QUESTION SUBMITTED TO CHATGPT 2025/12/21

** Which company is providing VPN monitoring data for Ofcom?

Ofcom is using third-party commercial data to monitor VPN use in the UK — but it has not publicly disclosed the name of the company providing that data, at least initially. According to reports based on Ofcom’s communications and internal disclosures:

# What is known

Ofcom has confirmed it uses a third-party provider — described as a leading industry tool that combines multiple data sources and AI-based models to estimate VPN usage — but did not name the vendor in earlier statements.

The regulator says the data is fully aggregated at the app level and does not include personally identifiable information.

# What was later disclosed

In response to a Freedom of Information (FOI) request, Ofcom revealed that part of its VPN usage data comes from Apptopia, a mobile app market intelligence platform.

The FOI explanation also mentioned that Ofcom accesses data from SimilarWeb and Ipsos Iris for broader internet monitoring activity.

# Summary

- Apptopia is specifically named as one of the data sources used by Ofcom for VPN usage statistics.
- SimilarWeb and Ipsos Iris are also involved in Ofcom’s internet data gathering efforts according to the FOI disclosures.
- Earlier general statements from Ofcom did not identify a specific company, leading to public questions about transparency.

** If you’d like, I can provide links to the primary sources or
** explain what each of these companies (Apptopia, SimilarWeb, Ipsos
** Iris) does in terms of data collection and analytics.

Here’s what’s publicly known about the companies providing VPN-related monitoring data to Ofcom under the UK’s Online Safety Act:

# Third-party data providers named by Ofcom

According to a Freedom of Information response from Ofcom, the regulator uses multiple commercial data sources to analyse internet traffic and VPN usage. Specifically:

# Apptopia — supplied the data used to estimate daily VPN usage in the UK.
# SimilarWeb and Ipsos Iris — provided other internet traffic and adult-site visit data used in Ofcom’s analysis.

From the official FOI document: "Our data sources were Apptopia, SimilarWeb and Ipsos Iris. The information regarding daily users of VPNs was obtained from Apptopia. The information regarding visits to adult websites was obtained from SimilarWeb and Ipsos Iris".

# What each company does

# Apptopia

A mobile app market intelligence firm that provides data on app usage, downloads, engagement and behavioural trends across iOS and Android. Ofcom used Apptopia’s data specifically for estimating the number of daily UK VPN users.

# SimilarWeb

A digital intelligence platform that tracks web traffic and online behaviour across websites and apps. Ofcom used SimilarWeb’s data as part of analysis of visits to adult websites and broader internet usage.

# Ipsos Iris

A UK web-tracking panel run by Ipsos that gathers representative data on internet use (sites visited and apps used) from a panel of participants. Ofcom incorporated this data into its broader internet traffic and trends analysis.

** What Ofcom originally said publicly

Before the FOI disclosure, Ofcom had only stated that it used a “leading third-party provider” to gather VPN usage data — without naming it — which raised questions about transparency. It described the tool as combining multiple data sources and using AI-style modelling, with only aggregated (non-identifiable) app-level data shared.

** explain how these analytics tools collect VPN usage data and
** what privacy or accuracy concerns experts have raised

Here’s a clear explanation of how analytics firms like Apptopia, SimilarWeb (and panel providers like Ipsos Iris) estimate VPN usage for clients (including regulators like Ofcom) — and the main privacy and accuracy concerns experts raise about these methods.

# How These Analytics Tools Collect or Estimate VPN Usage Data

1. Aggregating Multiple Data Sources

Platforms like Apptopia and SimilarWeb don’t directly look inside someone’s VPN traffic. Instead, they build estimates by combining many indirect data sources:

# App store and developer data

They use publicly available or licensed data from app stores and analytics dashboards that show app installs, downloads, rankings and usage trends. Apptopia, for example, combines analytics from hundreds of thousands of apps with modelling to estimate usage and trends for millions of apps globally.

# Panel-based measurement

Companies like Ipsos Iris operate panels of volunteered users whose devices collect data (with consent) about websites visited, apps used, traffic types, etc. This can include whether a VPN app has been opened or how often it’s used. This data is then extrapolated to estimate broader population behaviour.

# Inferred and third-party data

Tools may use ISP data feeds, browser plugin data, or public web telemetry where available. They train models (sometimes described as AI-based) to infer patterns — e.g., changes in VPN app activity — from these combined inputs.

# None of these methods involve decrypting or inspecting the contents of individual VPN user traffic (which would typically break encryption protections) — instead they estimate patterns of app usage and prevalence.

# Main Privacy Concerns Experts Raise

1. Transparency & Consent Issues

Ofcom hasn’t publicly disclosed all specifics of which provider or exactly how the estimates are generated, making it hard to independently assess privacy safeguards. Even if data is “aggregated at the app level,” users may not be fully aware that their usage patterns (from panels or telemetry sources) are contributing to market intelligence or regulatory analyses — raising questions about informed consent.

2. Risk of Re-identification

Even aggregated data can sometimes be re-identified, especially if combined with other datasets.
Experts caution that anonymised datasets are not immune to re-identification attacks if malicious actors access underlying models or joins.

3. Hidden Collection Practices

Research into app analytics generally shows that many analytics libraries collect much more data than users expect, and privacy policies often lack detail about what is collected or how it’s used — even if it’s "only for estimation."

4. Users May Not Understand the Trade-Off

Users might consent to “usage analytics” without realising that such telemetry can feed into wider datasets used for commercial or regulatory monitoring — potentially affecting perceptions of privacy.

# Main Accuracy Concerns Experts Raise

1. Estimates, Not Direct Measurement

All these tools create estimates based on modelling and indirect signals, not direct measurement of every user’s VPN connections. This means:

- Results can be imprecise, especially for smaller apps or niche use cases.
- There can be wide margins of error that aren’t obvious in headline statistics.

2. Model Bias & Assumptions

Machine learning models and extrapolation can embed assumptions that skew results — for example:

- Overweighting data from one panel relative to another.
- Misclassifying VPN usage spikes due to unrelated app updates or market changes.

3. Uneven Data Coverage

Some sources (e.g., app install data for mobile apps) may be far more reliable than others (e.g., inferred web traffic), leading to inconsistent accuracy across platforms.

4. Lack of Ground-Truth Validation

It’s often difficult for outsiders (or even regulators) to independently verify these models against true ground-truth data (like actual user connections measured from network infrastructure), so results may be more indicative than definitive. (TechRadar)

# In Summary

Data Collection - Uses aggregated app data, panels, inferred signals. Lack of transparency & consent clarity.
Privacy Protection - PII claims to be excluded. Risk of re-identification remains.
Accuracy - Modelled estimates, not direct measurement. Possible errors or biased conclusions.
Public Transparency - Providers often undisclosed. Hard to evaluate safeguards.

** break down how app telemetry and panel systems work in practice

Below is a practical, step-by-step breakdown of how app telemetry and panel-based measurement systems work in the real world, using plain language and concrete examples. This applies to companies like Apptopia, SimilarWeb, and Ipsos Iris, but the mechanics are broadly the same across the industry.

# App Telemetry: what actually happens on a phone or tablet

Step 1: An app includes an analytics SDK

Most apps (including VPN apps, games, shopping apps, etc.) include analytics software called an SDK (Software Development Kit). Examples: analytics for crashes, performance, usage statistics. This SDK is added by the app developer — not by regulators.

Step 2: The SDK records usage events

When someone uses the app, the SDK may record events such as:

- App opened / closed
- Time spent in the app
- App version and device type
- Country or region (derived from IP or device settings)

Importantly:

- It does not see what traffic goes through a VPN.
- It usually does not know what websites you visit.
- It tracks that the app is being used, not what you do inside the internet.

Step 3: Data is aggregated and anonymised

Before data is shared outside the company:

- Individual users are not named.
- Identifiers are removed or replaced with random IDs.
- Data is aggregated (e.g. "X thousand daily active users in the UK").

Analytics firms like Apptopia don’t get raw user logs — they receive statistical summaries or licensed datasets.

Step 4: Market-wide estimates are modelled

Because no single SDK covers all apps or all users:

- Companies combine many datasets.
- They compare trends across similar apps.
- They use statistical models to estimate total usage.

# Result: "Estimated daily VPN app usage in the UK" — not a list of users, devices, or connections.
# Panel Systems: how “volunteer tracking” works:

Panel systems (like Ipsos Iris) work very differently.

Step 1: People explicitly sign up.

Participants:

- Volunteer to join a research panel.
- Agree to monitoring as part of market or media research.
- Often receive incentives (vouchers, points, payments).

They are told:

- What data is collected.
- On which devices.
- For what purpose (audience measurement, internet usage stats).

Step 2: Monitoring software is installed.

Panel members install:

- A browser extension.
- A background app.
- Or use a specially configured device profile.

This software can record:

- Which apps are used.
- Which websites are visited (domain level).
- How long apps or sites are used.
- Whether a VPN app is active.

# Panels usually do not record passwords, messages, or encrypted content.

Step 3: Data is weighted and extrapolated.

Because panels are small compared to the whole population:

- Researchers adjust the data to match national demographics.
- They extrapolate trends (age, location, device type).

Example: "If 3% of our representative panel used a VPN app daily, we estimate similar usage nationally".

Step 4: Only aggregated results are shared.

Regulators and clients receive:

- Statistics.
- Charts.
- Trend lines.

They do not receive:

- Individual browsing histories.
- Names or addresses.
- Identifiable device data.

# How this turns into “VPN usage data”

Putting it together:

| Source | What it shows | What it doesn’t show |
| --- | --- | --- |
| App telemetry | How often VPN apps are opened. | What traffic flows through them. |
| Panels | Whether panel members use VPNs. | What VPN users actually do online. |
| Modelling | National-level estimates. | Exact user counts or identities. |

So when Ofcom says it monitors VPN usage, it really means tracking trends in VPN app usage, not monitoring individuals or their internet activity.

# Why experts still raise concerns:

Even with safeguards, experts point out risks:

# Transparency gaps:
Users often don’t realise analytics data can be reused for regulatory studies.
Privacy policies are long and vague.

# Consent complexity:
Panel consent is explicit. App telemetry consent is often bundled into "analytics" terms people don’t read.

# Estimation errors:
Panels may not fully represent all groups. Some VPN usage (e.g. built-in system VPNs) may be missed. Results are indicative, not exact.

## Key takeaway (plain English):

- No one is watching individual VPN users.
- No VPN traffic is being decrypted.
- The data is about how popular VPN apps are, not what people do with them.
- Accuracy depends on modelling, not direct measurement.

## Via ChatGPT.com 2025/12/21