How Can You Decide Which VPN To Trust? (slate.com) 134

Slate's senior technology writer reports that his hunt for a reliable ISP "led me on a convoluted journey through accusations and counteraccusations, companies with shadowy leadership and those with conflicts of interest, and VPN ratings sites that might be even shadier than the companies they're reviewing." Many VPNs appear to be outright scams. Others make internet browsing sluggish. Free versions bombard you with ads. It's a world so thicketed that the leading firms and experts can't agree on the basic criteria for what counts as "reputable," let alone which companies best meet that description. The CEO of one top VPN company, Silicon Valley-based AnchorFree, told me in a phone interview that he suspects one of his top rivals is secretly based in China -- which would raise a red flag for many privacy advocates because of the Chinese government's aggressive surveillance regime... [But] many VPN users consider offshore providers preferable to U.S.-based firms. AnchorFree, for its part, has been dinged by reviewers for running a free, ad-supported VPN, which some privacy experts consider a conflict of interest. (It also offers a paid VPN service.) The two companies point to dueling trust reports by outside groups, each of which appears to reflect well on the firm that's touting it, thanks to different methodologies. "It is fascinating the amount of sniping that goes on" between VPN companies, said Joseph Jerome, who has closely studied VPNs in his role as policy counsel for the Privacy and Data Project at the nonprofit Center for Democracy & Technology. "They are very quick to pull out knives and shiv each other...."

If it's so hard to assess the credibility of the industry's top names...you can imagine how difficult it might be to suss out the myriad lesser-known alternatives. A January investigation by the site Top10VPN found that more than half of the top 20 free VPN apps on the iOS and Android app stores either have Chinese ownership or are based in China. That's all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they're sharing data on their users with the Chinese government. When you use a VPN, you're trusting that VPN with the same deep level of access to your online activity that you'd normally give your ISP. In other words, now they can see what you're up to whenever you're using the internet. VPNs may be more privacy-focused than big, corporate ISPs, but they're also smaller, more opaque, and less publicly accountable.

"I just wanted internet privacy. I hadn't bargained on a knife fight..." the author writes, concluding that "Several weeks, dozens of calls, and thousands of words later, I can't say I'm much closer to a clear-cut answer... One of the only definitive takeaways, besides 'steer clear of free VPNs,' is that your choice of VPN should depend on what you're using it for.

"If you're just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that's clear about both who owns it and how it treats your data."

  • Ones you (Score:5, Insightful)

    by oldgraybeard ( 2939809 ) on Saturday March 02, 2019 @03:39PM (#58204830)
    set up, manage and monitor yourself!

    Just my 2 cents ;)
    • Re: Ones you (Score:2, Insightful)

      by Anonymous Coward

      It really depends on the threat model you are working from.

      Use to hide from communication tracking. This sort of thing happens on open free WiFi networks, as well as home internet connections in countries with draconian monitoring of internet use (like Australia and UK). This kind of VPN requires anonymity at the end point, which must operate without tracking or logs.

      Use to avoid geolocation fences around online content. This is a clear advantage offered by many VPN companies.

      Use to avoid state level monito

    • Re:Ones you (Score:4, Insightful)

      by Aighearach ( 97333 ) on Saturday March 02, 2019 @04:34PM (#58205002)

      Never trust. Never.

      Even if I set it up myself, I don't trust it. It still might have been compromised.

      Even if I set up the VPN myself, I still need to encrypt the traffic. Because trust is for fools.

      And if I already encrypt the traffic, I still need a VPN. Because trust is for fools.

    • set up, manage and monitor yourself!

      That’s somewhat more difficult to do if you’re trying to “VPN” out of your home country.

      But for, say, accessing work materials when you’re away from your home base... definitely.

      • by WCMI92 ( 592436 )

        Bingo. I only trust servers that I set up and manage. Involve any other party and you cannot trust it.

        • You're also incompetent, trust a known traitor apologist and liar, and have no idea what handshake methodology is at all secure or even which that you're currently utilizing. FTFY. And since you didn't write your own compiler, it's pointless.

          • by tepples ( 727027 )

            And since you didn't write your own compiler, it's pointless.

            The diverse double-compiling construction [dwheeler.com] described by David A. Wheeler reduces the probability of a meaningfully compromised compiler to a negligible level, so long as at least three independent compilers for the language exist and one of them is free software.

      • That’s somewhat more difficult to do if you’re trying to “VPN” out of your home country.

        That entirely depends on the reasons why you want to use a VPN in the first place.

        If you're trying to VPN for the purpose of evading geo-restrictions on video, then setting up a VPN out of your home country is easy (for most people in the world at least): sign up for Amazon AWS/Microsoft Azure/Google Cloud Platform, fire up a Linux instance, install and configure OpenVPN, and you're done. You can go from nothing to having your own VPN in another country in less than an hour (if you know what you're doing,

    • by bradley13 ( 1118935 ) on Saturday March 02, 2019 @06:06PM (#58205418) Homepage

      A DIY VPN is not really a solution, at least, not beyond the trivial case of dialing in to your home server. If you want an encrypted connection with an exit point in country X, are you going to buy and pay for a server in country X? What about country Y? How are you going to pay for and maintain those exit points anonymously? And anyway, if only you and maybe a few friends/family are using it, traffic analysis can make the VPN encryption pretty much useless.

      The point of a commercial VPN service is not only the encryption, but also the anonymity that occurs when your traffic is mixed with thousands of other users.

      • by Anonymous Coward

        It's called an AWS instance or some other cloud service provider running OpenVPN. Of course then you have to trust that cloud provider your data is going through

      • If you want an encrypted connection with an exit point in country X, are you going to buy and pay for a server in country X?

        Something like that, it's easy.

        What about country Y?

        Even easier than country X

        How are you going to pay for and maintain those exit points anonymously?

        Same way you pay for your commercial *anonymous* vpn, except that I have bit more control over things. And my vpn isn't some target for mass surveillance like a commercial vpn solution. And I can actually know that no logs means no logs, to an extent at least.

        And anyway, if only you and maybe a few friends/family are using it, traffic analysis can make the VPN encryption pretty much useless.

        That is a valid concern for a few people who have need for a vpn, but it's even easier to overcome than the trivial setup of the vpn to begin with. So if you happen to be among the vast minori

      • If you want an encrypted connection with an exit point in country X, are you going to buy and pay for a server in country X?

        Why not? With cloud-based services like Amazon EC2 you can set up a cloud computing instance suitable for running a private VPN in various data centres around the world in minutes. Heck, Amazon provides t2.micro instances free for the first 12 months to new accounts -- so this is neither difficult nor expensive to accomplish.

        I agree with your other points concerning traffic analysis -- this isn't exactly a great solution for privacy (although more than sufficient for bypassing georestrictions), but you mak

      • Agreed. I had the initial thought about not trusting commercial VPNs, and then only trusting one I might create myself. While I don't really know how to do it off hand, I'm pretty sure I could figure it out. Unfortunately it became pretty clear before I even got that far that anything reasonable would be more expensive, and perhaps more importantly I would have to basically get into an agreement for hosting someplace else, which boils down to the same thing but somewhat worse. Do you trust the company and/

  • ... all states and their respective corporate elites fear the political awakening potential of the internet and mass communication technology. Privacy under a capitalist model is a fantasy when the state actor on behalf of the corporate elite will use the state against other businesses who enable resistance to their authority.

    All states are preparing for the political awakening of the masses of the globe, they are expecting conflict. Zbigniew Brzezinski, former national security advisor of the United States:

    • Fear-based responses are unlikely to produce outputs like "privacy."

    • .. all states and their respective corporate elites.....All states are preparing for the political awakening

      There is almost certainly a state somewhere that is not preparing for that. When someone tells you "All" whatever, they are usually being intellectually lazy, and don't deeply understand the topic they are talking about.

  • by rsilvergun ( 571051 ) on Saturday March 02, 2019 @03:42PM (#58204840)
    you insensitive clod!
  • There's so little objective information available to make an informed decision, and that absence is largely at the discretion of the VPN providers. Forcing people to choose randomly or base their decision on non-objective criteria serves the interests of the VPN providers. It's like voting for President these days, given how candidate campaigns are run.

  • by phantomfive ( 622387 ) on Saturday March 02, 2019 @03:49PM (#58204866) Journal
    If you have SSH on a server you can set up a proxy using SSH:

    ssh -D 8080 user@server -p 443

    You can configure your browser to go to your local port 8080 using SOCKS. The remote server can be something at home, or on AWS, or on Cloudflare, etc. More info [daniel.haxx.se]. Don't trust any proxy, build your own.
    • That isn't a VPN. It is just a proxy and it only works with stuff that supports SOCKS.

      OpenSSH can make a VPN with ssh -w but it kinda sucks at it.

      • You are right, but most of what people use a VPN service for is to act as a proxy. They don't want their country or their company to know what they are browsing to on the internet.
        • Yes, you are right. Most people have no idea that there is more to the internet than web sites and email. You start talking TCP vs UDP to them and they have never heard of either of them.

    • So instead of tracing to one thing you own they trace to another thing you own? Personally I'd rather use a big company knowing my data will be obfuscated by a mass of other shit going through the pipe which any trace is likely to write off as "too difficult" (at least if the provider doesn't keep logs as they claim).

  • by darkain ( 749283 ) on Saturday March 02, 2019 @03:56PM (#58204894) Homepage

    "Free versions bombard you with ads." Opera Browser has a built in VPN without any ads whatsoever. *shrug-emoji*

    • Re:Opera (Score:5, Informative)

      by williamyf ( 227051 ) on Saturday March 02, 2019 @04:56PM (#58205098)

      Opera is owned and run by a Chinese company. If you trust them, fine, but Chinese ownership was a concern raised in the article.

      I live in Venezuela, and for what it's worth my choice is ProtonVPN

      JM2C, YMMV

  • Comment Subject: (Score:4, Informative)

    by Falos ( 2905315 ) on Saturday March 02, 2019 @04:12PM (#58204940)

    https://thatoneprivacysite.net... [thatoneprivacysite.net] is an attempted chart of jurisdictions, practices, etc. so reference away. I think torrentfreak or such also do a top-ten or something, every few (12?) months.

    I went PIA (supposedly keeps no logs, has anonymous payment models) but for casual use, don't come to me if your drug/human trafficking gets busted. Service is mostly stable, occasionally sites are inaccessible (or just blacklisting). They got bonus points for calling out repu- er, congressmen voting on ISP tracking bills and such.

    It's a sick joke that I have to pay two web-connecting services to connect to each other, but here we are.

    • I use PIA as well, and I am pretty happy with the service. It's generally fast, it's easy to pick an end-point in whatever country you want to be in. They do get blacklisted by some organizations (example: BBC), but that's life.

      The only thing I don't like is that PIA is US-based, land of secret courts and secret warrants.

      But then, I'm not doing anything illegal, I just don't particularly want my ISP nosing around in my browsing, and sometimes I want to access services that are geo-blocked for no good reason

      • by jwhyche ( 6192 ) on Saturday March 02, 2019 @09:25PM (#58206090) Homepage

        I use NordVPN myself. It's based out of Panama and has a no log policy. I really don't believe that but it has a policy. I also don't use it for anything super illegal but I'm not above poaching a video or two over p2p.

        I don't believe for a moment that a vpn makes me untrackable but it does throw extra road blocks in the way. If I'm leeching something out of South Africa then any US based warrant has to be brought up in South Africa. Which will make it more difficult to spy on me.

        All a vpn does is make you higher fruit on the tree. It's the low hanging fruit they go after. If all the MPAA has to do is serve a search warrant to your US based ISP to get your traffic logs, then you are low hanging fruit. If they have to serve a search warrant to a company based in Panama to get the logs off a server, if they exist, in South Africa, then it's more complex. Doesn't mean it can't be done, but it does make it more complex and more expensive.

        • I don't believe for a moment that a vpn makes me untrackable but it does throw extra road blocks in the way.

          And that's just the thing. Unless you're running a dark web market place for drugs you don't need to be untrackable, you just need to be less trackable than someone else doing your activity.

          Think automatic monitoring of torrents. Your IP address will be bunched in a pool of many others, the MAFIAA will send these to the ISP, the ISP will reply with addresses and MAFIAA will pursue. They'll get a percentage of legit IP addresses to follow up on, a percentage that they throw in the too hard basket, and

    • The thing is, if the service retains the information that allows the 'drug/human trafficking' people to get busted, you effectively have as little privacy as them. That is the modus operandi of government, they develop the tools and access under the guise of busting serious, horrible crimes, then immediately start using that to go after less and less serious stuff, and monitoring everyone 'just in case' or 'to detect hidden criminals'.
      There is absolutely no way to trust any service that allows killing pri
    • From the site itself: "My data simply reflects what is officially and publicly avaiable[sic] for a given service on their own official website."

      No attempt is made to independently verify claims of the VPN providers. But just because someone is running a shady VPN service doesn't mean they would LIE about running a shady VPN service, right?

  • by Solandri ( 704621 ) on Saturday March 02, 2019 @04:20PM (#58204970)

    That's all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they're sharing data on their users with the Chinese government.

    Isn't that obvious? The Chinese government doesn't want its citizens using a VPN, because they'd probably pick one hosted outside China and thus pierce the Great Firewall. But it's more than happy to let people from other countries pipe their traffic through Chinese VPN servers, so they can figure out who's visiting where.

    Remember, with most of the web switching from http to https, most of your traffic is already encrypted. So a VPN doesn't help in that regard. What a VPN does is obfuscate you as the source/destination of that traffic, by making it appear as if the traffic is coming from the VPN server instead of your computer (acting as a proxy). But the company running the VPN obviously knows who you are, and has to know which traffic is yours in order to function properly. If the VPN provider is logging that info or handing it over to the government, that defeats the purpose of using a VPN.

  • More than ads (Score:4, Interesting)

    by xlsior ( 524145 ) on Saturday March 02, 2019 @04:23PM (#58204972) Homepage
    Many of the 'free' ones don't just throw ads at you, but work by a reciprocal agreement -- your traffic has an exit point in a different country, and you become a random other user's exit point in return... So even if you are on the up-and-up yourself, who knows what shady shit other people are doing and which now appears to originate from your IP address.
  • Public is not the same as Private. Most commercial "VPNs" are actually Virtual Public Networks. Rule of thumb:

    - Any VPN in which a corporation or an untrusted individual is a participant node should be regarded as Public.

    - Any VPN running code which you haven't compiled yourself from known-good sources should be regarded as Public.

    - Any VPN using non-standard encryption or pre-generating keys for member nodes should be regarded as Public.

    If you really need to trust a VPN then don't deceive yourself --- do

    • by AHuxley ( 892839 )
      Most people just want to be safe from NGO, city, state, federal governments collect it all and crypto removal efforts on their nation's ISP services.
      A VPN keeps their ISP connection encrypted until out of their own nation.
      That month after month of IP logs by their ISP and gov show nothing.
  • by account_deleted ( 4530225 ) on Saturday March 02, 2019 @04:37PM (#58205012)
    Comment removed based on user account deletion
    • Exactly. I started reading "Silicon Valley based" and thought, "God no. The US government are *proven* to be terrible at spying and privacy"... And then the sentence went on to complain about China for some reason!?

      • There are a lot of racists who are delighted to finally have a socially acceptable outlet for their vile hatred. Sinophobia is back in a big way.
    • by jwhyche ( 6192 )

      This exactly. I really don't believe the Chinese government gives two shits and a Popsicle if I'm leeching the latest season of The Flying Nun or some shit. But that being said, I'm not really worried about my government. I figure that if I'm on some list to be watched it wouldn't matter if my internet traffic is going through vpn or not.

      I use a vpn to keep my local isp from seeing what I'm doing. I don't want them seeing what I'm leeching, if I'm leeching, then turning me over to MPAA or some shit

  • by Anonymous Coward

    privateinternetaccess.com is a good vpn.

  • by Artem S. Tashkinov ( 764309 ) on Saturday March 02, 2019 @05:06PM (#58205152) Homepage

    You shouldn't trust any except the one you've set up on your own and then you still need to use TOR over VPN 'cause otherwise the company which is renting you a server will know all the IP addresses you ever connect to. And then the same company still has full access to your server, so consider yourself burnt.

    In short, use TOR over VPN if you want to remain incognito, or/and chain several VPN providers and hope they are not under the same jurisdiction.

    • by AHuxley ( 892839 )
      A VPN is good for keeping an IP and ISP logs issues away within a nation.
      Once the mil/security services/police notice a comment, IP, they will find the VPN IP, contact the VPN and put in a request to that nation.
      To find that account next time the VPN is used and on that site.
      The next time a VPN user is online trusting that secure VPN IP, their ISP IP will be discovered and recovered by law enforcement in the VPN nation.
      The VPN will work until someone starts a real time police investigation into that VPN
    • The FBI, among other three letter agencies, has been known to operate end points in the TOR network. TOR is a useful, but not entirely sufficient way to stay anonymous on the internet. If that's your goal, you have to use TOR, a good VPN, and a dedicated operating system such as TAILS. And you have to properly configure each of these at all times. Anonymity on the internet is hard, and requires careful stagecraft. And even if you do everything perfectly every time, it still might not be good enough.
  • The CEO of one top VPN company, Silicon Valley-based AnchorFree, told me in a phone interview that he suspects one of his top rivals is secretly based in China ...

    Uh-huh.

    "Look, it's totally not that they're one of my *top rivals*, but ..."

  • by janoc ( 699997 ) on Saturday March 02, 2019 @05:21PM (#58205222)

    VPN where you don't control both endpoints is not a VPN, by definition.

    What these companies are offering are only glorified traffic tunneling services and proxies, not a true private network. Good for bypassing region restrictions on stuff like Netflix but not for anything where privacy is actually required.

    • I completely disagree with you lumping everything into an English word "VPN".

      The point you're trying to achieve is privacy and encryption. There are many facets to this. Some of them are absolutely beneficial if you control them e.g. knowing if log files are kept on the server, knowing what is running on the server etc. Some of them are absolutely beneficial if they are completely communal e.g. obfuscating your data in a massive mess of other customers, knowing that the IP address at the endpoint is associa

  • The internet is not private. VPNs are pretend security.
  • VPNs may be more privacy-focused than big, corporate ISPs, but they're also smaller, more opaque, and less publicly accountable.

    "All governments lie." -- I. F. Stone

    VPNs are more accountable than the NSA, CIA, DEA, DHS, & FBI with their "National Security Letters." And those guys are just as untrustworthy as the Chinese security agencies. The main advantage is that the Chinese agencies have far less power over US citizens than the US ones.

    How you hide your IP address depends on why you're doing it. If you don't want US corporations to monitor your web traffic, then a VPN in any country that is non-compliant with US corporations

    • BTW, a VPN won't hide you from Google, Facebook, etc. They're pretty good at digitally fingerprinting whichever device you're using & tracking your web activities pretty well that way.
      • by AHuxley ( 892839 )
        Going to the same sites in the same timezone with the same comments, searches will be an easy match for powerful ad brands.
        The changing of an ip is something that ad brands have had years to understand, detect and not worry about.
        The way the internet is used again and again detects the same person.
  • ..and it's been untrustworthy since it's been accessible by the public-at-large -- and perhaps even before that.
    Your only hope is to encrypt and safeguard everything you do as much as humanly possible, and if you don't, assume whatever it is you're doing is being spied on and collected by parties unknown. Keep your own data on your own devices instead of falling for the meme known as 'The Cloud'. Don't entrust the security of your home to 'Internet of Things' devices. Sensitive communications? Either keep
  • Use tor, instead.
  • IMO the only useful metric is how the VPN provider responds to a request from MPAA about a client's torrent activity.

    My use case doesn't consider Chinese govt monitoring important. I would be curious to hear why non-Chinese slashdot readers would consider this a threat.

    IMO the major threat is MPAA.
    • by Socguy ( 933973 )
      Microtargeting. Not just from the Chinese, from any foreign government. AI is used to build a profile of you and then you are served content through facebook/twitter etc. designed to influence you to support or oppose certain policies. Sometimes it's very crude but done well, you will never notice it at all.
