Backstabbing, Disinformation, and Bad Journalism: The State of the VPN Industry
I’ve been testing and reviewing security software and VPNs for seven years, and I’m convinced that VPNs are critically important but also that the industry may be headed toward a self-inflicted disaster. This is an open letter to VPN companies: Do better.
By Max Eddy
I review VPNs for PCMag, and that means I spend a lot of time trying to explain to people that I am not actually a paid shill or actively working against the safety of others. Why? Because the culture around VPNs and how some of these products are marketed has become incredibly toxic.
Let me first say that, broadly speaking, my interactions with VPN vendors have been positive. I genuinely believe that most vendors in the VPN space really are making the best product they can, and are trying to do right by their customers. Yet I’ve seen flashes of bad behavior, big and small, across the entire industry.
(Editors’ Note: IPVanish and StrongVPN are owned by j2 Global, the parent company of PCMag’s publisher, Ziff Davis. We’ll talk more about this below.)
From my experience working with VPNs, I can say with certainty there is a culture of sabotage and paranoia among some vendors. Anonymous dumps of damning information about one VPN vendor get blamed on another VPN vendor. Tips come in suggesting that the corporate ownership is tied to the Russian mafia, or some other criminal operation. Commentators hold up one VPN review site as an example of rectitude, while others say that same site is secretly run by a VPN vendor with an agenda. When there is this much disinformation and counter-disinformation (which may also be disinformation), it’s impossible to tell who is telling the truth.
Neil Rubenking has been working for PCMag for as long as I’ve been alive, and I asked him if he’d seen anything similar covering antivirus products. He hasn’t. Those companies occasionally snipe at each other, and sometimes are accused of cheating, but the major players are smart enough to realize that stability of their market as a whole depends upon their perception as trustworthy players.
Moreover, there’s an entire industry devoted to holding antivirus vendors accountable. The AMTSO (Anti-Malware Testing Standards Organization), of which Rubenking is an Advisory Board member, has set guidelines and released tools so that anyone can verify that their antivirus software does something. There’s also an industry of antivirus testers such as AV-Test, AV-Comparatives, and others that not only verify that these products work, but actually quantify how well they work. Other researchers provide live feeds of malware that Rubenking can use to verify on his own that antivirus software actually does what it promises.
That kind of community doesn’t yet exist for VPNs. Nor is it particularly easy to verify if VPNs are actually doing anything. How can we tell that a VPN is actually preventing an ISP or a hacker from figuring out who you are or intercepting your traffic? How can we verify that every single one of the company’s servers and apps are configured properly? How can we be sure the company isn’t selling our data or injecting ads into our web traffic? Even checking that a given VPN product is actually encrypting your traffic is difficult and time-consuming.
Here’s another example: In late April, The Register ran a story about unusual traffic coming from NordVPN that looked like botnet traffic. The company has provided various explanations, mostly boiling down to it being expected behavior designed to conceal user activities. That makes sense, but the options for verifying that claim are limited. Besides, how do I know that the accusations themselves aren’t coming from another VPN company with an agenda? When trust becomes eroded, even basic assumptions are questioned.
How Did This Happen?
VPNs aren’t new in the slightest, but for most of recorded history, they were used in a corporate context, not a consumer one. The big exception was political dissidents operating in countries with restrictive internet policies. Then all of a sudden, dozens of new players appeared and pushed their products harder than ever. This mass proliferation and the questionable practices that followed are the result of unique forces aligning.
First, streaming services like Netflix offered a compelling alternative to pirating movies and TV shows. Once people found out they could use a VPN to unlock even more legal-ish content by spoofing their location, everyone wanted one. I actually have data to back this up. According to PCMag’s surveys, the majority of people are using a VPN to access streaming content online. According to some in the VPN industry, this may be the real reason why people buy VPNs, and everything else is just window dressing to give it an air of legitimacy.
Second, the global rise of far-right politics has spurred interest in VPNs. People in places that usually weren’t concerned about privacy or censorship suddenly had reason to get a VPN. In the US, specifically, the collapse of our net neutrality rules, ISPs monetizing user activity, and a generalized concern over surveillance in a post-Snowden world haven’t helped.
Third, and finally, is money. Starting a small VPN company is comparatively cheap. Thanks to cloud servers and open-source VPN protocols, spinning up a few servers is pretty easy. Hell, I made my own VPN and it was the work of perhaps 30 minutes. Now, mine had only one server and not the thousands of servers in multiple locations offered by major players, but the low barrier to entry has certainly made it easier for bad actors to enter the market.
The problem for VPN entrepreneurs isn’t building the product, it’s getting people to buy it. That’s where affiliate marketing comes in. Wikipedia defines affiliate marketing best: a type of marketing “in which a business rewards one or more affiliates for each visitor or customer brought by the affiliate’s own marketing efforts.” If you’ve ever wondered why there are 10 million sites with URLs that are some combination of “VPN” and “Review,” or why every site from CNET to Wirecutter has started reviewing VPNs, it’s because of affiliate marketing.
As mentioned above, PCMag’s parent company j2 Global just established a connection to the VPN market with the purchase of IPVanish and StrongVPN last month. And like CNET, Wirecutter, TechRadar, The Verge, and many more, PCMag itself also participates in an affiliate commerce program. But our analysts (that’s me) are salaried and do not receive a cut of any money generated by our reviews. Additionally, we’re intentionally kept ignorant of business arrangements between our employers and vendors, and we have a strict policy of editorial integrity. That means I test VPNs extensively, I publish reviews with ratings based on actual test results, and my editors back my findings and defend them, regardless of vendor influence. Sometimes companies don’t agree with our reviews; oftentimes that’s a catalyst for them to improve their products.
That’s not necessarily true for other sites, and a good chunk of the VPN review sites appear to be affiliate marketing farms with questionable concerns for editorial integrity. By posting SEO-optimized content, these sites shuttle eyeballs to pages and rake in the affiliate cash.
To be clear: there are good VPN reviews out there from sites like PCMag that rely on their reputation for authority. Others are just empty posts peddling sloppy analysis, or, worst of all, perhaps purely pay-for-play. Affiliate programs can enable bad behavior. In the case of VPNs, this makes it even harder to sift through the conflicting information about a given product.
We got a whiff of the rot inside this industry recently when my colleague Michael Kan investigated TheBestVPN.com. That site, headed by an individual with an ever-shifting set of names, aggressively sought backlinks from other sites to move up the search rankings, which in turn got the site more visitors and more affiliate dollars. His efforts were enormously successful, climbing the search results and earning links even from PCMag. Now, we don’t know if the content produced on TheBestVPN (or any of its other incarnations) is bogus, but it’s not looking good if the owner (and perhaps sole employee) can’t put his name on the work or defend it when we ask questions.
Trust But Verify
Consumer journalism faces this problem all the time. Only the vendor knows what their processes really are, and that stays true unless information leaks, law enforcement gets involved, or intelligent and trustworthy third parties verify. I think VPN companies know this, and it has helped the proliferation of both legitimate and bogus VPN products.
In my own work, my solution has been to directly ask VPN companies about their practices and policies. Sure, they can lie to me (and some probably do), but if they have to lie, then they can be caught lying. What we need now is a means to do that catching.
There is an opportunity here for VPN companies to fix their own industry. If the major players came together, agreed to a set of technical and ethical principles, and provided methodologies to verify those principles, almost all of these problems would go away. I think the industry is inching closer to this future, as more and more companies employ third-party testers to audit their products and publicly release the results.
It’s Time to Clean Up the Industry
I fear that the confusion and vitriol surrounding VPNs will make the market unsustainable. All companies, but especially security companies, have to rely on customers believing that they are good actors. Their reputations are their business. When customers no longer trust a product, they don’t use it, and when they don’t trust an industry, they abandon it. Consider antivirus companies again. Abusive practices and sloppy engineering through the 90s led to a public that was suspicious of this entire category of products, and rightly so. When the public needed protection the most, the industry failed to meet those expectations and paid a heavy price. There are still people out there who buy into the “antivirus companies actually make the viruses” school of conspiracy.
Similarly, when VPN companies directly or indirectly fund bogus review sites, generate misinformation, and rely on opacity to sell their products, they poison the well of consumer confidence. As the atmosphere around VPNs becomes more toxic, more customers will get frustrated and give up altogether. And that’s a shame, because in the internet era, everyone needs a VPN. Rather than race to the bottom, the industry needs to wise up now, before it’s too late.
Originally published at https://www.pcmag.com on May 6, 2019.