Summary of "EXPOSING The Billion Dollar SECRET VPN Companies Are Hiding"
Core story and technical abuse
- Onavo (acquired by Facebook in 2013) was marketed as a data‑saving VPN/app but routed all phone traffic through Facebook servers. This gave Facebook full visibility into app usage, durations, and in some cases content, and was used to monitor competitors (notably Snapchat).
- Facebook engineers allegedly created Project Ghostbusters to intercept HTTPS by installing fake root certificates via a VPN profile — effectively a man‑in‑the‑middle (MITM) decryption/re‑encryption pipeline. Teenagers (13–17) were reportedly paid to install these tools and grant deep access.
- After Apple banned Onavo, Facebook rebranded and redistributed similar tooling (Facebook Research / Project Atlas) using Apple’s enterprise distribution to bypass App Store controls. TechCrunch exposed this in 2019 and Apple revoked Facebook’s enterprise certificates. Data collection reportedly continued on Android.
- The “Onavo blueprint” — using a product marketed as “privacy” to harvest user data — spread across the VPN industry. Adware makers, spyware vendors, and shell companies acquired or created VPN brands and review sites, monetizing both ends (product + promotion).
Big industry problems and examples
- Consolidation and hidden ownership: companies with problematic histories (e.g., Crossrider → Cape Technologies) acquired major VPN brands and review sites, skewing rankings and trust signals. Cape’s acquisitions reportedly include CyberGhost, ZenMate, Private Internet Access, and ExpressVPN.
- Ownership masking: many popular VPN apps are owned via offshore shells (Cayman/Singapore) and route through risky infrastructure; some top store apps trace back to Chinese parent firms flagged for national‑security concerns.
- Questionable hires: some VPN firms hired staff with histories in surveillance or military hacking (example: Project Raven).
- False “no‑logs” marketing: claims mean little without full, ongoing proof. Audits are often limited, out‑of‑date, scoped to parts of infrastructure, or fake.
- Leaks and breaches: in 2020 multiple “no‑log” VPNs were exposed with 1.2 TB of user logs (usernames, IPs, timestamps). Many VPNs run on white‑label infrastructure and use opaque company names.
- Influencer‑driven marketing: creators are heavily paid to promote VPNs and many reviews are unverified. A study of 243 YouTube ads found ~80% made false claims.
What a VPN actually does (and doesn’t)
What a VPN does:
- Encrypts traffic between your device and the VPN server (a private tunnel).
- Masks your real IP from websites and local networks.
- Protects on insecure Wi‑Fi.
- Can bypass geo‑blocks and some censorship.
What a VPN doesn’t do:
- Provide anonymity by itself (the VPN endpoint can see your traffic).
- Block trackers, fingerprinting, or device IDs.
- Prevent apps from “phoning home.”
- Stop DNS leaks unless properly configured.
- Erase metadata (connection times, session data) unless the provider explicitly does not collect it.
- Protect from phishing, malware, or malicious browser extensions.
Checklist — what you should demand before trusting a VPN
Before trusting a VPN, look for:
- Full‑scope third‑party audits (clients, servers, policies) that are ongoing, not one‑off.
- Transparent ownership and team disclosure.
- Open‑source clients so behavior can be inspected.
- Anonymous payment options (cash, Monero/other crypto).
- A strict no‑connection‑metadata policy — no timestamps, session IDs, or bandwidth logs.
- Privacy‑first features: kill switch, DNS leak protection, modern protocols (WireGuard), Tor bridge/multi‑hop, and custom DNS resolvers.
- A paid product only — “free” VPNs generally monetize users.
VPNs the presenter called trustworthy
(Note: names corrected where the transcript likely mis‑typed.)
- Mullvad (transcript “Mulpad”)
  - Based in Sweden, minimal ID required.
  - Cash‑by‑mail and crypto payment options.
  - Audited, open‑source clients, Tor bridge support.
  - Strong choice for privacy‑max users.
- IVPN (transcript “iVPN”; based in Gibraltar)
  - Transparent audits and team disclosure.
  - Network‑level ad/tracker blocking.
  - Anonymous signup and crypto payments.
  - Good ethical privacy option.
- ProtonVPN
  - Based in Switzerland, same team as ProtonMail.
  - Transparent ownership, audited, open‑source, has a free tier.
  - Note: potential Swiss legal changes could impact metadata obligations; Proton has said it would relocate infrastructure if laws force logging.
Practical guidance — what to use instead of or in addition to a commercial VPN
- DNS over HTTPS (DoH) / DNS over TLS (DoT)
  - Encrypts DNS queries so ISPs can’t see domain lookups.
  - Use trusted resolvers (Cloudflare, NextDNS) or self‑host.
- Tor Browser
  - Multi‑relay obfuscation. Not perfect if misused — avoid logging into personal accounts when anonymity is required.
  - Best for high‑risk threat models.
- Hardened Firefox
  - Use privacy extensions and settings: uBlock Origin, disable WebRTC, disable telemetry, container tabs.
  - Reduces fingerprinting and third‑party tracking.
- Browser isolation / compartmentalization
  - Use separate browsers or virtual machines for banking, personal accounts, work, and research to prevent cross‑linking and profiling.
- Self‑hosted WireGuard VPN
  - If you only need encrypted Wi‑Fi traffic, run your own server on a VPS. You control the endpoint and the logs.
- Layered threat model
  - A VPN is only one layer. Combine DoH, hardened browsers, Tor (when needed), compartmentalization, and good data hygiene for meaningful privacy.
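The self‑hosted WireGuard item above, together with the DNS‑leak and kill‑switch points from the checklist, as an added example that is not code from the video or from the WireGuard project: a small Python linter that compares a leaky client config against a corrected one. The endpoint hostname and key strings are constructed placeholders; the kill‑switch rule follows the pattern documented in wg-quick(8).

```python
import configparser

FULL_TUNNEL = {"0.0.0.0/0", "::/0"}  # AllowedIPs needed for a full tunnel

# Constructed sample: leaks DNS, tunnels only one subnet, no kill switch.
# Keys and endpoint are placeholders, not real values.
WEAK_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.8.0.0/24
"""

# Corrected form: DNS resolved through the tunnel, all traffic routed into it,
# and the wg-quick(8) kill-switch rule rejecting traffic that leaves by any
# other interface (a matching PreDown line would remove it on teardown).
HARDENED_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
DNS = 10.8.0.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

def lint_wireguard(conf_text):
    """Return leak findings for a WireGuard client config; [] means full tunnel."""
    # strict=False tolerates repeated [Peer] sections; no interpolation so %i survives
    cp = configparser.ConfigParser(strict=False, delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    findings = []
    if not iface.get("DNS"):
        findings.append("DNS leak: no DNS= line, lookups go to the local/ISP resolver")
    allowed = {ip.strip() for ip in peer.get("AllowedIPs", "").split(",")}
    if not FULL_TUNNEL <= allowed:
        findings.append("split tunnel: AllowedIPs does not route 0.0.0.0/0 and ::/0")
    if "REJECT" not in iface.get("PostUp", ""):
        findings.append("no kill switch: PostUp has no rule rejecting non-tunnel traffic")
    return findings
```

Run `lint_wireguard` over your own `wg0.conf` before trusting a tunnel on untrusted Wi‑Fi; every finding corresponds to one of the leak classes the summary lists.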
Guides, reviews, and tutorial elements in the video
- A practical checklist for evaluating VPN trustworthiness (see checklist above).
- Recommendations of specific VPNs and reasons they were considered acceptable.
- Step‑by‑step hygiene: set up DoH, harden Firefox, use Tor correctly, compartmentalize browsers, spin up a WireGuard server.
- Warnings about influencer ads, fake audits, white‑label VPNs, and shell ownerships — practical caution when reading reviews.
Main speakers and sources referenced
- Video narrator / investigative journalist (presenter).
- Documentation and reporting sources: leaked emails, court documents, buried privacy policies, TechCrunch (exposé on Facebook Research), and security researchers/industry analysts.
- Corporate actors discussed: Facebook (Onavo, Project Ghostbusters, Facebook Research / Project Atlas), Apple (App Store and enterprise certificate enforcement), Cape Technologies (formerly Crossrider) and its VPN acquisitions, and multiple VPN brands (ExpressVPN, CyberGhost, ZenMate, PIA, TurboVPN, VPN Proxy Master, ThunderVPN, UFOVPN, SuperVPN).
- Security community and academic/industry researchers (audits, 2020 leak reporting, 2023 ad analysis).
Bottom line
Many VPNs have been structured or repurposed to harvest data; “privacy” is frequently sold as a product. A trustworthy VPN requires verifiable ownership, continuous audits, open code, anonymous payments, and strict no‑metadata policies. For most users, larger privacy gains come from DNS encryption, browser hardening, compartmentalization, Tor when needed, and self‑hosting a VPN endpoint rather than relying solely on commercial VPNs.