A virtual private network (VPN) is one of the best and increasingly essential security tools to protect your data and your privacy.
Whether for accessing a streaming video, a webpage blocked in your country, or to use the web more securely while on public Wi-Fi, a VPN offers plenty of value.
But not all VPNs are created equal — some are downright shady. Universities in Australia, with the help of the Commonwealth Scientific and Industrial Research Organization (CSIRO), studied 283 Android VPN apps and found 38 percent injected malware or malvertising, an astonishingly bad result for apps meant to protect you — and these are just the bad actors.
A further 18 percent bizarrely didn’t encrypt users’ traffic at all, leaving users exposed. Despite this, the report found less than 1 percent of users had “any security or privacy concerns about these apps.”
It’s a jungle out there, and a frightening one at that.
Don’t worry. We’re here to help you figure out how to use a VPN, and explain both security and privacy features.
If you’d like to start with understanding how a VPN works, check out Android Authority’s own Gary Sims’ video. It’s an invaluable lesson on how a VPN works.
To seriously review the privacy of your VPN, head over to ipleak.net as a basic starting point. For more detailed information you can review tools and techniques from ExpressVPN’s privacy lab.
You have no privacy if you use a free VPN
Privacy and a free VPN just don’t go together. Free VPNs might look ok if you’re desperate, but we’d never recommend using one. Your data is the cost of use, and it can be even worse than that as well.
Hola is a popular free VPN. It works by routing data through a peer-to-peer network, rather than using their servers. If you use the service, it routes other people’s data through your local router and IP address. It’s great if you want to act like you’re from Australia, but if someone routes dodgy data through your connection, you might be liable for any consequences. It’s almost impossible to prove to an outsider examining your connection it didn’t come from you.
Another decidedly unethical “free” VPN model is offering a free service that examines all the data you use on your phone. It’s how Facebook waged war on Snapchat. The social media juggernaut purchased Onavo, the Tel Aviv-based VPN company that developed an app for Android and iOS ironically called Protect, which we won’t link here, that collects data from users who install it. This data included how much the Snapchat app was in use.
The Wall Street Journal reported Facebook knew about Snapchat’s slowing user growth “months before” the information was publicly disclosed.
These are just a few examples of how free VPNs can be problematic. If you’re at all serious about privacy and data protection, free VPNs are not compatible.
Privacy and paid VPNs
Just like free VPNs, there are a lot of paid options and it can be challenging to understand exactly what you need and what you’re getting. Price is also an influencing factor, of course.
Often we are swayed by deals or a Black Friday offer, but there’s more to it than that. Your VPN choice starts with what you want it for, and which VPNs match this.
Even legally done torrenting is disabled by the well-known service TunnelBear.
TunnelBear doesn’t mention you can’t use torrents, but if you just want to browser from another country, that might not be an issue.
Others might log all your data, which could be harmful if you live in a place with censorship, or have aggressive services which attempt to extort money from you for file-sharing.
Here are the key considerations that emerge from the depths of the Terms of Service and Privacy Policies.
What happens when your VPN connection leaks, or drops out?
If you’re browsing and your VPN connection leaks, cuts out, or drops, you’re at risk.
Leak checkers are also important because they monitor for problems like a DNS or WebRTC leak. Better VPNs will also provide tools for you to check if all your data is going through the provided VPN tunnel. To seriously review the privacy of your VPN, head over to ipleak.net as a basic starting point. For more detailed information you can review tools and techniques from ExpressVPN’s privacy lab.
For connection dropouts, better VPNs offer a “kill switch” or network monitor to constantly check your connection and halt all data if the VPN connection has dropped out. A kill switch is mandatory, and better VPNs will offer customizable kill switch configurations to fine-tune operations.
Your VPN must offer a kill switch, otherwise disconnects will leave you without security
Why does this matter? According to The Daily Beast, a notorious hacker known as Guccifer 2.0 was exposed as working from Russia (not from Romania as claimed), when they either forgot to turn on their VPN client before logging in to social media, or their VPN dropped out during connection.
It’s also important to have your VPN use connections based on the OpenVPN protocol. This is a technical area, but the short story is that this open-source protocol is superior to the PPTP and L2TP/IPsec protocols which are commonly used, due to security flaws and other disadvantages. The best will use OpenVPN with at least AES 256-bit encryption and with in-house DNS servers as well. Tick that box.
VPN privacy: Data logging
VPNs that log your data may choose to do so for their own gain, like those terrible free VPNs, or they may be forced to log for other reasons, like some kind of restrictive country law.
If privacy is your concern, avoiding VPNs that log ensures you aren’t defeating the purpose of securing your data at the first hurdle. Some VPNs claim not to log anything and then still do it anyway. These VPNs may say they don’t store any data logs, but by law must retain connection logs, which might be able to show something about your perfectly normal movements or whereabouts. The country of origin for a VPN will tell you more, though laws change rapidly. Panama doesn’t require logs, nor does Hong Kong.
Connection or download limits? That’s a log, so be careful if you need a zero-log VPN.
A big clue is in the nature of the kind of offer a VPN will make to customers. If they enforce connection or download limits on subscriptions, they must be keeping some kind of connection logs. It’s the only way they can manage this.
Therefore, it’s essential to review respective terms and privacy policies.
Here are some of the better VPNs and their policies:
Each of these services is explicit about not storing your data. Take ExpressVPN:
We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.
Payment info: Another important piece of your data
Now, if you are handing over your payment information to pay for your VPN service, much of your anonymity can be lost. Not all payment options are the same, and it’s really only possible to guard your information using Bitcoin or other cryptocurrency, cash, or gift cards purchased through another service.
If your payment details are being stored, you’re leaving yourself open yet again.
Paying with crypto limits this; it generally only requires an email address. Both ExpressVPN and NordVPN offer this, though IPVanish does not.
The Lip Service problem
Unfortunately, over the years, many VPNs have said one thing and done another. It’s part of the territory of VPNs — not just looking at what they claim, but reading the fine print as well. HideMyAss was infamously embroiled in a dispute with Anonymous after allegedly giving up a LulzSec member. PureVPN went through a similar issue where the company assisted the FBI in a cyberstalking case. These are just two of the higher profile cases over the years.
Last week it also emerged that IPVanish had given up logs to the FBI as well.
IPVanish, under then parent company Highwinds Network Group, appears to have released logs sometime in 2016, before the service was acquired by the operator StackPath in 2017, approximately seven months later.
However, IPVanish claims it is a zero-logs VPN service provider, and always has been. Note the wording used in 2016. It’s a simple claim, and an important one.
Yet Highwinds Network Group did provide user information to an FBI criminal investigation regarding alleged child pornography in 2016. Leaving aside the obviously heinous morality, the VPN parent company provided the very information that the VPN said they didn’t log.
How could they if they keep zero logs?
As noted, this has happened before with other VPNs, who insist they’ve responded in line with their privacy policies. Many providers keep IP logs to show connections, connection times, amounts downloaded, and which country the VPN connected to. Most of that is required just to be able to provide you a support service if something goes wrong, or for engineers to watch in the case of tracking unexpected downtime. It’s metadata about your connection.
VPNs may also be coerced by law enforcement via a National Security Letter, or NSL, to log user accounts. It’s not always clear when that’s the case, but the court complaint doesn’t seem to suggest that.
The problem is when a VPN markets itself as one thing, and then behaves as another.
StackPath CEO Lance Crosby made two posts on Reddit in response to the claims, although those posts are at this stage made by an unverified account. In response to emailed questions from us, StackPath Vice President, Product & Marketing Jeremy Palmer further clarified the company’s position.
We are glad you asked. That incident was from 2016 – long before StackPath acquired IPVanish in 2017. IPVanish does not, has not, and will not, log or store logs of our users as a StackPath company. I can’t speak to what happened on someone else’s watch, and that management team is long gone. But know this – in addition to not logging, StackPath will defend the privacy of our users, regardless of who demands otherwise.
It’s difficult to know what’s happened with IPVanish, and hard to blame StackPath for an incident outside of its ownership or control. Ultimately, it shows VPN usage is only a deterrent. It’s a good option for protecting yourself on public Wi-Fi, preventing websites from tracking you, or stopping your ISP from tracking you while you’re streaming or downloading.
It’s clearly not enough if you want to prevent governments actors from tracking you, you probably shouldn’t be doing whatever that very bad thing is at all, let alone doing it online, and a VPN is no guarantee of protection against the long arm of the law.
I want to be secure and not use a VPN
As we’ve shown, using a VPN isn’t foolproof — it’s just one way of protecting your information.
Another highly-secure method is using the Tor network. Whereas a VPN knows and can log your real IP, data sent and received through Tor is routed through a number of nodes. The key to the network is that each node only knows one point previous and in advance.
At no point can anyone know the whole path between your computer and where you try to connect.
The problem with Tor is that it’s very slow. It also can’t be easily used as a way to access data only available to certain countries, as it’s not always possible to appear from anywhere you like.
Edward Snowden uses Tor, but that’s because his data is hugely sensitive. Tor isn’t for everyone.
Tor is a solution people like Edward Snowden use, because his data is some of the most sensitive in the world and privacy is everything.
For most people a VPN is a necessary first step in securely browsing the internet more. The belt-and-suspenders types may want to use Tor, or even Tor along with a VPN for the additional layer of security. Because of the speed lack of control over location, you can more or less forget streaming or downloading using Tor.
Every recommendation for a VPN comes with its own backstory, with experiences good and bad. The consistent top performers can fall from grace in a moment and sometimes costs are a major limitation for some users.
ExpressVPN is the one we recommend most highly, but that doesn’t mean other VPNs are not suitable for you. ExpressVPN happens to meet every serious technical requirement, and has nice things like support for every major platform, high speeds, an almost unsurpassed network of countries, strong support, and genuinely keeps zero logs (court records have shown seized servers contained no logs).
Of course, it’s not the only VPN out there and competitors are coming on the tough market regularly.
The main lessons here: don’t trust a VPN until you do the research, don’t touch a free VPN unless you have no other option and even then, probably don’t do it. Finally, be aware that no logs doesn’t always mean no logs, unless the VPN in question has been tested in some way. Stay safe!
Powered by WPeMatico