Nothing in Security Is Actually Free
I understand the appeal. Security software is expensive, the threats feel abstract, and free options are everywhere. But in cybersecurity, free has a specific meaning: you are not the customer, you are the inventory.
This isn't speculation. In the last five years, three of the most downloaded free security products were caught doing exactly this.
The Free VPN Problem
A VPN protects your internet traffic from being read by your ISP or anyone on the same network. A free VPN often does the opposite: it logs your traffic and sells it to data brokers, advertisers, or, in some documented cases, foreign intelligence services.
In 2021, an investigation found that seven popular free VPN apps, collectively downloaded over 500 million times, shared ownership with companies in China, despite claiming to be US- or UK-based. Your encrypted tunnel ran through infrastructure owned by the entity you were trying to hide from.
What to use instead: Mullvad ($5/month, no-logs, accepts cash), ProtonVPN (paid tier), or NordVPN. The $5 monthly cost buys you a provider whose business model is your privacy, not your data.
The Free Antivirus Problem
Avast was fined $16.5 million by the FTC in 2024 for selling "precise browsing data" collected through its free antivirus software — including which medical conditions users researched and their religious beliefs. The data was sold to over 100 companies.
The antivirus was real. The surveillance was also real.
What to use instead: Windows Defender (built into Windows 10/11, independent testing shows it's competitive with paid options) or Malwarebytes Premium for active protection. macOS users: the built-in XProtect handles most threats; add Malwarebytes if you want a second layer.
The Free Password Manager Problem
Password managers are more nuanced. Bitwarden's free tier is genuinely trustworthy: it's open source and independently audited, and the free tier is a donor/community model. The risk is with obscure free password managers from unknown developers, where you have no visibility into what happens to your vault.
What to use instead: Bitwarden free or paid ($10/year), 1Password (family plan), or Proton Pass. Avoid any password manager you haven't heard about from a recognized security community.
The Rule
Security tools touch your most sensitive data. Apply this standard: can you verify how this company makes money? If the answer is "I'm not sure," that's your answer. The cost of a $5 VPN is nothing compared to having your browsing history sold to anyone who'll buy it.