It is common practice among most school districts to restrict their students’ access to the Internet to prevent them from browsing porn and “inappropriate” websites — from social media platforms to educational websites about racial identity, mental and reproductive health. And, increasingly, it’s common practice among many kids to use apps that bypass these restrictions so they can view these sites anyway.
Today, 1 in 4 American high school students now use solutions to avoid school internet restrictions, which, in addition to blocking websites, can also monitor their personal online lives, including social media posts, emailsand browsing history. The most common of these solutions is a VPN, or virtual private network, which hides a user’s IP address from the websites they browse and the apps they use. However, VPNs – especially the free types that teenagers are more likely to use – often collect sensitive personal information such as location and browsing history.
Many unscrupulous free VPN companies then sell this information to data brokers. Some of them have ties with China, where the Chinese Communist Party has the power to compel any company to hand over such data. And others may contain malware that allows hackers to take control of the devices they are installed on.
Just last week, the US Department of Justice accused Chinese national who allegedly used a free VPN to access 19 million IP addresses, more than 600,000 of which were in the United States, and rent them to criminals who used them to stalk and defraud people and engage in exploitation children.
New research from Reset Tech, which will be shared with lawmakers this week, shows that these China-linked VPN companies were popular among school children. The researchers found that the companies behind these apps openly target teenagers, advertising theirs products as a way to bypass school Wi-Fi. Dozens of app store reviews suggest the campaigns are working — they claim they were written by teens, for teens trying to access information, play games, or watch TikToks in class.
“Me and many other friends all use it at school and it works like a charm on wifi!” Would 100% recommend it to any teen or adult looking for a VPN for free,” reads a VPN – Super Unlimited Proxy review.
VPN – Super Unlimited Proxy, owned by Singapore company Mobile Jump Pte Ltd. where previously mentioned its headquarters in Beijing, can collect and sell users’ approximate location, network activity, unique device identifiers and IP address, in accordance with its privacy policy. Mobile Jump Pte Ltd. did not respond to a request for comment.
Another similar app called Turbo VPN, which has more than 300 million users worldwide and has advertised that its product team is based in Guangzhou, China, has aggressively targeted children. In 2022, the company published a blog post on how to use its app to unblock Instagram at school. On its homepage, where the company has featured 5-star reviews of Turbo VPN, someone says, “This is the best app because my school blocks apps that are in different languages and also blocks access to some of my games. I want to say thank you now, I can listen to all my music and even play all my games.” TurboVPN did not respond to a request for comment.
Concerns about foreign VPN companies collecting Americans’ data are not new. In early 2019, months before the administration first began investigating the national security risks posed by TikTok, Senators Ron Wyden and Marco Rubio wrote to Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency at DHS, asking the agency conduct a threat assessment of the risks foreign VPNs pose to US government employees and service members.
“If US intelligence experts believe that Beijing and Moscow are leveraging Chinese and Russian technology to track Americans, surely DHS should also be concerned that Americans are sending their web browsing data directly to China and Russia,” they wrote at the time.
Chris Krebs, then director of the Cybersecurity and Infrastructure Security Agency, he answered to Wyden and Rubio confirming that the apps posed a national security risk, especially if they were downloaded to US government devices.
In 2022, Senators Wyden and Anna Eshoo as well he urged FTC to ‘restrict abusive and deceptive data practices’ by VPN companies that could compromise the privacy of women seeking abortions, Supreme Court says Dobbs reversal of decision Roe v. Wade.
Senator Marsha Blackburn also expressed concern about VPN companies targeting children: “I am extremely concerned to hear that our children’s data is being exploited and sold to actors, including the DPRK. When consumers use a VPN, they expect their data to be secure,” he said Forbes.
Ironically, VPNs face severe limitations in China, where they are popular with people seeking to circumvent the government’s censorious Great Wall.
Beyond concerns about China, there is a broader privacy threat from data breaches. In 2023, SuperSoftTech, a VPN based in Singapore with ties to Chinaaccidentally exposed 360 million user data files online, including users’ email and IP addresses, location data, and referrals to websites they visited.
Not all critics have limited their concern to international applications. When asked about the threat of the Chinese government collecting the private information of minors, Girard Kelly, senior counsel and head of the privacy program at Common Sense Media, said he thinks that concern may be overblown.
“We think that the Chinese government has access to information and is gathering all this information to persuade [kids], perhaps with advertising or other information campaigns. But the social media services and apps we use already do that.”