VPNs are often sold as a way to obscure your web activity from the world because they route your internet traffic through private servers. They’ve been a part of online privacy culture since pretty much the advent of the internet. And yet, for equally as long, they’ve also been a source of contention, with ongoing questions into their efficacy and trustworthiness.
Here to add to that debate is Consumer Reports, which recently published a 48-page white paper on VPNs that looks into the privacy and security policies of 16 prominent VPN providers. Researchers initially looked into some 51 different companies but ultimately honed in on the most prominent, high-quality providers. The results are decidedly mixed, with the report highlighting a lot of the long offered criticisms of the industry—namely, it’s lack of transparency, its PR bullshit, and its not always stellar security practices. On the flip side, a small coterie of VPNs actually seem pretty good.
Here are a few of the takeaways.
The CR report makes note of the fact that VPN providers often exaggerate or make misleading claims about the effectiveness of their services—usually promising the moon and delivering far less. Consumers may often believe that by using a VPN they are able to become completely invisible online, as companies promise stuff like “unrivaled internet anonymity,” and the ability to “keep your browsing private and protect yourself from hackers and online tracking,” and so on and so forth.
In reality, there are still a whole variety of ways that companies and advertisers can track you across the internet—even if your IP address is hidden behind a virtual veil. The report elaborates:
Websites often request data that can pinpoint people’s geographic location, such as WiFi networks, device location based on GPS, cell tower identification (CDMA or GSM cell IDs), and more. Various companies collect wide-ranging data, beyond IP addresses, and sell that information to data brokers. Many of the risks that consumers use VPNs to try to protect against are already largely mitigated through the use of HTTPS. And many risks, such as social engineering, are not mitigated by using a VPN.
Similarly, VPNs use terms that sound impressive but actually don’t really mean that much. One of those terms, apparently, is “Military Grade Encryption”—a phrase that gets tossed around a lot in VPN advertising and promotional material. The report, referencing a more honest VPN provider’s thoughts on the matter, helpfully points out that “a fixed encryption standard for militaries doesn’t exist, and that 42 implementations vary across different segments of armed forces.” Good to know.
Your online privacy is only as good as your cybersecurity and, unfortunately, VPN companies don’t always have the best track records when it comes to protecting customers’ data.
The CR report cites research conducted via a tool developed by a group of University of Michigan researchers, dubbed the “VPNalyzer” test suite, which was able to look at various security issues with VPN connections. The research team found that “malicious and deceptive behaviors by VPN providers such as traffic interception and manipulation are not widespread but are not nonexistent. In total, the VPNalyzer team filed more than 29 responsible disclosures, 19 of which were for VPNs also studied in this report, and is awaiting responses regarding its findings.”
The CR’s own analysis found “little evidence” of VPNs “manipulating users’ networking traffic when testing for evidence of TLS interception,” though they did occasionally run into examples of data leakage.
And, as should hopefully go without saying, any VPN with the word “free” near it should be avoided at all costs, lest you accidentally download some sort of Trojan onto your device and casually commit digital hari-kari.
According to CR’s review, four VPN providers rose to the top of the list in terms of their privacy and security practices. They were:
Apparently in that order.
These companies stood out mostly by not over-promising what they could deliver, while also scoring high on scales of transparency and security. Three of the top four companies (the exception being PIA) conducted publicly available audits using third-party companies to verify their security protections. Those reports are published to the companies’ website, giving users an opportunity to inspect the findings themselves.
And you may want to check out Mullvad, the leader of the pack. We’ve written about the company before, which has a number of cool features that make it stand out from its competitors (you can pay for your service in cash, for instance). If, after this whole run-down, you still want to invest in a VPN, it’s probably one you’d want to take a peek at.
All this said, the full CR white paper goes into significantly more detail, so it’s worth checking out if you’re interested. You can find it here.