Choosing A VPN? Be Careful! Here’s Why.

Alice Corona
Published in SILK STORIES
6 min read · Feb 2, 2016

Virtual Private Networks allow you to access the Internet in a more secure way. More and more people rely on VPNs for a number of reasons: to be anonymous online, to avoid Internet censorship, to access geo-restricted content, and to try and escape surveillance. In some cases, protected access to the Internet can even be a matter of life or death, as it is with many activists and human rights defenders who rely on privacy for security purposes. It’s therefore important to know what a VPN can and cannot protect you from. It is equally important to know that not all VPNs are equal and that, while they can enhance privacy, there’s no real guarantee of anonymity.

At the bottom of the page: Interactive table with specs on 100+ services, to find the most suitable VPN for you.

All content of this page is released under CC BY-SA license. So share, remix and reuse it as you want (under the proper attribution)!

About the data: In a popular Reddit thread, the user ThatOnePrivacyGuy shared a spreadsheet in which he categorized more than 100 VPN services on the basis of their privacy and technical specs.

Disclaimer: we don’t take responsibility for the accuracy of the data and you should do your research before signing up for a VPN service! The data is compiled by ThatOnePrivacyGuy, and it seems that he welcomes the community’s feedback and is ready to amend information if it’s proven inaccurate. So ping him if you think you spot anything wrong!

Note: Silk has been discontinued as of Dec. 15th 2017 so links are broken and visualizations are static. Will replace them asap.

VPN Services by Jurisdiction (Country Base)

Most VPN services are based in the US. However, privacy experts recommend opting for non-US VPNs, because of the country’s mass surveillance laws and programs (PRISM, Patriot Act, DMCA, SCA…). For example, a US National Security Letter can force a VPN company to disclose any information it stores. And this could mean disclosure of your online behavior, possibly linked to your personal information, if the VPN company’s privacy policy mentions logging of such data.

Of the 112 VPN services reviewed, more than half (55%) are based in one of the “Fourteen Eyes” countries. Edward Snowden’s leaks revealed how these countries maintain a “special relationship” with the United States in terms of surveillance, collaborating in monitoring each other’s citizens and sharing signals intelligence information. In short, this means that users’ data can be shared beyond a country’s jurisdiction. While VPNs may guarantee you more privacy, there’s still no guarantee of anonymity. Even if VPNs aren’t directly logging online behavior and personal information, IP addresses, timestamps and other metadata can reveal your identity.

Note: countries technically not part of the “Fourteen Eyes” group, but in practice they’re part of the British Overseas Territories / Commonwealth

Also, consider that some VPN companies based in these “Fourteen Eyes” countries do log users’ traffic (WiTopia and Unlocator), or IP addresses and timestamps (HideMyAss, AceVPN, Anonymizer, IPredator and SaferVPN), at least according to data by ThatOnePrivacyGuy.

While we cannot verify his data to the level of detail the Reddit user provides, we looked into some of the privacy policies of these companies.

Ace VPN, for example, clearly advertises itself as a service offering “No logs. 100% Private & Anonymous”. Reading the fine print of their privacy policy, it is hard to discern what information the service actually does log. They vaguely report that “…we do not spy on our users and we don’t monitor their Internet usage”. Yet this is posted without a clear definition of what counts as “spying” and “monitoring”. Further, they also claim that “if we have reasonable grounds to suspect that an end user is involved in criminal activities, we reserve the right to notify law enforcement agencies”. How they manage to do so in practice, while not logging users’ data to the point of guaranteeing 100% anonymity, is unclear.

VPNs, filtered for: based in a “Fourteen Eyes” country and logging timestamps/IP addresses

Finally, consider that, other than logging a user’s details, many VPNs use proprietary APIs on their website. This is not a direct sign of how secure and private a VPN is, but it does say something about the extent to which a certain company is independent.

Check out the list below, and find which VPN would best suit your needs.

Top 25 VPN services reviewed for number of proprietary APIs

Find the most suitable VPN for you: Interactive table with specs on 100+ services

Notes

The following text is all directly quoted from ThatOnePrivacyGuy’s spreadsheet

Note that these metrics are collected from the official websites and other reputable sources. This section takes each company at their word. It’s up to the user to decide which is trustworthy.

Bandwidth: Some services limit the bandwidth of the user. When a company’s privacy policy explicitly states no bandwidth usage logging, you can be more sure they’re serious and don’t have an invisible, unadvertised cap.

Requires Personal Info: Personal Info includes things like First Name, Last Name, Phone Number, Address, etc. Email alone is considered better than a Yes, since it may or may not be tethered to an individual’s identity.

Warrant Canary: Note that not all companies use effective warrant canaries. A “yes” in this field does not guarantee quality, only that they claim to have a system in place. Please research the details for yourself. Also note that there is some debate as to the effectiveness of a warrant canary between experts — as force can be used by governments to coerce companies into maintaining them.

Blocks SMTP: A “Some” in this field means that the company’s support team may be willing to whitelist your E-Mail provider’s SMTP server upon request. Another possibility is the company supports some workaround method.

Blocks P2P: Services marked as blocking “Some” P2P usually only block it on servers dedicated for streaming. Other possibilities are that the P2P user is throttled — or worse, banned. The user is responsible for researching further based on their needs.

# of Proprietary API’s Used on Website: This field is derived from a urlquery scan of each service’s website. Not all services are of equal concern (or even concern at all). This is a loose indication of how dependent on proprietary software a given company is.

Server SSL Rating: Run using Qualys SSL Labs — SSL Server Test Tool

# of Simultaneous Connections: A 10 in this field actually indicates no advertised limit for simultaneous connections. (Done this way for conditional formatting purposes only).

# of Servers: Note that some companies report physical server count, and some report potential virtual server count (to inflate the numbers). Do your own research on a case by case basis if this is an important metric for you.

Refund Window: Often, payments made by cash or bitcoin CANNOT be refunded. Users should research as needed.
