The short version: there are three honest categories of "free" VPN. (1) Limited free tier from a real paid provider (Proton, Windscribe, TunnelBear) — subsidized by paid customers, deliberately capped so heavy users upgrade, business model is straightforward. (2) Free-for-a-purpose VPN (corporate, university, embedded in another product) — paid for by an entity that wants you on their network, business model is whatever the parent product sells. (3) Free-as-monetization VPN — the VPN provider IS the business, and they monetize you. That third category is where the documented harm has historically lived: device-as-exit-node botnet models, data-broker resale, ad-injection, malware bundling. The first two can be fine. The third has caused most of the "is using a VPN unsafe" headlines. This is the field guide for telling them apart.
Disclosure up front: Casper's Cloak is a paid VPN service. We have a commercial interest in this topic. That's why this post focuses on verifiable, documented historical incidents — facts you can check against original sources — rather than vague "free is bad" warnings. The aim isn't to scare you off free VPNs; it's to help you pick one whose business model you actually understand.
What "free" actually costs the provider to deliver
Concrete numbers, since this is where the rest of the analysis lives. A modest VPN provider running 1,000 servers across 30 countries pays:
- Server hosting: $40–150/server/month depending on region (Western Europe, US-East cheap; APAC, Latin America, Africa expensive) → $40K–150K/month minimum.
- Bandwidth: dominant cost. A VPN exit pushes more traffic than almost any other workload — typical user pulls 50–200 GB/month, providers run at 80%+ utilization. Bandwidth bills dwarf server bills at scale.
- Abuse handling: someone's full-time job is responding to DMCA notices, hosting-provider abuse complaints, payment-processor questions, and the occasional law-enforcement letter. This is non-optional and gets expensive at scale.
- Engineering: protocol stack maintenance (WireGuard, OpenVPN), client apps for iOS/macOS/Windows/Linux/Android, audits, security response.
If a provider runs 1,000+ servers, employs a real ops team, gets audited annually, and charges $0, the money has to come from somewhere. The honest question is: where? The three patterns below cover roughly all of what we've documented in the wild.
Pattern 1 — Limited free tier from a paid provider (usually fine)
The cleanest version. The provider sells a paid product to most of its users, and offers a deliberately-capped free tier as a marketing funnel. Caps usually take one of three shapes:
- Bandwidth cap (Windscribe: 10 GB/month free; TunnelBear: 2 GB/month free). Heavy users hit the cap and upgrade, or stop using the service. Free users cost the provider less than they're worth as a funnel.
- Server-location cap (Proton Free: 3 countries; ProtonVPN Plus: 110+). The free tier is enough for "I want my coffee-shop traffic encrypted"; the paid tier is required for streaming-from-other-countries use cases.
- Feature cap (no streaming, no torrenting, fewer concurrent connections). Same logic as server caps.
How to verify the provider is in this category: (a) they have an obvious, transparent paid tier with real customers (look at their app-store ratings count, not just the rating); (b) their privacy policy is plain about not logging or selling traffic data, and they've ideally published an external audit confirming it; (c) they're a real company with named executives and a known jurisdiction; (d) they make most of their money from paid subscriptions, which they'll usually disclose in marketing material.
Pattern 2 — Free-for-a-purpose VPN (depends on the purpose)
Free because someone else wants you using it. Three sub-cases:
Browser-embedded VPNs (Opera VPN, Brave Firewall + VPN, Cloudflare WARP). The parent company has a different business model — selling ads, selling enterprise services, selling DNS — and the VPN exists to feature-differentiate the browser. These are usually honest about their scope: Opera VPN is a free encrypted proxy, not a true VPN (only protects in-browser traffic), and they say so. Cloudflare WARP is funded by Cloudflare's enterprise CDN business and is roughly the most-audited free network service in existence.
Apple's iCloud Private Relay sits in this category — it's bundled with iCloud+, so technically not "free" in the strict sense, but it's free at the margin if you already pay for iCloud storage. It's also Safari-only, double-hop, and explicitly not a general-purpose VPN. We covered the scope in detail in What iCloud Private Relay actually covers — and what it doesn't.
Corporate / university VPNs. Free to you because the institution pays. Honest about it. Use them for what they're for (accessing institution resources), don't use them for personal privacy (the institution can see all your traffic by design).
How to verify: read the privacy policy, look at the parent company's main business model. If the main business is browser ads (Opera) or enterprise CDN (Cloudflare), the VPN's incentives align with not screwing it up — bad press from a VPN scandal would damage the more profitable business.
Pattern 3 — Free-as-monetization VPN (where the documented harm has lived)
This is the category every "is using a VPN risky" article is actually about. The VPN provider has no other business; the VPN IS the business; the user IS the revenue. Three documented historical mechanisms:
3a. Device-as-exit-node (the Hola / Luminati model)
Hola, marketed as a free VPN for browser geo-unblocking, gained millions of users in the early 2010s. The business model — disclosed in the terms of service, but in the way "disclosed in the terms of service" usually means — was that your device served as an exit node for Luminati (now Bright Data), Hola's commercial proxy network. Paying enterprise customers routed traffic through Hola free users' residential IPs.
The fallout, well-documented: in 2015, security researchers showed Hola users had been used as exit nodes for an 8chan DDoS botnet — meaning Hola users' IPs originated attack traffic they had no idea they were sending. The Luminati network has since rebranded, added consent flows, and continues to operate; the model remains roughly the same.
How to spot it: the provider talks vaguely about "peer-to-peer" architecture or "community-powered" network. Their terms of service describe a "right to use bandwidth from idle devices." They sell a paid commercial proxy product alongside the free consumer product, and they're the same network.
3b. Data-broker resale (the Onavo / Facebook model)
Onavo Protect was a free VPN app — Facebook bought the parent company in 2013 and operated it as "Onavo Protect" on iOS and Android. The privacy policy disclosed that Facebook used the network-traffic visibility to learn which apps users were using, how often, and for how long. This intelligence informed Facebook's product strategy: famously, Onavo data tipped Facebook off to WhatsApp's growth before the acquisition, and to TikTok's growth before Reels.
Apple eventually removed Onavo from the App Store in 2018 citing data-collection violations, and Facebook shut it down in 2019 after the Cambridge Analytica fallout made the optics untenable. The mechanism — free VPN as competitive-intelligence funnel for a parent company — recurs periodically; the names change but the structure repeats.
How to spot it: the parent company's actual business is advertising, social networks, or competitive analytics. The privacy policy contains language about "anonymized aggregate usage data" or "improving our services" with broad scope. The free VPN has no obvious paid tier — there's no reason for it to exist as a standalone product.
3c. Ad injection and malware bundling (the long tail)
The least sophisticated and most common: the free VPN app injects ads into web pages, redirects traffic through affiliate links, or ships with bundled adware/spyware. Studies of free Android VPN apps repeatedly find a meaningful percentage embedding tracking SDKs, requesting unnecessary permissions, or in extreme cases carrying outright malware. The CSIRO published a frequently-cited 2017 study finding 38% of 283 surveyed free Android VPN apps contained some form of malware; follow-up work in subsequent years finds the situation improved but not transformed.
How to spot it: the app has aggressive ad placement in its own UI, requests permissions beyond what a VPN needs (contacts, SMS, location-always), has very few app-store reviews, and the developer name is unfamiliar. Generic "Best Free VPN" Play Store apps that look slightly different from each other are usually the same SDK rebranded.
The privacy-policy red-flag checklist
Before installing any VPN — free or paid — read the privacy policy and look for these specific concerns:
- Vague "aggregated usage data" language with broad permitted uses ("to improve our services, for our partners, for marketing purposes"). The honest paid providers usually list specifically what they log: account info, payment info, sometimes bandwidth usage at the aggregate level, nothing else.
- No third-party audit, or a vague reference to one without a link. Honest paid providers link to the full audit report (Proton, Mullvad, ExpressVPN, NordVPN all publish theirs).
- Jurisdiction that's hostile to user privacy — US (subject to NSL gag orders), UK (Investigatory Powers Act), or jurisdictions in the Fourteen Eyes intelligence-sharing arrangement. Not automatically disqualifying, but worth weighing.
- Anonymous ownership. If you can't figure out which company owns the product and where they're based from a few minutes of research, that's a signal.
- "P2P / peer-to-peer / community network" architecture language — see the Hola pattern above.
- App-store permissions far beyond what a VPN needs. A VPN needs the VPN service permission and, on Android, foreground service. It does not need contacts, SMS, calendar, or precise location.
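As an added example (not the post's or any provider's code), here is a small Python audit of an Android manifest against the permission point above: it sorts requested permissions into an assumed VPN allowlist, the red flags named in the checklist, and everything else for manual review, and confirms that a BIND_VPN_SERVICE-guarded service is actually declared. The manifest is constructed for illustration; the allowlist and red-flag sets are assumptions drawn from the checklist.

```python
# Added example: audit an Android manifest's permissions against what a VPN
# app plausibly needs. Not code from any provider; the allowlist is an assumption.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# What a VPN client plausibly needs on Android (assumed allowlist).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}
# Permissions the checklist calls out as unnecessary for a VPN.
RED_FLAGS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

def audit_manifest(xml_text: str) -> dict:
    """Classify requested permissions and confirm a real VpnService is declared
    (a <service> guarded by BIND_VPN_SERVICE is what makes the app a VPN)."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NS + "name") for el in root.iter("uses-permission")}
    requested.discard(None)  # ignore malformed entries with no android:name
    declares_vpn = any(
        svc.get(NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "expected": sorted(requested & EXPECTED),
        "red_flags": sorted(requested & RED_FLAGS),
        "other": sorted(requested - EXPECTED - RED_FLAGS),  # review by hand
        "declares_vpn_service": declares_vpn,
    }

# Constructed sample: a "free VPN" that also wants contacts and location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""
```

Calling `audit_manifest(SAMPLE_MANIFEST)` on the constructed manifest reports two red flags (contacts, background location) and one permission for manual review (READ_PHONE_STATE); the same function can be pointed at a manifest extracted from a real APK.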
When free is genuinely the right answer
Three honest use cases where a free VPN (specifically Pattern 1 or Pattern 2) is genuinely the right tool:
- Occasional coffee-shop encryption. You want your traffic encrypted from observation on hostile WiFi, your monthly volume is under a few GB, and you're not doing anything that benefits from speed. ProtonVPN Free, Windscribe Free, TunnelBear Free, and Cloudflare WARP all do this fine.
- Trying before buying. Use the free tier of a paid provider to validate the app quality, speed, and country list before committing to a year-long subscription. Free tiers exist for this reason.
- You're already in someone's bundle. If you pay for iCloud+ and your traffic is mostly Safari, iCloud Private Relay is free at the margin. If you use Brave, Brave Firewall + VPN is bundled. If your employer provides a corporate VPN, use it for work and pair it with something else for personal use.
What a paid VPN actually buys you (honest version)
Skipping the marketing claims, here's what subscription revenue lets a provider deliver that an ad-funded or data-resale provider structurally can't:
- An incentive aligned with your privacy, not against it. The subscription IS the revenue; selling your traffic data would destroy the brand and the customer base. The economic argument for honest behavior is the strongest one.
- Capacity to handle abuse without dropping you. Paid providers can afford abuse-response staff; free providers under-resource this and either let abuse harm reputation or kill features (P2P/torrenting often disappears from free tiers for cost reasons, not policy reasons).
- Third-party audits. External security audits cost real money; free providers rarely commission them. The major paid providers publish audit reports on a regular cadence.
- Speed and server density. Bandwidth is the dominant cost. Paid providers can over-provision; free providers ration. This shows up as slower speeds during peak hours, fewer countries available, smaller pool of IPs.
- Real customer support. Free-tier users get a community forum; paid customers get email response within hours.
- A clear business model. When you can name how the company makes money, you can predict how it will behave under stress (acquisition, financial trouble, regulatory pressure).
Why VPNs aren't the whole picture either (the honest paid-provider position)
Even a perfect paid VPN — properly audited, no-log, well-engineered — only solves a specific subset of privacy problems. The traffic-encryption part: yes. The "your ISP can't see what sites you visit" part: yes. The "the coffee-shop network can't read your sessions" part: yes. But:
- The sites and apps you talk to still see you — and on phones, the in-app tracking SDKs phone home regardless of network path. iOS App Tracking Transparency blocks the IDFA but not fingerprinting; see What iOS App Tracking Transparency doesn't stop.
- Ads, trackers, and malicious domains are still loaded at the DNS layer. A VPN encrypts your traffic to the destination; it doesn't filter what destinations get reached. That's why DNS-level filtering is the natural pairing — see How DNS-level filtering actually works.
- Traffic-analysis attacks at the metadata layer — patterns of bytes-per-second, timing, who you connect to and when — work through encrypted tunnels. Most users don't care; some do.
Casper's Cloak combines VPN tunneling with DNS-level ad/tracker blocking (we run a Pi-hole instance per user as the resolver) and AI-driven threat detection — explicitly because the VPN-alone proposition leaves the DNS-layer surface area open. Honest framing: paid VPN is necessary for a meaningful set of privacy problems and insufficient on its own for others.
Bottom line
Free VPNs aren't one category; they're three different categories with very different incentive structures. Limited free tier from a paid provider: usually fine, deliberately constrained, paid users subsidize you. Free-for-a-purpose VPN: depends on who's paying and why, but usually honest about it. Free-as-monetization VPN: this is where the documented harm has lived — peer-as-exit-node networks, data-broker resale, ad-injection, malware bundling. The way to tell the third category from the first two is the privacy-policy red-flag checklist above and, more reliably, asking yourself: where is the money coming from? If you can name it, you're probably fine. If you can't, you're probably the product.
And whichever you pick: free, paid, or none, layer it with DNS-level filtering at minimum and don't expect any one of these things to be the whole answer. The honest stack is VPN + DNS filtering + sensible OS defaults — that's the architecture Casper's Cloak ships; it's also the architecture you can assemble yourself from free parts if you want to.
Related: Public WiFi attacks in 2026 covers the threat model VPNs are supposed to address; How DNS-level filtering actually works covers the layer VPNs leave open; What iCloud Private Relay actually covers covers Apple's not-quite-a-VPN privacy feature. The Casper's Cloak vs traditional VPNs comparison goes deeper on the technical differences.