Can VPN providers be trusted?
Using a VPN service is a great way to protect your privacy online.
However, not all VPN services are as private as you might think. In fact, some are known to keep extensive logs that can easily identify specific users on their network.
This is the main reason why we publish a yearly VPN review, asking providers about their respective logging policies as well as other security and privacy aspects.
It’s worth keeping in mind though that not all VPN protocols and encryption algorithms are equally secure. PPTP is known to be vulnerable for example, and pre-shared keys are also a risk.
Also, VPN users should always do a proper IP-leak test to confirm that their setup is safe from IPv6, DNS, WebRTC and other leaks.
In response to a growing threat of Internet surveillance and censorship, VPN services have surged in popularity in recent years. Encrypting one’s traffic through a VPN connection helps to keep online communications private, but what more does your VPN provider do to keep you anonymous?
Everyone who uses a VPN service puts an incredible amount of trust in the company they sign up with. While the highest encryption standards offer protection against direct monitoring, VPN service providers can still see everything you do, if they want to.
Perhaps it’s a disappointing conclusion, but despite all the state of the art encryptions these VPN companies offer, complete security remains a matter of trust. In reality this means that you have to carefully vet the VPN service you sign up with, asking yourself whether you really trust company X with all your data.
For an industry that’s worth hundreds of millions of dollars a year it is quite a surprise that these concerns haven’t been addressed more systematically. But perhaps this may change in the future.
Ask your VPN providers:
- Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
- What is the name under which your company is incorporated, and under which jurisdiction does your company operate?
- What tools are used to monitor and mitigate abuse of your service, including limits of concurrent connections if these are enforced?
- Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?
- In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?
- What steps are taken when a court orders your company to identify an active or past user of your service? How would your company respond to a court order that requires you to log activity going forward? Has any of this ever happened?
- Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
- Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?
- What is the most secure VPN connection and encryption algorithm you would recommend to your users?
- Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?
- Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Do you use your own DNS servers? (if not, which servers do you use?)
- What countries are your servers physically located? Do you offer virtual locations?
So how do you know if you can trust your provider?
The honest answer is that you don’t.