
How Do I Know If My VPN Is Trustworthy?


Dear Lifehacker,
I've read about why I really should use a VPN and I've been looking into different providers, but there's one thing I'm worried about. Can't a VPN provider just look at my traffic all they want and see what I'm doing? Don't I just have to trust them not to spy on me? If that's true, how do I pick one I can trust, when they can all see what I'm doing?

Sincerely,
Watching the Watchers

Dear Watching the Watchers,
To a certain extent, you're right. You do have to trust that your VPN service provider has your best interests at heart, because you're relying on them to secure your connection, keep everything encrypted, and to protect your activity from prying eyes. You're connected to their network and their servers, and you have to trust that when they say your exit IP is in Sweden, for example, it really is and they're not just obfuscating something else. It's true—when you sign up for a VPN, you put a lot of trust in the company you sign up with.

Why Trust In Your VPN Provider Is Important

Not all VPN service providers are worth your trust. Some diligently log your connection times, dates, IP addresses, keep track of how long you're connected, and some even keep an eye on the types of traffic that you send through their networks while you're logged in. They'll tell you it's in order to make sure you're not doing anything illegal, or anything that would damage their network, but that level of snooping does kind of go against the whole purpose of a VPN, doesn't it?

The best ones keep as few logs as possible, and aren't interested in what you do while you're connected at all. Some don't even track when you're logged in or out, and even if they do have to keep some logs, they purge them periodically in order to protect your privacy. After all, the reason you pay for a VPN is for privacy and security, and if they keep their own data, they're the weak link in that chain. Here are some tips on how to research a VPN and decide whether they're a good match for you.

Ask Yourself: What Are You Using a VPN For?

Whether you have a VPN provider already or you're searching for a good one, the first thing you should ask yourself is why you want one in the first place. Now, we've made the case for why most people should have one and what types of people need a VPN, but ultimately most needs boil down to two things: Security and privacy, or some combination of the two.

If security is all you're concerned with, and you have a VPN provided to you by your school or company, you're already set. In fact, almost any VPN will cover you from the security angle, because you're only really concerned about protecting your activity from prying eyes, presumably on the same network that you're on—like a hotel, coffee shop, or airport's free Wi-Fi. Of course, you still need to make sure that your VPN provider isn't just sniffing your traffic themselves and making themselves the security issue, but we'll get to that in a moment.

If privacy is your concern, you have more to consider. Privacy-minded VPN users have to trust that their provider isn't watching what they're doing or willing to roll over and hand off their activity, logs, and personal data to whoever comes calling with a fancy-looking letter written in legalese. They also have to worry about what information the VPN provider themselves are keeping, and whether that information can be turned against them, sold to third parties, used for marketing, or just kept forever just in case someone comes calling. In either case, all it takes to either allay your fears or warn you off of a VPN provider is a little research. Here's how to go about it.

Do Your Homework

This should go without saying, but you shouldn't sign up for a VPN service without at least looking at their privacy policy and terms of service. That should go for anything you sign up for, but with VPNs it's a bit more important. With free VPN providers, you should definitely do as much research as possible. Free providers have to make money somehow, and if it's not on premium plans or usage limits, after which you have to pay, you should assume they're making their money off of your data, logging your activity, and using it for marketing purposes.

Services we've previously mentioned, like Hotspot Shield and CyberGhost VPN, and Hideman, another service we like, are all great examples of free VPN providers that don't log, go out of their way to say so, and that support their free services by also offering premium and paid plans that offer more features (in the case of Hotspot Shield and CyberGhost) or more hours of use (in the case of Hideman).

Paid VPN providers are a different matter. Ideally, because you pay for their service, they should cater to both the privacy and security minded, but that's not true at all. Some providers are security minded, not privacy minded, and market themselves as such: You can use their services to stay safe online, but don't come with an expectation of privacy. If someone comes with a subpoena or a Cease and Desist, they'll cancel your account and turn over your data to whoever's asking for it, and they're not afraid to admit it. Here are some quick tips to help you research paid VPN services:

  • Google their name and "logging" in the same query. It may sound simple, but it's actually really effective. You'll usually turn up the provider's own privacy policy (which, in the worst cases can be so buried it's difficult to find), which can answer the question right away. Some VPN providers are proud to say they don't keep logs, or that they only keep access logs in order to bill you for usage, or that they do log, but they purge daily or weekly. Some will try to dance around the issue by saying they keep "whatever logs are required by law," which really means whatever law enforcement has asked them for—which could be anything. Others won't address the issue at all—that's where the rest of the results come in. You'll probably find other sites and articles discussing the company's logging policies, which can help you figure out if they care about your privacy as much as they care about your security.

  • Don't be afraid to ask outright. If you don't get the answer you want from simple searches, contact them and ask what their logging and data retention policies are. Again, this is something you'd want to do with premium providers more than free ones—you don't want to spend your money unless you're sure what you're getting.

  • Don't fall for the geography trap. Some people swear only by VPN providers outside their country for privacy. They're convinced that their local laws are privacy unfriendly, or that a provider in their country can be manipulated by other companies, legal wrangling, or law enforcement, and they'll just roll over and hand off whatever private data they have on their users. Trust us: geography won't save you. Living under the assumption that because a VPN provider is in another country it's immune to your local laws or will defend you when pressured is a false sense of security.
    Both law enforcement and private industry groups can exert authority and pressure anywhere in the world they choose, and in most cases they'll get the results they want if they push hard enough. Otherwise, they'll just pressure the government in that jurisdiction to act on their behalf. Put simply: Don't assume that because you live in the US and you use a VPN provider in The Netherlands that you're immune from the law, or that a VPN provider in your own country wouldn't fight harder for your privacy than one overseas. In some cases this is true, but logging, privacy policies, and the general philosophy of the company are generally more important than physical location. This thread at Wilder Security is essential reading on the topic.

  • Pay attention to technology. When asked back in 2008 by CNET about WiTopia's privacy stance and technology, WiTopia president Bill Bullock explained that a number of single-server, fly-by-night VPN providers were beginning to pop up, making big privacy and security promises without actually having the technology to back them up. Since then, the number has only grown—it doesn't take much to set up a VPN concentrator anymore, and all it really takes is a few friends in a few different cities and countries willing to run their own servers to build a small network.
    However, if the company doesn't have the right technology on the back-end, they could be putting both your security and your privacy at risk, or wind up being victims of data theft, hacking, or spying themselves. When you're researching VPN providers, make sure they're above board with the level of encryption they offer, the security features they provide, and are open about who's reviewed them and the press they've gotten. Then double-check those reviews and look for independent opinions of their service, just to be sure.

VPN services are thriving, and new subscriptions are big money. It's not uncommon for a VPN provider to play dirty, whitewash their issues, and put on a good face to attract customers. When we did our last Hive Five on VPN providers, we saw the ugly side of the business so clearly that we decided to do our own independent analysis to clear the air and make our own recommendations.

The best thing you can do is to take everything a provider themselves says with a grain of salt. If they're good, they'll back up their own claims, and welcome you to do as much additional research into them as you'd like. In addition to our guide to the topic, our friends at TorrentFreak recently updated their guide as well, and it's worth reviewing.

Take Matters Into Your Own Hands

VPNs aren't perfect. One thing you should always remember is that, in general, traffic between your VPN exit node or exit server and your eventual destination is not encrypted by the VPN—so while someone snooping on the other end may not get all the way back to your computer or location, if your data is unencrypted or sent in the clear (sites not using HTTPS or encrypted passwords, etc.) it can be easily intercepted anyway. Using a VPN is no excuse for lax personal security.

Remember, whatever VPN provider you choose, you can always use additional privacy tools in conjunction with it. We've discussed some of those tools in detail, but it makes sense to keep them running. You could always combine services, like Tor and a VPN (although you really shouldn't use Tor for file-sharing traffic, if that's your goal) for extra anonymity, even if it doesn't offer any additional security. If you want to go that route, this thread at Wilder Security discusses the issue in detail. Similarly, TorrentFreak has an excellent guide to making your VPN even more secure.

Finally, you can always roll your own VPN if you have an always-on device at home, or a router that supports OpenVPN. You could even turn a $35 Raspberry Pi into a personal VPN you can connect to while you're on the go. Of course, this option is for the security-minded, not the privacy-minded (as your traffic is only encrypted between you and your home VPN server or personal router, and then unencrypted as it goes out to your ISP), but it's always an option, and add-ons like Privoxy (which we've shown you how to set up) can offer some anonymity for your home VPN.


We know it's a tricky topic, but you are right, Watching the Watchers: Ultimately you have to trust your VPN provider has your best interests in mind, but the only way to get that level of trust is to do your homework, verify their promises and services are legit, and then take additional steps to protect yourself even if they're not, or they fail you somehow. There are good providers out there committed to your security and your privacy (we've mentioned some of them) that are worth your trust.

Sincerely,
Lifehacker


Photos by Maksim Kabakou (Shutterstock).