Trustworthiness of VPNs

Introduction

In my previous article “Can You Trust VPN Review Sites?” I stated that, after some investigation, I came to the conclusion that, in general, VPN review websites should not be considered credible and trustworthy.

So, if you can’t trust the VPN review sites, can you at least trust the VPN service company itself? After all, that’s what really matters: trusting the VPN to keep your internet usage (metadata) and transmitted/received information (data) private.

Let’s again start with a few quotes from sources that I have come to respect (to at least some degree):

There are hundreds of VPN providers out there, and with growing concerns about online privacy—including ISPs potentially selling your browsing data to advertisers… — competition is fierce and often quite nasty… Because I’ve seen so many dubious and downright misleading claims out there, I caution you to be extremely circumspect when choosing a provider.

(from Kissell, Joe. Take Control of Your Online Privacy, Fourth Edition. TidBITS Publishing Inc., 2019)

Unfortunately, I’ve found that many VPNs are misleading people with false marketing claims, sales gimmicks, and various scams. And because VPNs are often located in overseas jurisdictions, they will probably never be held accountable for dishonest marketing and/or outright fraud.

(from https://restoreprivacy.com/vpn-scams/

This final quote is lengthy, but it should be read carefully.

Regardless of why you need a VPN, you want to know that the service you choose is trustworthy and will not compromise your data.
…
Just like a lawyer represents your legal interests, a VPN service represents your privacy interests. If a lawyer does something to violate your trust or is not honest about an aspect of their representation that could affect you, you would – rightly – fire them. VPN services are the same. Many are less-than-honest or trustworthy, are not worth your time or money. However, unlike a lawyer, a VPN can be put together and promoted by anyone with access to a computer. You never see who’s behind the brand, and have to find other ways to work out if you can trust them.

If you need a VPN for privacy purposes, you already believe you cannot trust certain parties. Those parties might be companies whose websites you visit, or maybe even an oppressive government whose mass surveillance is encroaching on your rights. If you are in a position where you must rely on someone else for protection, the last thing you need is one more party you can’t trust.

Choosing who to trust is an important decision, and not all VPN services deserve that trust. You’re trusting them to be able to operate a competent service that will protect your privacy. You’re trusting them to be responsive to new technical and geopolitical threats to their operation. You’re trusting them to be honest with you in the way they do business so that when you are shopping and comparing, you are getting accurate information.

(from “Choosing a VPN”) (archived)
(bold emphasis added by me)

Thus, just as some sources warned that VPN review sites should not be implicitly trusted, we now see warnings about trusting VPN companies.

Evaluating the trustworthiness of a VPN company

So, how can one evaluate the trustworthiness of a VPN provider company?

To do this definitively can be rather difficult. A potential user of a VPN service can’t prove that a VPN is truly completely trustworthy. However, we can discover bits and pieces of evidence that prove or at least imply that a VPN might be untrustworthy, and if a VPN is untrustworthy, then it obviously can’t be trustworthy.

Thus, a potential user of VPN services can at least narrow down the list of VPN companies that are under consideration by eliminating those companies that show signs of untrustworthiness.

Let’s focus for a moment on a limited aspect of VPN companies: their marketing behavior and ethics. Recall the final sentence of the third above-quoted source: “You’re trusting them to be honest with you in the way they do business so that when you are shopping and comparing, you are getting accurate information.”

Lack of honesty by VPNs with their affiliates

As an addendum of sorts to my earlier article, let’s start with the relationship that a VPN company has with its affiliates. Recall from the previous article that a VPN affiliate is a VPN review website that receives a “commission” from a VPN company when a customer ends up subscribing to the VPN upon having been referred by the “affiliate.”

A VPN company markets itself to you, the potential subscriber of the VPN service, but a VPN company also markets itself to potential affiliates. Here are a few snippets of such marketing by VPNs to affiliates, as copied from the VPN’s web pages for affiliates:

• Ivacy VPN
  “Get the best commission rates in the market by promoting the most advanced VPN service.”
  
  
• ExpressVPN
  “We pay the best commissions in the industry. Our commission structure is flexible: The more sales you drive, the more we pay.”
  
  
• Cyberghost
  “The most competitive earnings in the industry – up to 100% in commissions”
  
  
• IPVanish
  “… the exclusive platform used to bring IPVanish affiliates the best VPN commission rates in the industry.”

(bold emphasis added by me)

Hmm, I thought there could only be one “best!” Yet here we supposedly have four “bests.” So, at least three (and perhaps all four) of the above VPNs would seem to be lying to their potential affiliates.

If a VPN lies to its potential affiliates, they may also be dishonest with their potential customers, i.e. you and me.

Untrustworthy VPNs don’t bother to “police” their affiliates

Let’s look further into the relationship between VPNs and their affiliates. The US Federal Trade Commission (FTC), in its Endorsement Guidelines, states that an affiliate should disclose their relationship with the retailer clearly and conspicuously on their website.

In my opinion, if a VPN does not require its affiliates to make this disclosure, the VPN is implicitly condoning dishonesty by their affiliates.

How many VPN companies that have affiliate programs require that affiliates follow this guideline and provide full disclosure?

The mind-numbing task of compiling that information has been performed and provided by an anonymous individual known as “That One Privacy Guy.” In his “Detailed VPN Comparison Chart,” the dataset of January 2019 compiled information about nearly 200 VPNs. Of those VPNs, 112 were listed as having affiliate/reseller programs. Only seven VPN services out of 112 required that their affiliate/reseller provide full disclosure of the VPN to affiliate relationship as per the FTC Endorsement Guidelines!

The seven “good guy” VPNs that had affiliate programs and “passed” this test (i.e., they required full closure by their affiliates) were:

👍 👍
• BolehVPN
• Private Internet Access
• SaferVPN
• Trust.Zone
• TunnelBear
• Windscribe
• ZoogVPN

Following are a few well-known VPNs of the 105 VPNs that, according to the list, did not require full disclosure by their affiliates:

👎 👎
• CyberGhost
• ExpressVPN
• HideMyAss!
• IPVanish
• NordVPN
• PerfectPrivacy
• PrivateVPN

In my opinion, VPNs that do not require full disclosure by their affiliates should be considered to be untrustworthy.

Security breaches

Although we have thus far concentrated on the issue of dishonest business practices between VPN services and their affiliates, a more blatant sign of an untrustworthy VPN comes to our attention when a VPN service has a security breach and deals with the breach inappropriately.

One would reasonably expect that a VPN service would consider a security breach to be a potential disaster of the highest order and the mitigation of such a breach would be attended to “immediately, if not sooner,” commanding the foremost attention of the company’s technical staff with unparalleled urgency. Anything less than a fully committed response by a VPN service when dealing with a security breach must surely be a sign of untrustworthiness of that VPN.

In October 2019, NordVPN finally admitted to a security breach that began more than a year and a half prior to that admission. NordVPN claimed to have known about the breach for “a few months.” (Two other VPN services, TorGuard and VikingVPN, may have also been breached at about the same time, but we’ll just focus on the NordVPN situation.)

As you may recall, as noted in my first article of this series, NordVPN is a service that pays its affiliates quite handsomely for customer referrals, is (perhaps consequently) highly rated by biased VPN review sites, and controls a significant portion of the VPN market for individuals.

The NordVPN security breach was initially reported on October 21, 2019:

NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.
…
NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

A senior security researcher we spoke to who reviewed the statement and other evidence of the breach, but asked not to be named as they work for a company that requires authorization to speak to the press, called these findings “troubling.”

“While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems,” the security researcher said. “That should be deeply concerning to anyone who uses or promotes these particular services.”
…
“They spent millions on ads, but apparently nothing on effective defensive security,” the researcher said.

(from https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/)
(bold emphasis added by me)

Breach happened 19 months ago. Popular VPN service is only disclosing it now.

Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base.

(from https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/)

VPN security experts commented on the situation:

… this incident and NordVPN’s handling of it raises some serious questions about information security policies and standards at NordVPN.

(from Tweet on Oct. 21, 2019 by Will Stafach, founder/CEO of a company that produces a firewall app for iOS)
(bold emphasis added by me)

… based on the dumped pastebins, the Nord VPN not-a-hacker had full remote admin on their Finland node LXC containers. That's God Mode folks. And they didn't log and didn't detect it. I'd treat all their claims with great skepticism.

(from Tweet on Oct. 21, 2019 by Kenn White, a co-director of the Open Crypto Audit Project)(archived)
(bold emphasis added by me)

The breach happened nineteen months ago, but the company is only just disclosing it to the public. We don’t know exactly what was stolen and how it affects VPN security. More details are needed.

VPNs are a shadowy world. We use them to protect our Internet traffic when we're on a network we don't trust, but we're forced to trust the VPN instead. Recommendations are hard. NordVPN's website says that the company is based in Panama. Do we have any reason to trust it (NordVPN) at all?

(from NordVPN Breached in a blog by Bruce Schneier, an internationally renowned security technologist)
(bold emphasis and parentheses added by me)

After reviewing these reports, I have come to the conclusion that NordVPN is a VPN service provider that is not trustworthy.

Trackers and Cookies on VPN websites

Many VPN services claim to provide internet privacy to their customers.

The VPNs use phrases such as:

• “keeps your online identity and activities safe”
• “online protection and anonymity”
• “keep your personal info safe”
• “grants you online anonymity”
• “surf the web truly incognito”
• “your online activity cannot be linked to you”

(all of the above claims are from the Bitdefender Premium VPN home page)
(Bitdefender VPN’s abysmal tracker/cookie testing results are noted below.)

Given these supposed concerns for the privacy of their customers, one would think that VPN websites would strive to avoid the use of web browser “trackers” and “cookies” on their own web pages.

To test for trackers and cookies on VPN websites, I visited the main web page of the 50 VPN services listed in the “VPN Comparison Table.” This table is a recently compiled and seemingly unbiased attempt to assess VPNs for desirable characteristics, resulting in a ranking of the VPNs. (See the post about this table on the reddit.com r/VPN community.)

I compiled the number of trackers and cookies that were used by each VPN website that I visited. To see my methodology and complete results of my testing of VPN web pages, please see the “Trackers and cookies on VPN websites” section of the “VPN Series Appendices” page.

Results of cookie and tracker testing

Of the 50 VPN websites that I tested, only three websites used no trackers and no cookies:

• Cryptostorm
• Mullvad
• VPN.ac

An additional nine websites showed no trackers but did save cookies on the computer:

• Adguard VPN
• AirVPN
• AzireVPN
• Hideme VPN
• IVPN
• ProtonVPN
• Torguard
• Trust.Zone
• Windscribe

Many other VPNs had extremely disturbing results when tested, raising grave concerns about their trustworthiness:

Examples of VPNs with severely problematic tracker and cookie usage

Note: “Red” trackers are considered to have the highest threat level and to have no functionality other than tracking your web browsing.

• Bitdefender VPN had the most “red” trackers with 17 high-risk trackers reported by Privacy Badger
  
  
• Surfshark VPN was the next worst for tracking with 10 privacy-invading “red” trackers
  
  
• Norton Secure VPN had 32 trackers that invoked blocking by Safari
  
  
• Cyberghost VPN was found to create 18 persistent browser cookies in Firefox
  
  
• Private Internet Access generated 15 persistent cookies
  
  
• NordVPN testing revealed 5 “red” trackers in addition to 15 persistent cookies
  
  
• ExpressVPN had 7 “red” trackers and 7 persistent cookies

Conclusion of tracker and cookie testing

My testing of the websites of 50 VPN services resulted in a disturbing determination: Most home pages of VPN websites actually use anti-privacy surveillance technology! Only three of the 50 VPN websites did not use any privacy-compromising trackers or cookies.

I have produced a color-coded table of the full results of my tracker and cookie testing of the 50 VPN services. Please see the “Trackers and cookies on VPN websites” section of the “VPN Series Appendices” page to view that table.

Summary

We’ve found that the honesty and ethics of the relationship between a VPN and its affiliates can provide information about the trustworthiness of a VPN company.

Also, we’ve presented a disturbing example of how the trustworthiness of a well-known VPN service has been called into question as a result of the manner in which the VPN service handled a recent security breach.

Finally, we’ve demonstrated that most VPN websites utilize privacy-invading trackers and cookies. This surveillance employed by these VPNs raises severe concerns about their trustworthiness.

In the next article in this series, titled “Signals of Trustworthy VPNs,” we’ll examine more indicators of trustworthy VPNs.