Summary of How to Choose a VPN
First published: May 2019. Latest revision: April 2021.
We are nearing the end of the series of articles elucidating my quest to find a trustworthy VPN service to help protect my Internet privacy and security. It’s time to summarize the issues that I have raised. I am going to present these considerations starting with the most important factors influencing my personal choice of a VPN and continuing on through those factors that are less important to me.
I would emphasize that this is my personal ordered list. Based on what I have written about thus far, I would hope that you will at least understand the logic of how I rank these factors, Nevertheless, you may well disagree with my ranking, and that’s fine, though I hope that you disagree for logical and objective reasons. I urge you to evaluate your own position with due diligence, else you may come to regret your ill-considered VPN choice should your privacy and security become compromised.
First consider your threat model
Almost everybody has at least some desire for privacy. We need to realize that as long as we use the Internet in any manner, shape or form, we and our data are threatened.
(However, if you have no concerns whatsoever about your Internet privacy and security you can stop reading here. Just keep using the Internet as before.)
There are nine “Example Threat Models” listed in the excellent article “Will a VPN Protect Me? Defining Your Threat Model”. The example threat models, ranging from minimal to grandiose are:
- Protecting Against Hackers on Public WiFi Hotspots.
- Protecting Against Monitoring and Logging by ISPs.
- Hiding Location and Identity from Websites.
- Hiding True Name from a Correspondent.
- Being Anonymous Online and Hiding Online Activity from Ones National Government.
- Evading Censorship by Ones National Government.
- Being Anonymous Online, Evading Censorship, and Hiding Online Activity from Ones National Government.
- Being Anonymous Online Against All Adversaries (But Not Targeted).
- Being Anonymous Online Against All Adversaries While Targeted for Specific Observation.
Reading through the descriptions of these threat models, I feel that my requirements for my Internet privacy and security include the first four levels and part of level five. At this level of threat, my privacy and security can mostly be protected by my use of a trustworthy VPN that provides services that are normally expected of a VPN (and some common sense).
Ranking of criteria for a VPN
Based on the threat model that has been ascertained, one should next list the criteria that a VPN must meet to assure the Internet security and privacy the threat model requires, and then add in criteria that, though not requisite, would be a bonus to have.
The criteria on my personal list, ranked in decreasing order of importance, are:
- Encryption and Other Technical Concerns
- Access to Services
- Customer Support
- Proactive Planning for the Future
Given my threat model, the most important criterion for a VPN is that it be trustworthy. If I can trust that a VPN truly has the protection of my Internet privacy and security as a primary goal, then I can be somewhat forgiving relative to other criteria that the VPN does not quite completely fulfill.
It can be difficult to ascertain whether a VPN is trustworthy or not. However, in my opinion, there are several signs that can provide hints as to the trustworthiness or untrustworthiness of a VPN service.
Are there any signs of deception on the VPN’s website?
The website of a VPN is its public face. Careful perusal can reveal if that “face” is deceptive or not:
- Do you see claims of 100% anonymity (No VPN can legitimately guarantee absolute privacy.)
- Are there other overzealous claims on the website? (SaferVPN, NordVPN, IPVanish, PureVPN all claim they are the “fastest.”)
- Is there a “hard-sell” mentality on the website with pop-ups and misleading “discount” pricing? (“This discount is only good for the next 9 hr 39 min” (or whatever) as the pop-ups repeatedly exclaim on NordVPN, HideMyAss, Surfshark and some other VPN websites.)
- Is there a status listing (usually at the top of the web page) showing your IP address and warning you that you are “unprotected” just because you aren’t running their VPN? (This “scare” tactic that can be seen on NordVPN, PIA, CyberGhost, GooseVPN and many others.)
- Does the website fail to identify the principal officers and owners of the company or try to hide that information? (NordVPN)
Does the VPN set standards of honesty for its affiliates and does it enforce those standards?
Most VPN services have an “affiliate” program. On the VPN’s website one can read about how a VPN deals with its affiliates. View some VPN “review” websites to see if they follow the VPN’s affiliate guidelines.
- Are there any signs of deception or dishonesty by the affiliates of the VPN? (Does the VPN review website post a notice that they are compensated for referrals to particular VPNs?)
- Is the VPN exerting control over affiliates or does the VPN simply ignore the malfeasance of affiliates?
- Consider avoiding this issue by only considering VPNs that do not have affiliate programs (e.g. IVPN, Mullvad)
A final contributing factor to trustworthiness is the length of time a VPN has been providing services. Even if a VPN seems to otherwise qualify as trustworthy, if it has not been in the business for at least a couple of years I would have difficulty trusting it, given its “newbie” status.
A chart of trustworthiness
To avoid the time-consuming work of perusing a multitude of VPN websites for hints of untrustworthiness, I’ve found the “Detailed VPN Comparison Chart” at VPN Comparison by That One Privacy Guy to be extremely valuable. If you look at the far right side of the chart, there are three sections that reveal information about the trustworthiness of a VPN: “Ethics,” “Policies” and “Affiliates.” The eight categories within these sections, if red-flagged, indicate an untrustworthy VPN.
If a VPN is to provide me privacy, the less it knows about me the better.
Privacy starts with the first time one visits a VPN’s website:
- Does the website set multiple persistent “cookies” in your web browser or employ “trackers” when you visit the VPN’s web pages? If so, the VPN is already compromising your privacy!
- How much information from you is needed for registration, payment and use of the VPN service? (There are VPNs that require no identifying information whatsoever to register with them. Others require only an email address, and even that can be just a “temporary” address.)
Privacy protection continues via the functionality of the VPN itself:
- Does the VPN maintain records of your use of its services? Is it keeping logs of your traffic, DNS requests, timestamps, bandwidth and IP address? The most privacy-oriented VPNs have a strict no-logs policy. (I consider a no-logging policy to be requisite.)
- Can the VPN pass privacy tests such as the prevention of DNS leaks and IPv6 leaks?
- Does the VPN run its own DNS servers or do they potentially expose your Internet use to a third party DNS server?
3. Encryption and other technical concerns
Encryption enables privacy.
- Does the VPN offer OpenVPN and/or WireGuard highly secure tunneling and encryption protocols? (Beware that PPTP (Point-to-Point Tunneling Protocol) is not secure.)
- Does the encryption employ perfect forward secrecy (PFS)?
- Is there a “kill switch” available? Is it automatically on?
- Are other options like SOCKS5 proxy, multi-hopping and split tunneling available in case you want to take advantage of them?
Where is the VPN located? A location outside of the 5-9-14 eyes surveillance countries may offer further protection but may not be a necessary criterion. For my situation, location in a 5-eyes country (Australia, Canada, New Zealand, the United Kingdom, and the United States) is unacceptable but jurisdiction under other countries could be tolerable, depending on the VPN’s logging policy.
- Best: No-eyes based jurisdiction, strict no logging policy.
- Acceptable: Non 5-eyes jurisdiction, strict no logging policy.
- Barely tolerable: Non 5-eyes jurisdiction, some very minimal logging.
- Unacceptable: Any 5-eyes jurisdiction, irrespective of logging policy.
- Worse than unacceptable: US-based or UK-based, irrespective of logging policy.
5. Access to services
Acceptable speeds and the number and location of VPN servers are moderately important to me. Also, since I use multiple devices to access the Internet, I want to have a VPN service that allows several simultaneous connections.
Using a VPN will slow down the speed of your Internet connection (as compared to not using a VPN), so one has to accept some degree of speed loss. One can’t really judge speed without actually using a VPN yourself, so to use speed as a criterion we will likely need to use third party tests. In doing so, remember to be wary of the reported results of speed tests on VPN review sites that may be influenced by the confounding factor of bias due to commissions that affiliates receive from VPNs. With that in mind, the list of the ongoing speed test results of several VPNs at https://www.top10vpn.com/best-vpn/fastest-vpn/ may be useful.
6. Customer support
Although I am by no means a VPN or networking specialist, I do have some computer-related technical background, so I don’t rank support near the top of this list. Yet, when I do need support, I expect to be able to obtain it, though I don’t require that support be available on an immediate basis. Hence, I feel that I don’t need access to real-time on-line chat support as long as the VPN website has a thorough FAQ and tutorial section and provides clear instructions for VPN set-up. For more personalized service, the availability of encrypted email support is important to retain privacy.
7. Proactive planning for the future
A VPN that is adding servers over time is probably one that is growing and will be available over the long term. Yet a VPN should be looking even further into the future. Is the VPN testing (or already implementing) technologies that may well become standards in the future? E.g, the WireGuard protocol is expected by many to become the prominent VPN security protocol in coming years. VPNs should be involved with it now, at least to some extent.
Likewise, quantum computing is at the forefront of future computing technology. When quantum computing eventually comes to fruition, the encryption protocols currently in use may well be “broken” by it. There is currently active research into “post-quantum cryptography” and VPNs should also be starting to investigate this field.
In 2019 the average cost of VPN service of the nearly 200 VPNs listed on the “Detailed VPN Comparison Chart” at VPN Comparison by That One Privacy Guy was about $6.00 per month. I would recommend that your criteria include a consideration of the cost of a VPN. However, do not let the fee be an overriding factor when you entrust a VPN with your Internet security and privacy. The spending of a few extra dollars may prove to be a wise investment.
Search for a VPN that meets your criteria
Once you have an ordered list of the criteria that are important to you in choosing a VPN, it’s time to create a list of VPNs that merit your consideration. Start with a basic list and then more fully investigate the VPNs on the list and methodically winnow out those that do not satisfy your criteria as well as others do.
The creation of an initial list of VPNs to consider for your own use can be daunting. However, one can find on the web some lists that others have compiled by others. After choosing to use such a list (or lists), by sifting through some data resources about the VPNs on the web, you should be able to produce a personalized list of a reasonable number of VPNs that may satisfy your criteria. We’ll work on that next…
In this article I’ve presented, in order of decreasing importance, the criteria that I consider to be of particular relevance when I am evaluating VPN services for their trustworthiness and their reliability to uphold my Internet privacy and security.
In the next article of this “Choosing a Trustworthy VPN” series, titled “Lists of VPNs for Your Consideration”, we’ll present some lists from external sources of VPNs to consider, and then compare, contrast and combine some of those lists. Also, we’ll review a list of VPNs to consider that I have produced, based mainly on information from a seemingly unbiased source.