Other Factors to Consider in Choosing a VPN
First published: April 2019. Latest revision: April 2021.
This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use.
In the past two articles we’ve looked at various technical factors and issues with respect to choosing a trustworthy VPN service. Here we’ll examine several non-technical issues.
Find a well-established VPN service
VPNs have been much in the news lately, with just about every article that has anything at all to do with Internet security noting the benefits of using a VPN. As with most things that stir the public’s interest, there arises someone who will want to satisfy that interest. Hence, there has been a proliferation of new VPN services over the past few years arising from entrepreneurs seeking profit. Unfortunately, some are in it only to make some quick money.
It would take a fair amount of research to compile a list of VPNs that are well-established and not “fly-by-night” operations, but the effort would be worthwhile. Once your privacy is given up by a shoddy operator, that privacy is gone forever! So, do some investigating and try to find some VPNs with good “track records” over the course of several years.
Third party auditing
There has been much talk of the need for independent security audits among VPNs, but audits are neither cheap nor easy to do. Many VPNs either want assessments done on the cheap or the results are so problematic that nothing is ever revealed publicly. When CDT (The Center for Democracy & Technology) first began speaking with VPNs, only TunnelBear had undergone security audits where its auditor, Cure53, also released information about the problems it uncovered. Subsequently, we also saw Mullvad undergo an audit with Cure53 in addition to VyprVPN undergoing a logging audit by Leviathan Security Group.
(from https://cdt.org/issue/privacy-data/vpns/) (archive)
(bold emphasis added by me)
Given the trust issues that affect VPNs, one would think that an unbiased audit by a reputable third-party firm is an affirmative action that a VPN would want to perform. Yet audits in the VPN industry have been few and far between. In late 2019 I could find only six VPNs that had audits conducted: TunnelBear, Mullvad, NordVPN, VyprVPN, Hotspot Shield VPN and Confirmed VPN. (The latter seems to be a brand-new VPN service that I found when searching for audited VPNs. Confirmed VPN appears to be based in the US. My investigation of it raised several other red flags, so in my opinion Confirmed VPN is a “no go” and I will not discuss it any further.)
TunnelBear announced they had completed a “2nd Annual Independent Security Audit.” (They had announced the “Industry-First Consumer VPN Public Security Audit” on 08/07/2017.)
• Read the second audit report at https://cure53.de/summary-report_tunnelbear_2018.pdf (dated 10/21/2018).
Hotspot Shield VPN announced that an “Independent study calls Hotspot Shield the fastest, most secure VPN technology.”
• Read the audit report at https://www.av-test.org/fileadmin/pdf/reports/AV-TEST_VPN_Comparative_Test_Report_June_2018_EN.pdf (dated 06/15/2018).
Mullvad announced the release of “the final report of the external security audit on our VPN app.”
• Read the audit report at https://cure53.de/pentest-report_mullvad_v2.pdf (dated 09/20/2018).
VyprVPN announced they were “the world’s first publicly audited no log VPN service” and linked a “Privacy Audit.”
• Read the audit report at https://www.vyprvpn.com/audit.pdf (dated 11/09/2018).
NordVPN announced “an industry-first audit of its no-logs policy” and “an industry-first step towards transparency.” (dated 11/22/2018)
• Surprisingly, the public cannot read the report! NordVPN states “We cannot publish it or quote it.”
Oops! Look at those last two announcements. VyprVPN claims “world’s first” and NordVPN claims “industry-first.” These claims would seem to be contradictory and are also false. The first VPN audit was done more than a year before the audits of VyprVPN and NordVPN, and it was done by TunnelBear.
Also, NordVPN has the audacity to proclaim their audit is “an industry-first step towards transparency” yet the report is completely hidden from the public! (Supposedly NordVPN subscribers can read the report online but are barred from releasing info about it by a non-disclosure agreement.) Well, despite NordVPN's claim of transparency, it seems to me that NordVPN is about as non-transparent as you can get! (Recall that, as noted in one of my previous articles, NordVPN does not disclose the identities of its top management officers, unlike scores of other VPN services that release this information.)
For most of us, a VPN service is an entity which is unfamiliar to us. Although many VPNs are fairly easy to implement on your Internet-connected devices, problems or questions regarding their use may arise. Hence, the customer support that a VPN service offers can be critical in helping you to protect your Internet security and privacy.
The website of a VPN should provide support services. A comprehensive “FAQ” about the VPN, articles about basic set-up for various devices and situations, tutorials about getting the most out of the VPN in different scenarios, etc. should be a part of every VPN’s website. You should browse around the site of a VPN that you are considering using to confirm that these sorts of “do-it-yourself” support resources are present.
For support issues that can’t be solved by browsing the website, does the VPN service offer live chat support? Is it an encrypted chat session? How about email? Again, is there an option to send encrypted email? (Don’t scoff about encrypted support communications. Remember a VPN should make your security and privacy paramount.)
The speed of downloads and uploads when connected via a VPN will be at least somewhat slower than when you are accessing the Internet without an intervening VPN. Several factors influence data throughput via a VPN:
• VPN Server Location - Instead of being connected to the Internet via what is likely a local server at your ISP’s local or regional data center, your VPN connection is through the local ISP and then through a remote server of the VPN. That server may be located as close as the nearest major city or it could be on the other side of the world. The further the VPN server is from your current location the slower the connection speed will be.
• VPN Server Load - VPNs do not have an unlimited number of servers to which you can connect. Many other users of your VPN service will be connecting to a particular server of the VPN simultaneously with you. If the server becomes overloaded with too many simultaneous connections, your connection speed will decrease.
• VPN Protocol Overhead - There are a few different encryption protocols that a VPN can use and also there may be different levels of encryption security within a protocol. The higher the strength of the encryption the more time it will take to encrypt the data. This encryption overhead affects the speed of the overall VPN connection. However, encryption overhead is no longer a large factor affecting VPN speed because computers are now fast enough that strong encryption only results in a slight loss in data throughput speed.
• VPN Bandwidth Restrictions - Some VPN services will actually cap their users’ connection speed to a certain level. A VPN with no bandwidth capping is obviously to be preferred.
VPN review sites will usually include an assessment of the speed of a VPN within the review. When reading these reviews be certain to remember that most review sites receive kickbacks from VPNs in the form of commissions for customer referrals. Speed test results may be skewed just as other components of the review may be biased when the reviewer is compensated through the affiliate program of a VPN company.
Despite this potential for bias, the ongoing VPN speed test results listed at https://www.top10vpn.com/best-vpn/fastest-vpn/ and https://www.top10vpn.com/vpn-speed-test/ may be useful. The results might be used as a starting point in assessing the potential speeds that you may experience when using some VPN services.
Privacy with respect to the VPN itself
You use a VPN service to protect the security and privacy of your data communication on the Internet, but the status of your privacy with the VPN matters too. VPN services differ greatly in regard to what identifying information about you they request for registration, payment and use of the service.
For registration, most VPNs require an email address, but some may additionally require a physical location address, a phone number, etc. A very few VPNs do not request any personal information for registration. E.g., one VPN service well-known for its privacy merely assigns a user a random 16-digit number during the registration process. Thereafter, that number serves as the user-id for the payment process and use of the VPN service. No identifying information is requested of the user.
Payment anonymity/privacy also varies between VPN services. According to the “Detailed VPN Comparison Chart” at VPN Comparison by That One Privacy Guy, there are just 5 VPNs (of the 185 VPNs on the chart) that optionally accept cash payments. (Cash is perhaps the “ultimate” anonymous payment method.) There are another 5 VPNs (different from the 5 “cash” VPNs) that optionally accept relatively anonymous gift cards for payment. Many VPNs accept “crypto-currency” payments, which, with a bit of effort, can be anonymized.
Relative to using the VPN service once you have registered and paid for it, refer to the previous article in this series about logging practices of VPNs.
Finally, make note of how many “cookies” and “trackers” a VPN employs on its website. Refer again to the “Detailed VPN Comparison Chart” at VPN Comparison by That One Privacy Guy. There is actually a VPN service that uses 43 cookies and 17 trackers when you access their website! Is this a signal of a trustworthy VPN? In my opinion, the fewer website cookies and trackers the better.
It costs a company a fair amount of money to provide a quality security/privacy oriented VPN service. You will have to pay for that quality. All “free” VPN services are, in some (possibly nefarious) way, making money from your use of that service. They likely monetize your use by compromising your privacy, so avoid them!
Take note of how a VPN service markets itself on its own website. E.g., my trust in a certain popular VPN is significantly adversely affected when, each and every time I visit their website, an animated count-down graphic appears that implies that I have “00 days : 09 hours : 38 minutes : 20 seconds” to take advantage of their $2.99 a month pricing! Yet later that same day the exact same timer appears. This marketing trickery does not signal trustworthiness.
Trust is also not instilled when I see a VPN quote a relatively high one-month subscription price of $12 per month that drops to just $7 per month for a one-year plan and $3 per month for a 3-year plan (a “savings” of 75%)! Artificially inflating the base one-month price is not a marketing tactic that signals trustworthiness and honesty.
Prices vary, and we all want a “good deal,” but I would recommend that you don’t get “hung-up” over a savings of $25 over the course of a full year. After all, that’s only $2 a month. Consider the cost of a VPN but do not let the fee be an overriding factor when you entrust a VPN with your Internet security and privacy.
Most VPNs will offer a time-limited free trial. Some will require that you register fully with them (including providing payment information) to qualify for the free trial but other VPNs do not require full registration to take advantage of the trial offer. This latter situation is to be preferred.
Access to services
How easily and quickly a VPN user can access and use the encrypted tunnel to the Internet that the VPN provides is important. There are several factors affecting access:
Number of Servers
• The actual number of servers a VPN provides is less important than the customer-to-server ratio. E.g., a VPN with 500 servers and 500,000 customers (with a ratio of 1 server per 1000 customers) may well provide slower speeds due to congested servers as compared to a VPN with 100 servers but only 50,000 customers (with a ratio of 1 server per 500 customers).
• In order to provide adequate secrecy and privacy a VPN must have server locations in a variety of countries. (In many circumstances a VPN user needs to “appear” as if Internet access is from a different geolocation than the location in which the user is actually using an Internet connected device.) Having server locations in every single country on earth is not necessary, but certainly a VPN should have servers in multiple countries. Furthermore, there should be at least some servers located in non “5-9-14 Eyes” countries.
Simultaneous concurrent connections
• A VPN customer will often only be actively accessing the Internet from one device at a time. However, it would not be uncommon for one to want to have multiple devices configured to use the VPN that are readily available immediately, i.e. without having to turn the VPN back “on” for that device. Thus, it is very advantageous to have a VPN service that allows multiple VPN connections at the same time.
There are many VPNs that only allow one connection to their service at a time. For me, this restriction would be utterly inadequate, based on how I use my Internet-connected devices. I regularly use a desktop computer, a portable computer, an iPad and an iPhone. At least three of these are used every day with the VPN enabled on each device. Hence, my personal use would require the VPN service to allow at least three or four simultaneous connections. Under such a policy, I would not have to worry about my other devices using the VPN in the background while I am actively connected to the Internet via the VPN on the device currently at hand.
So, as a rule of thumb, calculate how many devices you have that will use a VPN, add 1 to that number (to provide a buffer) and find a VPN service that allows at least that many total simultaneous connections. (You should be able to find the policy regarding simultaneous connections on the VPN’s website.)
Does the VPN throttle connections, limit bandwidth, or restrict services?
Avoid VPNs that impose bandwidth restrictions unless the bandwidth restrictions are clearly very high and intended only to allow the provider to police people abusing the service.
Finally, read the fine print to see if they restrict any protocols or services you wish to use the service for. If you want to use the service for file sharing, read the fine print to ensure your file sharing service isn’t blocked.
Some VPNs will purposely slow your connection speed, limit the total amount of data that you send and receive in a given period of time, or disallow access to certain Internet services such as peer-to-peer file sharing or connection to email servers. Be sure to “read the fine print” on the website of the VPN service under consideration to be certain that the VPN will meet your needs and expectations.
Some of these “other” factors in choosing a VPN can easily be evaluated, like its fee structure. Other factors are more difficult to ascertain and will require some time and effort on your part to obtain adequate information. As noted previously, a very useful reference of unbiased information about VPNs is the “Detailed VPN Comparison Chart” at VPN Comparison by That One Privacy Guy. I strongly recommend you peruse it.
In the next article of this “Choosing a Trustworthy VPN” series, titled “Defining Your Threat Model”, we’ll examine what level of security and privacy you may need your VPN to provide for your use of the Internet.