Are you sure you can trust your VPN?

Today, virtual private networks are an indispensable attribute of privacy. But try to determine which ones really make your life safer.

Everybody can give such advice: from Consumer Reports to the New York Times and the Federal Trade Committee : if you want your web activities to remain private and secure, consider using a virtual private network, or VPN.

VPN encrypts Internet traffic and redirects it through remote services, protecting your data (browsing history, downloads, chat messages) and masking your location. VPN services have long been popular with hackers and pirates, and inevitably should have become a mass phenomenon - like ad blockers before them - as the average Internet user takes privacy more seriously. It is difficult to find reliable data on their use, however, two VPN services have recently hit the 30 most popular applications in the Apple App Store, ahead of such serious players as Lyft, PayPal and Yelp. One analysis of this industry estimated that using VPNs from 2016 to 2018 was four times more likely , and the Global Market Insights forecast suggests that the VPN market in the US will grow by 2024up to $ 54 billion.

So maybe I should get a VPN? After all, I write articles on technical topics, and I know perfectly well the groundlessness of our assumptions about privacy online. I occasionally connect to unsafe WiFi networks at airports or coffee houses, and although I have never downloaded pirated movies, it happens that I circumvent the geographical restrictions on web content. I definitely don't like the idea of ​​trusting my Verizon ISP with all the details of page browsing. And yet, for many years, I resisted the urge to subscribe, or even sort out the technology in detail, which many privacy and security experts consider necessary for safe browsing.

However, when I went looking for a suitable VPN, I ran into an uncomfortable problem: how to determine which of the many VPN providers to trust.

The search for a trustworthy VPN pushed me onto a winding path leading through accusations and counterclaims, past companies with unintelligible leadership and conflicts of interest, sites with VPN ratings that look even more suspicious than the companies they review. Many VPNs seem like outright fraud . Others make internet access slow. Free versions overwhelm you with advertising. This is such a confusing world that even leading companies and experts cannot even agree on what constitutes a good reputation for the service, not to mention which companies fit this description.

The director of one of the largest VPN companies, AnchorFree, based in Silicon Valley, told me in a telephone interview that he suspects that one of his main rivals is secretly located in China - and this would immediately cause objections to privacy advocates because of aggressive surveillance, implemented by the regime of China. One of the directors of this competitor, ExpressVPN, insisted that this was not so, although he refused to disclose the location of the company’s owners and their identities. The company is registered in the Virgin Islands. He argues that such secrecy is even good, because governments cannot put pressure on ExpressVPN administrators and demand that they give out user data if they don’t know who they are and where they are. And many users in the US really prefer foreign VPN providers over American.

AnchorFree itself is accused of being a free VPN, which exists through advertising, which is why some experts express concern about a conflict of interest arising on this basis (the company also provides a paid service). Both companies point to competing reviews regarding trust in these firms, each of which, due to different methodologies, is inclined to favor the company that advertises it.

“The amount of rival advertising for these companies is amazing,” said Joseph Jerome, who studied VPN in detail due to his role as a policy consultant in the Privacy and Data project , organized by the Center for Democracy and Technology (CDT). "They instantly switch to knives."

It is possible that AnchorFree, claiming that ExpressVPN is of Chinese origin, simply trolls the company, but this risk cannot be called fictitious. On February 7, when I was working on this story, Senators Ron Weiden and Marco Rubio called on the US Department of Homeland Security to begin investigating the risks of foreign governments spying on Americans via VPN.

I just wanted privacy on the Internet, and did not sign up for a knife fight.

* * *

VPNs work by redirecting your Internet connection through remote servers that hide your location and make it harder for websites to identify you. They also hide your Internet activity from your own Internet provider, who otherwise has access to almost everything you do on the network - like, say, any police agency that received a warrant to study your actions (or, to be completely paranoid, at the intelligence bureau).

Although VPN services do not advertise this directly, they can be used to circumvent the laws of your own country or restrict legal traders by connecting through servers located in another country. Access to entertainment content is the most popular reason for using VPNs worldwide, according to the report.from 2018 GlobalWebIndex. Among other popular reasons are access to social networks and news in the countries where they are blocked (VPNs are especially popular in China, despite their official ban) and maintaining privacy while browsing sites.

If you need a stronger reason to use a VPN, in 2017 the U.S. Congress rejected a bill that was supposed to ban Internet service providers from monitoring and selling information about your online activity without your consent. In fact, your ISP can now legally mine your Internet habits for profit.

At the same time, the end of network neutrality in the USA opens up the possibility for providers to prohibit or restrict access to certain content or to charge you more money for access to it. A VPN may offer a way to circumvent restrictions — although if they become too popular, providers may try to deny the VPN itself.

VPN is not a new phenomenon. Their appearance dates back to 1995, when Microsoft programmers developed a way to allow business customers to make Internet communications safer. In the 2000s, they began to gain popularity among technology-savvy individuals, open source software helped reduce their cost, and sensational hacks drew public attention to Internet security issues. AnchorFree was founded in 2005, ExpressVPN - in 2009.

But only recently, VPN providers have become very popular in the technology world. They spun thanks to the development of unsafe public WiFi networks and online content available in some countries and not available in others. For example, the British could watch the 2012 Olympics on the BBC for free, while in the United States they could watch it only on pay-TV. The popular VPN provider TunnelBear, founded in 2011, was purchased in March 2018 by McAfee, a computer security giant, and the deal was not disclosed. In September 2018, AnchorFree received an investment$ 295 million, an unprecedented amount for a VPN startup. She has every chance of becoming the first VPN unicorn - a startup that is valued at $ 1 billion - if that hasn't happened already. AnchorFree director David Gorodiansky told me that as of February, his company’s VPN, Hotspot Shield, was downloaded 400,000 times a day.

Now is the best time for a boom VPN. Which brings us back to this nasty problem of trust. If it’s so difficult to evaluate the reliability of the industry’s biggest names, such as AnchorFree and ExpressVPN, imagine how difficult it is to evaluate a carriage of lesser known alternatives. A January study on the site Top10VPN reportedthat more than half of the 20 most popular VPN applications in stores for iOS and Android are either Chinese or located in China. This is all the more suspicious, given that VPNs were officially banned in China last year . If China allows them to continue to work, perhaps this is due to their cooperation with the Chinese government.

Using a VPN, you trust this service at the same deep level that is usually available to your Internet service provider. That is, the service now knows what you are doing when you use the Internet. These services may focus more on privacy than large Internet providers, but they are also smaller, less transparent, and less responsible to the public.



And while any VPN provider will swear to you that it is your personal privacy that cares the most, some of them tend to point fingers at their competitors and claim that they cannot be trusted.

* * *

So how to choose? One could start with the largest provider — but it’s almost impossible to find out who he is. Most of the largest firms are private and do not disclose the size of the user base. The easiest way to become a major VPN provider is to offer free services - usually with the support of advertising - and this complicates the situation even more. Free VPNs also typically limit traffic and geography. Many experts will say that you should stay away from such services, because in this case, the interest in maintaining privacy conflicts with the interest of palm off targeted ads to users.

AnchorFree, which offers a free version of the Hotspot Shield program for Android users, says that as a measure to resolve this conflict, it shows users only general Google ads that don’t use AnchorFree user data. Advertising appears periodically when using the application, and it must be viewed in order to continue browsing sites. There is no advertising in the free version of Hotspot Shield for iOS, but there is limited traffic and connection is allowed to be established only through servers in the USA.

What about the best rated VPNs? There are dozens of sites with reviews, their reviews often contradict each other, and the criteria are not always transparent. Two of the most respected sites where VPN reviews are published, namely PCMag and CNET, gave the Panamanian service NordVPN the best ratings, positively assessing its speed, ease of use and privacy features. And the other two, Wirecutter and Tom's Guide, found NordVPN slow and full of mistakes. And like ExpressVPN, NordVPN is trying hard to hide the true owners of the service. As noted in Tom's Guide, the company is a subsidiary of the Panamanian holding Tefincom SA, which, apparently, is a shell company . And, as with ExpressVPN, you can come up with excuses for this anonymity .

ExpressVPN is at least first on the top of the two charts appearing on the first pages of Google search, TechRadar and TheBestVPN.com . Both sites emphasize good service speed and usability; none mention the fact of concealment of service owners.

Gorodiansky, director of AnchorFree, has an idea about why his service does not soar in ratings. Many sites with VPN reviews earn on affiliate links, receiving small deductions from each registered user who came to these provider via these links. “These sites have no motivation to tell the truth,” he says. He claims that they either downgrade Hotspot Shield or simply ignore it because they cannot make money on recommendations from the free service.

Harold Lee, vice president and sole public face of ExpressVPN, protects the degree of privacy of his company by putting it at the level of the best in this field, not despite the opacity of the company, but thanks to her. He says this is a matter of both job security and personal privacy. Is it so surprising that people who created one of the best virtual private networks back in 2009 will carefully protect the secrets of their own personalities?

Lee himself works in Hong Kong, outside the mainland of China's Great Firewall, and should not be subject to cumbersome Internet censorship. The ExpressVPN team is scattered around the world, Li says, and all claims that they are based in mainland China or affiliated with the Chinese government are incorrect. “If people rush with unconfirmed accusations, then what's the point of describing them,” he said. It is also worth noting that a VPN provider with dishonest intentions would offer a free service to attract more users. ExpressVPN, the cost of which varies from $ 8 to $ 13 per month, is one of the most expensive on the market, and does not offer free versions, which adds credibility to them.

After the original article was released, Lee sent a more detailed statement to the editor, where he denied any connection with the Chinese government. “ExpressVPN is inherently opposed to government censorship and surveillance, and our service every day helps many people in China and around the world circumvent censorship,” it says. - For this reason, the Chinese government periodically tries to block our service and remove the application from the Chinese App Store. Any allusions to our relationship with the Chinese government are 100% false. ”

To establish trust in ExpressVPN, Lee offered to take a look at the history of her work. He pointed to an international incident when the practice of working with data in the company was tested. In 2017, the Turkish government confiscated ExpressVPN servers as part of an investigationthe tragic murder of Russian ambassador Andrei Karlov . The authorities hoped that the data could shed light on the communication of the murder suspect and Turkish public figure Fethullah Gulen , hiding in the United States. However, no logs were found on the servers , which proves ExpressVPN claims that the company does not keep records of user activities.

Perhaps the protection of individuals suspected of an international conspiracy should not be added as a plus to the VPN provider. Some members of the VPN industry believe that such facts highlight the dubious side of a product that should deal with online security, rather than helping people circumvent laws.

When a VPN hides the owners ’identities and signs up offshore,“ it usually happens because the company is breaking the law, ”said Francis Dinha, co-founder and director of OpenVPN, an open source service for business customers. Dinya considered ExpressVPN accused of having links with the Chinese government far-fetched, and said that service owners were hiding, most likely because their service was primarily intended for piracy or other illegal activities. From his point of view, VPNs should be used primarily for cybersecurity, not anonymity. He notes that a VPN will not prevent platforms such as Facebook and Google from identifying and tracking you in ways other than determining an IP address.

However, in the security world, the Karlov episode can be considered serious evidence: if ExpressVPN is suitable for political hitmen, its services should be enough for other people. Many VPN providers say they do not store user activity logs, but this statement is difficult to confirm in the absence of international incidents that suit them.

Jerome from the Center for Democracy and Technology (CDT) is very familiar with ExpressVPN. To confirm its honest intentions, ExpressVPN last year, along with four other VPN providers, formed a partnership with CDT to launch an initiative to increase trust in VPNs. He compiled a list of " signs of bona fide VPN"by inviting other providers to answer eight questions related to topics such as company ownership, a business model, and privacy practices. The question of ownership asks the company to disclose its full legal name, all parent companies and the location of their headquarters. He does not ask only the names of company directors.

Jerome apologized to my question about the managers of ExpressVPN and said that he could not comment on anything. “We worked with these companies on trust,” he said. “Our final product reflects some of the difficulties we have encountered.” Jerome says that he initially hoped to conduct a more detailed audit, but that would require more resources and closer cooperation on the part of the providers. “It was very difficult to get them to agree on how we will evaluate them, and who specifically will evaluate them,” he said. - I think they all consider themselves honest players. But I think that there is a fear that if people look under them under the hood, they will see something bad there. ”

* * *

AnchorFree was not involved in the CDT project. She ordered her version of the audit from the German company AV-TEST, which evaluates antiviruses and software for computer security. It is not surprising that in her report disclosure of information about the owners and managers of the company became the main criterion , and the providers ExpressVPN and NordVPN were criticized for the lack of transparency. AV-TEST also noted those companies that issue an annual transparency report - and AnchorFree recently started doing this. And, and AnchorFree also came in first place among providers in terms of connection speed.

Given the popularity of the company's free service, aggressive investment collection and partnerships with companies such as Samsung - whose phones now come with the built-in free version of Hotspot Shield VPN - AnchorFree may be the best among companies trying to monetize the popularity boom of VPN. However, it does not appear in many ratings, partly due to the bias of experts in relation to a free VPN, partly due to poor performance in speed tests conducted by third-party companies.

It turns out that the most serious blow to the reputation of AnchorFree was received by the CDT in 2017, when the latter sent a complaintto the Federal Trade Commission, arguing that Hotspot Shield misleads free VPN users by writing more data about them than necessary, and in some cases redirecting them to advertising partner sites. Gorodiansky from AnchorFree calls these statements “regrettable misunderstandings,” but AnchorFree soon afterwards changed its terms of service. In 2018, the Commission published a blog entry regarding the benefits and risks of VPNs, but no other actions were taken from it.

ExpressVPN almost won the long-awaited recommendation from Wirecutter, which published a very detailed and extensive VPN review. There are hints in the text of the review that ExpressVPN could take the first place if not for one “but”: refusal to disclose information about the owners. Wirecutter editor Mark Smirniotis noted that ExpressVPN suggested organizing a confidential conversation with the owners, but he decided that this would not be enough to change his assessment.

Instead, Wirecutter recommended a smaller IVPN service, which, according to the author of the article, "copes with issues of trust and transparency." The IVPN is officially located in Gibraltar, which, like the Virgin Islands, belongs to the British Overseas Territories.. VPNs are often chosen as a base for offshore territories, since they lie outside the direct jurisdiction of the governments of the major world powers, and rarely have large national security agencies.

With the growing demand for VPNs, the industry has a strong motivation to grow out of the Wild West phase. Partnerships with nonprofit companies and audits conducted by third parties are a step in this direction. NordVPN recently took this path after AnchorFree and ExpressVPN, ordering an auditPricewaterhouseCoopers to confirm their privacy statements. However, such audits would be much more meaningful if they were not requested by individual VPN providers. People like Jerome are trying to push industry standards, but for now, VPN providers are shying away from audits whose methodology they cannot control.

More serious changes may follow when some of the market leaders decide to become public companies or sell to such companies. Of course, public companies are not immune from dubious actions, but they must obey the laws on the publication of information and undergo an audit. Other providers will remain private companies, at the risk of provoking skepticism about themselves for the sake of being able to remain in the shadows - or out of reach of the governments of major powers.

Starting this article, I thought I would choose a VPN that I can trust for personal use. Several weeks passed, dozens of calls were made, thousands of words were written - and I can’t say that I have come close to a clear choice.

One of the definite conclusions, besides “staying away from free VPNs”, is that the choice of VPN should depend on what you are going to use it for. If you just want to use the Internet safely, it makes sense to choose a large American company that clearly talks about its owners and how it relates to user data. If you want to download pirated files from torrents, watch blocked content, kill an ambassador or somehow escape from the long arm of your government (and other governments with which it cooperates ), it is better to choose an offshore VPN - if you are sure that the provider does not secret communications with the government from which you are trying to hide.