The Virtual Private Network (VPN) landscape has evolved into a complex ecosystem, teeming with providers that tout security, privacy, and anonymity. It’s a minefield for the average consumer to navigate. Among this myriad of options, PlatoVPN, developed by MongoTech, has gained considerable attention. At the time of this post, it boasts 6.4k reviews on the iOS App Store. But how does it fare on the metrics of privacy and security? In this article, we dive into the technical and policy aspects of PlatoVPN, offering an unbiased and evidence-based review.
Location: Based in Shanghai
PlatoVPN is developed by MongoTech, a company based in Shanghai. While the location of a VPN provider might not seem immediately relevant, it can be a factor when considering privacy laws and regulations. China has stringent data retention and surveillance laws, which could potentially affect the privacy of users. Being in a jurisdiction with such policies should be a point of consideration for those concerned about privacy and anonymity.
Advertising and Marketing Scripts
Embedded Scripts: A Privacy Red Flag
Upon initial inspection, one of the standout features of PlatoVPN’s software is the presence of numerous advertising and marketing scripts embedded within it. These scripts not only consume additional bandwidth but also have the potential to compromise user privacy. They can collect a range of data from user behavior to device information, and there’s no guarantee this information is kept secure or confidential. During our testing, we found numerous connections to
No Independent Audit
A Blind Spot in Credibility
Independent audits are a crucial factor in establishing the credibility and reliability of a VPN service. An audit typically assesses whether the VPN is doing what it claims in terms of privacy and security. Unfortunately, PlatoVPN has not undergone any independent audits. This lack of verification leaves users to rely solely on the company’s claims without any third-party validation.
Collection and Sharing of Personal Information
Personal Data Collection
- Broad Definition of Personal Data: The policy defines personal data very broadly. It can include your name, business name, email, physical address, telephone number, activity and performance information, payment information, and government ID or tax-related information.
- Collection from Third Parties: The policy explicitly states that your personal data may be collected not just directly from you but also from third parties, affiliates, and subsidiaries. This implies that your data may be aggregated from multiple sources.
- Automatic Collection: Your device and system information, including device IDs and IP addresses, are automatically collected. This can potentially be used for tracking.
Usage of Personal Data
- Consent vs Legitimate Interest: The policy states that they either get your consent or rely on “legitimate interest” for data processing. The term “legitimate interest” is a bit vague and could be a catch-all justification for various types of data usage.
- Marketing and Telemarketing: The policy states that with your consent or sometimes for their “legitimate interest”, they may contact you for marketing purposes, including telemarketing calls.
- Sharing for Business and Legal Purposes: The policy says your data might be used for security, to prevent fraud, and for legal obligations. This could potentially be another broad category under which data might be shared or used.
Sharing of Personal Data
- Affiliates and Service Providers: Your data can be shared with affiliates and third-party vendors, potentially increasing the surface area for data mishandling or breaches.
- Advertisers: Your personal data may be shared with advertisers. This could mean targeted advertising, possibly based on profiling.
- Law Enforcement: Data may be shared with law enforcement agencies based on the company’s “sole judgment,” which is a somewhat subjective criterion.
- Business Transfers: Your data can be transferred to a third party in case of a sale, merger, or reorganization of the company. This may be of concern if the acquiring company has a different privacy stance.
- Legal Processes: Your data can be shared in response to legal processes, which is pretty standard but worth noting.
- Cookies and Web Beacons: The policy indicates the use of tracking technologies like cookies and web beacons. While common, this enables tracking your behavior across services.
- Tailoring User Experience: Your data may be used to personalize your experience, which could include profiling.
- Consent for Third-Party Sharing: It mentions that with your consent, data may be disclosed to “certain third parties,” but it doesn’t specify who these third parties are.
- Notification of Business Transfers: The policy claims they will use “reasonable efforts” to notify you if your personal data is transferred to an unaffiliated third party. The term “reasonable efforts” is not clearly defined.
PlatoVPN, developed by MongoTech, fails to meet several critical benchmarks that are essential for a VPN service aiming to provide privacy and security. From its base in Shanghai and its embedded advertising scripts to the absence of audits and its explicit admission of collecting and sharing personal information, the service raises multiple red flags for anyone serious about online privacy.