PC Pro

VPN: which one can you trust?

VPN providers make great promises to protect and secure your connection. But can they be trusted? We investigate just how trustworthy and reliable VPN providers are and then review eight different services that meet specific needs.

CONTRIBUTORS: Stuart Andrews, Barry Collins and Darien Graham-Smith

VPN providers may promise to protect your connection, but can they actually be trusted? We investigate, before reviewing eight services that meet different needs.

There’s a multitude of reasons why you might want to use a VPN – and not just to cop a sneaky look at Netflix’s US catalogue. You might want to throw ad trackers off the scent or reduce the risk of snooping when using a public Wi-Fi hotspot. You might have reasons for wanting to mask your identity (not necessarily criminal, of course) or to dodge traffic management by your ISP. You might just resent the idea that every site you visit, every download you make, every photo you look at is logged on an ISP’s servers, accessible by heaven knows who.

But how do you know the VPN provider is any better? Can you be sure that your VPN is keeping your identity safe? Does it keep logs or records of its own? And is it subject to the same law enforcement requests as your ISP? In short, can you trust a VPN?

HOW DOES A VPN WORK?

To be clear, we’re going to be talking about public VPN services – the kind that you can buy and install on your PC, phone or tablet – rather than a VPN your business might operate to tunnel into the company’s servers, although many of the principles will be the same.

Typically, when you connect to the internet without a VPN, all your traffic passes through your broadband provider’s servers, allowing it to log and potentially see everything you do online. Remember that under the UK’s Investigatory Powers Bill, ISPs and phone companies are now obliged to store records of websites visited by every customer for a year, which can be accessed by the police or security services on production of a warrant. Companies such as BT even handed over customers’ data to police without a warrant.

The VPN effectively makes the data collected by your ISP useless. It redirects your internet traffic to a remote server – potentially outside of the country or even the continent you’re in. Your device will be assigned an IP address on the remote server, so when you make a request to a service such as Netflix or BBC iPlayer, it looks like you’re in the country the server is hosted from, not the location of your computer.

All the data sent and received is encrypted, using a variety of protocols. All your ISP (or anyone inspecting the data) can see is that you accessed the VPN, not the sites you visited. Eavesdropping is futile. At least, that’s the theory.

WHAT THE VPN PROVIDER SEES

In some ways, you’re just transferring the problem from one organisation to another. Instead of routing traffic through your ISP’s servers, you’re routing it through the VPN company’s – and those servers might be in the US, Russia, Panama or practically anywhere. Most of the VPNs we’ve reviewed in this feature have dozens or hundreds of servers dotted around the globe. What makes them any more secure or inscrutable than, say, BT’s or Virgin’s?

“You’re right to assume that it’s next to impossible to test whether your VPN is being shady or not, or to confirm that they are not recording your activity,” said independent security expert Graham Cluley.

Many of the VPN providers will, therefore, publicly declare whether they do or don’t retain logs on their users. Our choice of best overall VPN, NordVPN, states on its website that “we do not keep logs. If someone asks us about you, we have nothing to share.”

Hotspot Shield, which offers both free and paid-for versions of its service, declares that it does monitor which websites are visited by its users, but that it will “collect only anonymous, aggregate data”. The firm insists it does “not attribute any specific website visits or app usage to any specific user”.

Is there any independent or technical means to test such claims? Not really. You have to take their word for it.

THE LONG ARM OF THE LAW

It’s fair to assume that it’s not in the interest of the VPN provider to go poking around your data. If it were caught logging customers’ web activity, for example, the reputational damage would likely be catastrophic. The same can’t be said of law enforcement, who would very much like to see the data being passed across these servers. And, in this regard, it’s important to check under which jurisdiction your VPN provider resides.

“Generally, I recommend that users purchase their VPN rather than use a free one (as they then have a vested interest in keeping you happy) and that the VPN is based in a country with tight privacy laws that is unlikely to bend over backwards if, say, the US authorities come knocking,” said Graham Cluley.

How far do the US’s tentacles reach? Or the UK’s, for that matter? Well, now we need to start counting the eyes.

The so-called Five Eyes countries are part of the “UKUSA” agreement on intelligence sharing. You’ll get no sticky bun for guessing who two of the members are, and they’re joined by Australia, Canada and New Zealand. These countries share data via the highly secretive “STONEGHOST” network; Edward Snowden alleged that the five circumvent laws preventing spying on their own citizens by asking another member country to spy on them on their behalf. It’s probably safe to assume that if a server resides in one of those five countries, it could potentially be accessed by the others.

The Nine Eyes network adds Denmark, France, the Netherlands and Norway. This is a looser collaboration, but involves intelligence co-operation and data sharing.

Then there’s the Fourteen Eyes Network, which includes the previous nine and Germany, Belgium, Italy, Sweden and Spain. This group – known as SIGINT Seniors Europe (SSEUR) – is concerned with military intelligence, so less likely to be swapping citizens’ surfing habits.

That said, groups such as privacytools.io warn against using a VPN based in the Fourteen Eyes and especially the US, because of the way the security services operate. “Services based in the United States are not recommended because of the country’s surveillance programs, use of National Security Letters (NSLs) and accompanying gag orders, which forbid the recipient from talking about the request,” the privacy group’s website states. “This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.”

This is why you’ll find many of the VPN providers based outside of the Fourteen Eyes nations. NordVPN is based in Panama, My Private Network is in Hong Kong, others are in the Seychelles, Hungary, the Czech Republic and other safe havens. Cluley recommends the table at pcpro.link/290chart to discover where a VPN provider is based, whether it’s part of the Fourteen Eyes and whether it’s logging DNS requests, web traffic and more.

That said, all the major VPN providers will have servers in the US, the UK and other nations on the Fourteen Eyes list. If your traffic is going through a server hosted in the US, it doesn’t matter where the host has its headquarters. “Where that [server] is physically located could have an impact from a legal point of view,” said David Emm, principal security researcher at Kaspersky Lab.

However, you can mitigate the risk. You could choose specific servers that are hosted outside of the Fourteen Eyes nations, for example, or choose a provider that isn’t storing the type of data that would be of use to security services in the first place. “It’s really important to find out what kind of logging they do,” said Emm. “If all they are logging is stuff they need in terms of managing bandwidth usage, then what they’re holding anyway isn’t something you’re going to be worried about them handing over. If on the other hand they’re logging traffic and IP addresses, if they were required to hand that over to a legal authority, that is something you might be worried about.”

LOOKING FOR LEAKS

No VPN will guarantee absolute anonymity, though. As the terms and conditions often state: if you’re looking to mask illegal activity and think you’re untraceable, think again.

Still, VPNs are partly designed to throw snoopers off the trail, to at least make it much more difficult for websites, advertisers, employers, governments or whoever to keep tabs on you. They’re not infallible, however.

The doileak.com website is an excellent resource that shows the data that’s capable of being harvested on your connection. It uncovers your IP address, the source of your DNS requests, and whether there are any HTTP request leaks that might inadvertently give you away. If you’re using a VPN, the service normally detects as much, giving you a thumbs up that you’re unlikely to be easily traceable.

The Opera browser’s VPN (see p31) is more worrying. Doileak.com reported that DNS requests could be leaking when we had the browser’s VPN mode switched on. And despite setting the VPN to use servers in the Americas, the site reported that “the time zone of your browser settings and the time zone of your request IP location match” – which may explain why it failed to hoodwink Netflix.
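The time-zone comparison described above can be reproduced in a few lines. This is an added example, not code from doileak.com or Opera; the function names, zone names and sample values are constructed, and the IP-derived zone is assumed to come from a geolocation lookup on the server side.

```javascript
// Added example. Zone names and sample values below are constructed.
// In a browser, the first zone comes from:
//   Intl.DateTimeFormat().resolvedOptions().timeZone
// The IP-derived zone is assumed to come from a geolocation lookup.

// UTC offset, in minutes, of an IANA time zone at a given instant.
function utcOffsetMinutes(timeZone, date) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hourCycle: 'h23',
    year: 'numeric', month: 'numeric', day: 'numeric',
    hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(date);
  const f = {};
  for (const p of parts) {
    if (p.type !== 'literal') f[p.type] = Number(p.value);
  }
  // Rebuild the zone's wall-clock time as if it were UTC, then take the difference.
  const wallAsUtc = Date.UTC(f.year, f.month - 1, f.day, f.hour % 24, f.minute, f.second);
  return Math.round((wallAsUtc - date.getTime()) / 60000);
}

// Compare the browser's zone, the exit IP's zone and the region picked in the VPN.
// Offsets are a coarse signal: two different countries can share one offset.
function assessExit({ browserZone, ipZone, selectedZone }, date) {
  const browser = utcOffsetMinutes(browserZone, date);
  const ip = utcOffsetMinutes(ipZone, date);
  const selected = utcOffsetMinutes(selectedZone, date);
  const findings = [];
  if (ip !== selected) {
    findings.push('exit IP is not in the region selected in the VPN');
  }
  if (browser !== ip) {
    findings.push('browser clock disagrees with exit IP: a site can infer a VPN or proxy');
  }
  return { browser, ip, selected, findings };
}

const when = new Date('2019-01-15T12:00:00Z'); // fixed instant so results are repeatable

// Constructed case 1: "Americas" selected, but the exit IP geolocates to the user's own zone.
const exitNotMoved = assessExit(
  { browserZone: 'Europe/London', ipZone: 'Europe/London', selectedZone: 'America/New_York' }, when);

// Constructed case 2: the exit really is in the selected region, so the browser clock stands out.
const exitMoved = assessExit(
  { browserZone: 'Europe/London', ipZone: 'America/New_York', selectedZone: 'America/New_York' }, when);

console.log(exitNotMoved.findings, exitMoved.findings);
```

Case 1 mirrors the message quoted above: the browser and the exit IP agree, which means the exit is not where the VPN setting says it should be.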

Ensuring that your PC doesn’t fall back on your regular connection if the VPN fails is another key requirement of anyone who’s going to great lengths to secure their connection. The more advanced VPN providers offer a “kill switch”. If your VPN connection drops, it kills the internet connection, ensuring you’re not inadvertently leaving a trail. “If you have VPN loaded and for some reason it fails, what you don’t want is a situation where it falls over to standard access,” said Emm. “If my VPN fails, I want the connection to drop, because I don’t want anything I’m doing to be visible to a third-party connection.”

Even if your VPN provider advertises a kill switch, don’t assume it’s switched on automatically. Some need to have the feature switched on in settings, so fiddle around in the settings menu before you first use the software. As with all things VPN, it pays to be paranoid.

ABOVE Keep in mind that certain servers don’t offer a “kill switch” for when your VPN connection drops
