than I’d like to admit. The logic seemed fine. It encrypts my traffic, it costs me nothing, and everyone seems to be using it. What’s the downside?
Turns out, quite a lot. And for Australians in particular, there are some specific reasons why the free VPN decision deserves more scrutiny than most people give it.
First, Why Australians Should Care About VPNs at All
Before getting into the free-versus-paid debate, it’s worth understanding why VPNs matter here specifically.
Australia’s Data Retention Act 2015 requires internet service providers and telcos to store your metadata for two years. That includes who you contacted, when, how long for, and your IP address. A VPN encrypts your browsing activity so your ISP can only see that you’re connected to a server, not what you’re actually doing through it. That stored metadata becomes a lot less useful to anyone looking at it.
VPNs are completely legal in Australia. Using one to protect your privacy, access content, or secure your connection on public Wi-Fi is not against the law. Anything you do through a VPN that would otherwise be illegal is still illegal. But the tool itself is fine.
So there are real, legitimate reasons for Australians to use one. The question is whether a free service actually delivers what it promises.
The Business Model Problem
Here is the thing that should give anyone pause. Running a VPN costs real money. You need servers, infrastructure, bandwidth, and staff. A provider offering you all of that for free has to be covering those costs somehow.
Sometimes that’s advertising. Sometimes it’s something worse. Research predicts that up to 60% of free VPNs could be selling user data to third parties, with up to 80% embedding tracking features. You read that right. The tool you installed to protect your privacy may be actively monetising your data in the background.
The cruel irony is not lost on me. Instead of paying with money, you are paying with your browsing habits, your IP address, your location, and potentially more. That is not a trade-off most people understand they are making when they tap install.
The Malware Problem Is Real and Getting Worse
This is where things get genuinely alarming. Not all free VPNs are quietly selling your data. Some of them are actively hostile.
A 2020 study of Android VPN apps found that 38% contained malware or malicious code. Adware, credential-stealing trojans, cryptocurrency miners running silently on your device. And things have not improved. In Q3 of 2024, malicious VPN app detections rose 2.5 times compared to the previous quarter.
Then there’s the botnet problem, which sounds technical but has very practical consequences for the person holding the phone. Hola VPN was caught routing other users’ traffic through its customers’ devices without their knowledge. Your internet connection. Your IP address. Used by strangers for whatever they liked. The 911 S5 botnet, dismantled by the US Justice Department in 2024, used the same approach, recruiting devices through free VPN apps. Users themselves risked being treated as accomplices in criminal activity they had absolutely no idea was happening.
These are not theoretical warnings. These are documented cases involving apps that sat in mainstream app stores with enormous download numbers.
The SuperVPN Story Is Worth Knowing
SuperVPN is probably the most instructive example of how badly this can go, and it’s worth knowing about before you trust any random free app.
It had over 100 million installs on Google Play and prominently advertised a no-logs policy. In plain English, that means it claimed not to store any record of what you did while connected.
In 2023, a security researcher discovered a 133 GB database containing over 360 million records of SuperVPN user data. Email addresses, real IP addresses, VPN servers used, websites visited, device information, geolocation. Everything the no-logs policy said they weren’t keeping. A similar breach in 2022 exposed 21 million user records, including names, payment data, and location logs.
The worst part? The exposure came not from a sophisticated cyberattack but from basic backend negligence. Developers had left default database credentials in place. One of the most downloaded VPN apps in the world, logging everything it said it wasn’t, and leaving it sitting in a database anyone could find.
Weak Encryption: The Technical Side
Even setting aside data selling and malware, plenty of free VPNs simply don’t work very well on a technical level.
Some use outdated encryption protocols, or in some cases no meaningful encryption at all. Paid VPNs typically use AES-256-GCM or ChaCha20 as standard. Some free services still rely on PPTP, a protocol that has been considered broken for well over a decade. I remember thinking encryption was encryption. It really isn’t.
There’s also the kill switch issue. When a VPN connection drops, your device reverts to your regular unprotected connection. A kill switch blocks all traffic until the VPN reconnects, so your real IP address never gets exposed. Most free VPNs lack this feature entirely. So even in the moments you think you’re protected, you might not be.
Research found that 88% of the top 100 free Android VPNs leaked user data. That number is almost hard to sit with.
What About the “Freemium” Exceptions?
It would be unfair not to mention that not every free VPN is a disaster. There are a handful of legitimate providers that offer free tiers as a way to attract paid subscribers. Proton VPN’s free option is probably the most widely trusted. It’s run by a Swiss-based privacy organisation with a genuinely audited no-logs policy, and unusually for a free tier, it has no data cap, though it limits you to servers in a small number of countries.
These freemium options tend to be slower, more restricted, and won’t always unblock streaming services. But they are not working against you, which already puts them in a very different category from the bulk of free VPN apps.
If you are going to use a free VPN, look for one attached to a legitimate paid product from a company with a verifiable track record and independent audits. Be deeply sceptical of anything that appears out of nowhere with a generic name and a suspiciously glowing rating.
Red Flags to Watch For
A few things worth checking before you install anything, free or paid.
The privacy policy is vague or contradictory. If it says “no logs” in the headline but reserves the right to share data with “partners” three paragraphs later, that is not a no-logs policy. It’s marketing copy with an escape hatch.
Excessive app permissions. A VPN has no business asking for access to your contacts, camera, or microphone. If it does, that is a signal it is collecting far more than it needs to function.
Anonymous developers. Some free VPNs are operated by companies that actively obscure who runs them and where they are based. If you cannot find out who is behind the product, you cannot meaningfully evaluate whether to trust it.
No independent audit. Reputable VPN providers pay third-party security firms to audit their infrastructure and no-logs claims. If a provider has never been independently audited, their privacy promises are unverifiable.
It’s based in Australia. This sounds counterintuitive, but Australian-based VPN companies are subject to the same data retention laws as your ISP, and to the encryption legislation that requires companies to give law enforcement access to encrypted communications when asked. Most recommended VPNs for Australians operate out of jurisdictions with stronger privacy protections.
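The excessive-permissions check from the list above can be run on an Android app before you trust it, by listing what the APK requests (for example with `aapt dump permissions app.apk`) and sorting the result. The script below is an added example, not part of the original article; the baseline of expected permissions, the red-flag groups beyond contacts, camera and microphone, and the sample dump are assumptions constructed for illustration.

```python
import re

# Assumed baseline: permissions a VPN client plausibly needs to function.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}
# Red-flag groups. Contacts, camera and microphone are the ones the article
# names; the other two groups are this example's own extension.
RED_FLAGS = {
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "camera": {"CAMERA"},
    "microphone": {"RECORD_AUDIO"},
    "sms/calls": {"READ_SMS", "SEND_SMS", "READ_CALL_LOG"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION"},
}
# Matches both aapt styles: name='android.permission.X' and bare android.permission.X
LINE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)'?")

# Constructed sample of `aapt dump permissions` output for a hypothetical app.
SAMPLE_DUMP = """\
package: com.example.freevpn
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: android.permission.RECORD_AUDIO
uses-permission-sdk-23: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='com.google.android.gms.permission.AD_ID'
"""

def parse_permissions(dump):
    """Return the set of permission names requested in an aapt dump."""
    found = (LINE.match(line.strip()) for line in dump.splitlines())
    return {m.group(1) for m in found if m}

def audit(dump):
    """Split requested permissions into red-flag groups and unexplained extras."""
    perms = parse_permissions(dump)
    flagged = {}
    for perm in sorted(perms):
        prefix, _, short = perm.rpartition(".")
        for group, names in RED_FLAGS.items():
            if prefix == "android.permission" and short in names:
                flagged.setdefault(group, []).append(perm)
    explained = EXPECTED.union(*flagged.values())
    return {"flagged": flagged, "unexplained": sorted(perms - explained)}

if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    for group, perms in report["flagged"].items():
        print(f"RED FLAG ({group}): {', '.join(perms)}")
    print("Needs a stated reason:", report["unexplained"])
```

Anything in the unexplained list is not automatically hostile, but the app's privacy policy should say why it is requested.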
So What Should You Actually Use?
If you’re spending money on a VPN, you don’t need to spend much. Mullvad, Proton VPN’s paid tier, ExpressVPN, and NordVPN all sit in a range most people can manage without noticing. Mullvad in particular has a strong privacy reputation and accepts anonymous payment methods, which is a nice touch if you’re serious about this stuff.
If cost is the real barrier, Proton VPN’s free tier is worth trying before you reach for a random app. It is slower and more limited than the paid version, but it will not log your data, sell your browsing history, or quietly recruit your device into a botnet.
The broader point is this. A VPN’s entire value is that it protects your privacy. If the service you’ve chosen is monetising your data to pay for itself, you haven’t gained anything. Around 43% of VPN users are on free services, and a significant portion of them almost certainly believe they are protected when they are not.
The free VPN I was using? I deleted it. Took thirty seconds. Paid about six dollars a month for a reputable one instead, and I haven’t thought about it since. That is probably how it should feel.
This article is for informational purposes only. VPN performance, availability, and legal considerations can change. Do your own research before selecting a provider.