Hypocrisy Plaguing Major VPN Providers

The issue of online privacy is a hot topic in the post-Snowden world. One would think world governments would scale down on their efforts to track everything and everyone online, however that hasn't been the case. Bill C51 in Canada, new data retention laws in Australia, CISA in the US, and the upcoming Trans-Pacific Partnership (TPP) agreement are just some of the frameworks that threaten the future of the free and open internet, and user privacy.


If you already know how VPNs work and their inherent limitations, skip to the “Top VPN Provider Analysis” section.

One of the most widely used “solutions” to the privacy issue have been Virtual Private Networks, or VPNs as they are commonly referred to. In layman’s terms, a VPN creates a secure connection between your computer the the servers of the VPN provider of your choice. All your internet traffic then flows through this secure connection, so your Internet Service Provider (ISP), place of work, school, government cannot see what content you access online. The transit security is assured through encryption.

When you use a VPN to access content online, whether its someone’s blog, Facebook, Youtube, or acquiring the latest Avengers movie from TPB, your ISP assigned IP address is masked, and replaced with the IP address of your VPN provider. In theory that’s a fairly solid solution, as long as your provider doesn’t store extensive logs, however this alone will not protect you in most cases.

Most websites you access don’t just give you information that you seek, they also love to store information on your computer in form of cookies, browser’s local storage, and fingerprint your browser’s signature. They also utilize a wide range of external tracking services that are meant to track your behavior and preferences, in order to sell you more stuff. Google has built an empire based on this, however there are hundreds of these services.

Simply changing your IP address and continuing the same behavior online will do almost nothing to truly protect your privacy and anonymity, as data stored in your browser will link your ISP IP address with your VPN provided IP, effectively making use of a VPN futile.

3rd party tracking services are embedded into millions of websites, most likely all the websites you are using on a daily basis. If you ever accessed any of them without a VPN all of your subsequent “anonymous” activity will have a high chance of being linked to you, unless you take extreme precautions. Having more trackers on a single page, maximizes this chance.

Most VPN providers claim they stop tracking, but only some offer tools to strip online trackers from the webpages you access. At the same time, all of the major VPN providers are actively engaged in tracking right on their own websites (sometimes to an extreme level), and in one case, using as many as 7 external services. Every single one can be used to connect your activities while using a VPN to your ISP provided IP address, across most of the websites that you may use.

Update (10/30/2015)

Some people pointed out that its not VPN provider’s job to modify the traffic and strip “unwanted” content from the data that passes through their servers, and that’s absolutely correct. However, then most of the providers should drastically change how they market their product, and stay away from mentioning things like “total privacy”, “complete privacy”, “fully protected”, “100% secure and private” (all copy/pasted from homepages of the above mentioned providers), because that goes way beyond the scope of what VPN technology makes possible. That kind of marketing is reminiscent of the tobacco industry in the 1950s.

“Use a VPN: It will give you complete and total privacy and anonymity online.” *

Blatant deception of the uninformed consumer which is used to sell more cigarettes (premium accounts).


Top VPN Provider Analysis

Here is a break down of top 11 VPN providers that are guilty doing exactly what their service is meant to prevent.

ExpressVPN

  • Sets 17 cookies, 13 of them associated with various tracking services.
  • Contains 10 external trackers
  • Utilizes 4 external analytical services
  • 3rd party (Google) hosted email

IPVanish

  • Sets 7 cookies, 6 of them associated with various tracking services.
  • Contains 6 external trackers

VyprVPN

  • Sets 5 cookies, 3 of them associated with various tracking services.
  • Contains 7 external trackers
  • Utilizes 4 external analytical services

CyberghostVPN

  • Sets 5 cookies, 0 of them associated with various tracking services.
  • Contains 1 external tracker
  • Uses CloudFlare DNS + proxying service. SSL certificate is held by Cloudflare.

Hide.me

  • Sets 5 cookies, 1 of them associated with various tracking services.
  • Contains 9 external trackers

HideMyAss

  • Sets 11 cookies, 2 of them associated with various tracking services.
  • Contains 5 external trackers
  • 3rd party (Google) hosted email

PrivateInternetAccess

  • Sets 9 cookies, 5 of them associated with various tracking services.
  • Contains 6 external trackers
  • Utilizes 5 external analytical services
  • 3rd party hosted email

NordVPN

  • Sets 6 cookies, 2 of them associated with various tracking services.
  • Contains 9 external trackers
  • Utilizes 4 external analytical services
  • Uses CloudFlare DNS + proxying service. SSL certificate is held by Cloudflare.
  • 3rd party hosted email

StrongVPN

  • Sets 11 cookies, 10 of them associated with various tracking services.
  • Contains 11 external trackers
  • Utilizes 7 external analytical services (seriously, 7!)
  • 3rd party hosted email

PureVPN

  • Sets 24 cookies, 15 of them associated with various tracking services.
  • Contains 10 external trackers
  • Utilizes 4 external analytical services
  • 3rd party hosted email

TorGuard

  • Sets 6 cookies, 2 of them associated with various tracking services.
  • Contains 5 external trackers
  • Uses CloudFlare DNS + proxying service. SSL certificate is held by Cloudflare.
  • 3rd party (Google) hosted email

Summaries

  • 11/11 used Google Analytics
  • 7/11 used 3rd party service for email hosting
  • 5/11 had Facebook integration (why you’d integrated a social network into a privacy service, I really don’t know)
  • 5/11 used Optimizely platform
  • 4/11 used Adroll platform
  • 3/11 used Kissmetrics platform

Every single one of the above mentioned services also offered the PPTP protocol, which is widely known to be insecure . Granted, some services did mention that it shouldn’t be used for anything sensitive, however that information is buried deep in their FAQs, tutorials and knowledge bases .

Additionally, IPsec protocol (which is also offered by all of the above mentioned services) came under scrutiny for being potentially insecure against state-level actors.

As it stands now, if you’re concerned with your privacy online, you shouldn’t be using anything other than the open source OpenVPN protocol. All the above mentioned providers support this protocol, however they failed to make it the de facto standard.


So, is all hope gone, and are all VPN providers selling diluted snake oil? I’ve identified 3 that live up to the name of a “security company”.

AirVPN.org

  • Contains no external trackers of any kind
  • Only offers OpenVPN protocol, with a huge variety of firewall penetrating connection methods
  • SSL keys are in their sole possession
  • Hosts its own email

IVPN.net

  • Contains no external trackers of any kind
  • Operated by a team with exceptional technical expertise
  • SSL keys are in their sole possession
  • Hosts its own email

Mullvad.net

  • Contains no external trackers of any kind
  • Truly anonymous number based accounts
  • Sets no cookies (except your language preference)
  • SSL keys are in their sole possession
  • PROBLEM: Don’t host its own email (uses Google!)

Some (most?) people will say, “But I have nothing to hide, I just want to have access to US Netflix, or torrent a Linux ISO, why do I need Snowden-level security?”. Tomás Touceda of Spideroak hit the nail on the head in his blog post. I highly recommend you read it.

Disclosure: I own and operate Windscribe.com which is a privacy solution that provides VPN services, among other things.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.