The controversial Online Safety Act is driving many users—including minors—toward free VPN services as a way to protect their privacy. Yet a new investigation exposes a troubling irony: in trying to escape surveillance and data collection, many people are routing their traffic through VPNs that connect to servers in China and Russia, potentially exposing the very information they hope to protect.
Designed to make the UK the “safest place in the world to be online,” the Online Safety Act places a duty of care on tech companies to protect users from harmful content. A central element of the law is stricter age verification for sites hosting adult material.
While the aim appears protective, critics warn the legislation risks significant overreach. Opponents argue it could threaten free expression and digital privacy by compelling platforms to monitor user activity, weaken end-to-end encryption, and remove content deemed harmful—including legitimate protest. High-profile data breaches have shown that uploading personal information to services can carry real risks, reinforcing those concerns.
As a result, VPN adoption has surged. VPNs mask IP addresses and encrypt internet traffic, enabling users to bypass ISP-level blocks and age gates. For younger users in particular, free VPNs provide an easy workaround to access restricted content without submitting personal identification.
However, many people choosing free VPNs may be trading one risk for another. Research from Comparitech examined popular free VPN apps on Apple’s App Store and the Google Play Store and found that numerous apps communicate with servers located in jurisdictions with poor privacy safeguards.
Building on prior reporting by the Tech Transparency Project, Comparitech analyzed 24 widely used VPN applications. The earlier TTP study revealed that more than 20 of the top 100 free VPNs in US app stores showed signs of Chinese ownership, with such ties rarely disclosed to users.
Comparitech’s follow-up confirmed those concerns. The researchers found that six of the apps they tested—including Turbo VPN, VPN Proxy Master, and Signal Secure VPN on Android, and Now VPN on iOS—were communicating with Chinese domains.
Even more worrying, eight Android apps, such as QuarkVPN and VPNify, were found to connect to Russian IP addresses associated with major tech companies like Yandex and Mail.ru. This means users routing their traffic through these services could unintentionally send data to servers under the control of entities based in China or Russia.
In attempting to escape perceived surveillance and censorship under the Online Safety Act, users may be funneling all of their online activity through services that present their own privacy risks. The very tool intended to restore privacy can become a conduit for foreign-state surveillance, eliminating any intended protection.
Identifying where a VPN truly operates from is rarely straightforward. Many providers obscure their origins with complex corporate structures and shell companies registered in privacy-friendly jurisdictions, while their infrastructure and staff may be located elsewhere. This opacity makes it difficult for ordinary users to know who is handling their sensitive data and under which legal regime those handlers operate.
For UK residents and others worried about digital privacy, the safest approach is careful due diligence rather than defaulting to free services. Before installing a VPN—especially a free one—investigate its background. A WHOIS lookup can reveal the domain registrant’s country, and checking official corporate registries can provide further insight into ownership.
Reputable VPN providers publish transparency reports and submit to independent audits of their no-logs policies. If a VPN is opaque about its ownership, jurisdiction, or operational practices, users should treat that as a red flag. In the quest for online freedom amid laws like the Online Safety Act, individuals must ensure they are not simply exchanging one form of surveillance for a potentially more dangerous one.
See also: UK full fibre adoption surges despite stagnant broadband market
Interested in learning more about cybersecurity and cloud technologies from industry experts? Consider events such as Cyber Security & Cloud Expo, which take place in Amsterdam, California, and London and run alongside other industry gatherings including Digital Transformation Week, IoT Tech Expo, Blockchain Expo, and AI & Big Data Expo.
Explore other enterprise technology events and webinars powered by TechForge.