There are different factors to consider,even if Microsoft intentionally infected people with ruddiam malware, at worst they get a fine and bad PR with tech circles -- their cash cows windows and azure remain unaffected. With a VPN provider like say Freedome , any sign of malice will cost them not only their VPN business but Fsecure's ability to provide infosec services. Same with ProtonVPN and ProtonMail, and unlike Microsoft the CEOs are much more likely to be held accountable since they reside in countries like Finland and Switzerland where privacy laws are very strict. Those countries may not like it if Microsoft did the same thing but they can't extradite Microsoft's CEO and even if they do the company is not incorporates in those countries. You want a VPN provider to be run by well known people that are not too powerful or too connected and reside in countries that will hold them accountable. Their main revenue stream needs to also depend on the reputation of the VPN service.
> Their main revenue stream needs to also depend on the reputation of the VPN service.
I disagree with your last statement completely. A company dependent on VPN revenue will be incentivized to do whatever they can to get and monetize VPN customers. A company that offers VPN services as a side operation that isn't financially key to their operations won't be incentivized to lie to gain users, cut costs to compete with other VPN operators, or use malware to monetize their user base.
Microsoft could not care less if you pay them a few dollars a month for a VPN. They're certainly not writing software to target people running VPNs on Azure and inject tracking and ads to make a minuscule profit. But - if news broke that they were abusing any Azure users - Microsoft would lose a significant amount of corporate and government business.
Can you name a single example of Microsoft exploiting anyone with malware? No, because the resulting reputational crisis would devastate their ability to sell their "cash cows".
Fsecure's infosec business is worth a minuscule fraction of Microsoft's businesses, and thus the potential losses from being exposed as a scam are much less.
In contrast, 57% of the top 150 free VPN apps on the Google Play Store contain code to get the user's last location, and a small number request permission to read SMS messages and take pictures https://www.bleepingcomputer.com/news/security/malware-user-...
Your comment on extradition isn't particularly relevant. Users abused by Microsoft could sue Microsoft in US court, and Microsoft would face significant legal and reputational penalties if they broke the law.
In contrast, while Finland and Switzerland do have strong privacy laws, that doesn't mean it's impossible for a "Finnish" or "Swiss" VPN provider to get away with violating user privacy. A criminal VPN provider could for example claim to operate in a country they didn't, or incorporate in a country while residing in a country less likely to prosecute them. Not saying I have evidence this happened, I am however saying that the fact that European countries in general care more about privacy doesn't make it impossible for a European company to get away with violating user privacy.
