27 May 2014

False sense of security: FSecure's freedome VPN service

Every now and then, political events in different parts of the world can trigger situations where internet freedom is reduced. Such is the case at the moment in the South East Asian country where I reside; due to a recent military coup, some people are now afraid of increased monitoring, censorship, or other moves to reduce freedom of information by those in charge. This fear has led to an increased interest in using VPN services.

Earlier today, I came across an advertisement from Finnish antivirus company F-Secure where they used current events in Thailand to push their VPN client and VPN service for Android and iPhone, dubbed FreedomeVPN. This is one of their Twitter ads:


I thought it would be a good idea to take FreedomeVPN for a test-spin, so I installed it on my Samsung Galaxy S4, a fairly up-to-date and modern smartphone.

This is what the VPN app's main screen looked like once it was running on my phone:


A few swipes later, the app showed this reassuring statement in the "tracking protection" ring. It was very nice to read that they protect me from hackers, advertisers, and data collection companies...


I wanted to know more about how that works, so I clicked on the "How does this work?" statement and got another warm, fuzzy and reassuring statement:


My interpretation of the statement shown in that screen is that FSecure's VPN service will not only give me a new exit point in another country, but it would also block tracking cookies from advertisers and data collection companies.

That's nice to hear, so I took it for a test spin and hit a server where I could see, server side, what was sent in the HTTP headers, or in layman's terms, the information that your web browser sends to every web server you visit. This is what my HTTP header looked like when masked by FSecure's FreedomeVPN service:



...and this is what it looks like when I hit the same server from the same device without running FSecure's FreedomeVPN with "tracking protection" enabled:



Guess what: they're exactly the same. NOTHING is masked when it comes to cookies and other HTTP header data.

Tracking cookies from Google (one of the world's largest advertising companies), the latest referral URL from a Google-tracked site, and other semi-unique values (which combined can form a unique-enough combination to identify an individual user, such as the combination of user-agent, accepted languages, etc.) are passed through as-is.
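The same comparison can be repeated for any VPN or filtering product by capturing the request head at a server you control, once with and once without the product enabled. The following is an added example, not part of the original post: the hostnames, header values and the "filtered" capture are constructed, and the function names are hypothetical.

```python
# Added example: sample requests below are constructed, not real captures.
IDENTIFYING = ("cookie", "referer", "user-agent", "accept-language")

def parse_headers(raw):
    """Parse a raw HTTP/1.1 request head into {lowercased-name: value}."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:                 # skip the request line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # ignore malformed lines
        key, value = name.strip().lower(), value.strip()
        # Join repeated headers so no value is lost in the comparison
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def leaked_identifiers(direct_raw, vpn_raw):
    """Identifying headers that reach the server unchanged through the VPN."""
    direct, vpn = parse_headers(direct_raw), parse_headers(vpn_raw)
    return sorted(h for h in IDENTIFYING
                  if h in direct and vpn.get(h) == direct[h])

# Constructed capture: request as seen by the server without the VPN.
DIRECT = (
    "GET /headers HTTP/1.1\r\n"
    "Host: echo.example\r\n"
    "User-Agent: ExampleBrowser/1.0 (Android; constructed)\r\n"
    "Accept-Language: en-US,th;q=0.8\r\n"
    "Referer: http://search.example/?q=vpn\r\n"
    "Cookie: tracker_id=constructed-123\r\n"
    "\r\n"
)
# What the post observed: the request through the VPN is identical.
VIA_VPN = DIRECT
# Hypothetical capture for contrast: a filter that drops Cookie and Referer.
FILTERED = "".join(
    l for l in DIRECT.splitlines(keepends=True)
    if not l.lower().startswith(("cookie:", "referer:"))
)

if __name__ == "__main__":
    print("unchanged via VPN:   ", leaked_identifiers(DIRECT, VIA_VPN))
    print("unchanged via filter:", leaked_identifiers(DIRECT, FILTERED))
```

Even in the filtered case, User-Agent and Accept-Language still arrive unchanged, which is the semi-unique combination mentioned above.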

Nice move of F-Secure to offer a "free for a few months" VPN service, but maybe a good idea to cut down on feature claims that don't stand up to a 3 minute test-spin?
