Opera VPN is not a real VPN


Recently Opera announced that its browser now integrates a “Free VPN for better online privacy”.

It should be pointed out that this is simply not true: It is not a VPN and it does not provide better online privacy. In fact, the opposite may be the case.

Opera VPN does not protect you

In short: What Opera praises as a VPN is nothing more than a web proxy server. And due to Opera’s business model, it should be assumed that traffic and usage data is being collected and sold to advertising partners.

In March 2015, Opera bought SurfEasy in order to offer a VPN solution to its customers. However, as several security researchers have shown, this is not the case at all: Instead, users are simply using a web proxy to browse the internet. HelpNet Security describes how this works:

“Once the user enables the feature in settings, Opera VPN sends API requests to https://api.surfeasy.com to obtain credentials and proxy IPs. The browser then talks to a proxy like de0.opera-proxy.net, and its IP address can only be resolved from within Opera when the VPN feature is turned on. It’s an HTTP/S proxy that requires authentication.”

Security researchers warn about privacy risks

Security researchers also note that there is a potential privacy issue: When setting up the proxy, the browser requests a “device_id” which contains a unique user ID. This device_id is sent to the proxy for every browsing request and will remain permanently tied to the browser.

This becomes worrisome when you look at Opera’s business model. According to their privacy statement, Opera reserves the right to pass on data to third parties for advertising and marketing purposes. Additionally, SurfEasy logs usage and bandwidth data.

In summary: Not only is Opera’s “Free VPN” no VPN at all, but you also potentially compromise your privacy when using it. As the saying goes: If you are not paying for the product, chances are that YOU are the product.

Users who want to be sure that they are browsing anonymously and that all their traffic is being strongly encrypted would be better off using a paid service like Perfect Privacy, whose business model does not rely on third-party advertising.