Dear Lifehacker, I've read about why I really should use a VPN, and I've been looking into different providers, but there's one thing I'm worried about. Can't a VPN provider just look at my traffic all they want and see what I'm doing? Don't I just have to trust them not to spy on me? If that's true, how do I pick one I can trust, when they can all see what I'm doing? Sincerely, Watching the Watchers
Dear Watching the Watchers, To a certain extent, you're right. You do have to trust that your VPN service provider has your best interests at heart, because you're relying on it to secure your connection, keep everything encrypted and protect your activity from prying eyes. You're connected to its network and its servers, and you have to trust that when it says your exit IP is in Sweden, for example, it really is and it's not just obfuscating something else. It's true — when you sign up for a VPN, you put a lot of trust in the company you sign up with.
Why Trust In Your VPN Provider Is Important
Not all VPN service providers are worth your trust. Some diligently log your connection times, dates and IP addresses, keep track of how long you're connected, and some even keep an eye on the types of traffic you send through their networks while you're logged in. They'll tell you it's to make sure you're not doing anything illegal or anything that would damage their network, but that level of snooping does kind of go against the whole purpose of a VPN, doesn't it?
The best ones keep as few logs as possible and aren't interested in what you do while you're connected. Some don't even track when you log in or out. Even if a provider does have to keep some logs, it purges them periodically in order to protect your privacy. After all, the reason you pay for a VPN is privacy and security, and if the provider keeps its own data about you, it's the weak link in that chain. Here are some tips on how to research a VPN and decide whether it's a good match for you.
Ask Yourself: What Are You Using a VPN For?
Whether you have a VPN provider already or you're searching for a good one, the first thing you should ask yourself is why you want one in the first place. Now, we've made the case for why most people should have one and what types of people need a VPN, but most needs boil down to two things: security and privacy, or some combination of the two.
If security is all you're concerned with, and you have a VPN provided to you by your school or company, you're already set. In fact, almost any VPN will cover you from the security angle, because you're only really concerned about protecting your activity from prying eyes, presumably on the same network that you're on — like a hotel, cafe or airport's free Wi-Fi. Of course, you still need to make sure that your VPN provider isn't sniffing your traffic and creating the security issue itself, but we'll get to that in a moment.
If privacy is your concern, you have more to consider. Privacy-minded VPN users have to trust that their provider isn't watching what they're doing or willing to roll over and hand off their activity, logs and personal data to whoever comes calling with a fancy-looking letter written in legalese. They also have to worry about what information the VPN provider itself is keeping, and whether that information can be turned against them, sold to third parties, used for marketing or just kept forever in case someone comes calling. In either case, all it takes to either allay your fears or warn you off a VPN provider is a little research. Here's how to go about it.
Do Your Homework
Services we've mentioned before, including Hotspot Shield and CyberGhost VPN, along with Hideman, another service we like, are all good examples of free VPN providers that don't log, go out of their way to say so, and support their free services by also offering premium paid plans with more features (in the case of Hotspot Shield and CyberGhost) or more hours of use (in the case of Hideman).
Paid VPN providers are a different matter. Ideally, because you pay for their service, they should cater to both the privacy-minded and the security-minded, but that isn't always the case. Some providers are security-minded, not privacy-minded, and market themselves as such: you can use their services to stay safe online, but don't come with an expectation of privacy. If someone shows up with a subpoena or a cease-and-desist letter, they will cancel your account and turn over your data to whoever's asking for it, and they're not afraid to admit it. Here are some quick tips to help you research paid VPN services:
- Don't be afraid to ask outright. If you don't get the answer you want from simple searches, contact them and ask what their logging and data retention policies are. Again, this is something you'd want to do with premium providers more than free ones — you don't want to spend your money unless you're sure of what you're getting.
- Don't fall for the geography trap. Some people swear only by VPN providers outside their country for privacy. They're convinced that their local laws are privacy unfriendly or that a provider in their country can be manipulated by other companies, legal wrangling or law enforcement. Trust us: geography won't save you. Living under the assumption that because a VPN provider is in another country it's immune to your local laws or will defend you when pressured is a false sense of security. Both law enforcement and private industry groups can exert authority and pressure anywhere in the world they choose, and they'll get the results they want if they push hard enough. Otherwise, they'll just pressure the government in that jurisdiction to act on their behalf. Put simply: don't assume that because you live in Australia and you use a VPN provider in the Netherlands that you're immune from the law, or that a VPN provider in your own country wouldn't fight harder for your privacy than one overseas. There are cases where location does matter, but logging, privacy policies and the general philosophy of the company are generally more important than physical location. This thread at Wilders Security is essential reading on the topic.
- Pay attention to technology. When asked back in 2008 by CNET about WiTopia's privacy stance and technology, WiTopia president Bill Bullock explained that a number of single-server, fly-by-night VPN providers were popping up, making big privacy and security promises without the technology to back them up. Since then, the number has only grown — it doesn't take much to set up a VPN concentrator anymore; all it really takes is a few friends in a few different cities and countries willing to run their own servers to build a small network. However, if the company doesn't have the right technology on the back end, it could be putting both your security and your privacy at risk, or could itself wind up the victim of data theft, hacking or spying. When you're researching VPN providers, make sure they're above board about the level of encryption they offer and the security features they provide, and open about who has reviewed them and the press they've received. Then double-check those reviews and look for independent opinions of their service, just to be sure.
VPN services are thriving, and new subscriptions are big money. It's not uncommon for a VPN provider to play dirty, whitewash their issues and put on a good face to attract customers. When we did our last Hive Five on VPN providers, we saw the ugly side of the business so clearly that we decided to do our own independent analysis to clear the air and make our own recommendations.
The best thing you can do is to take everything a provider itself says with a grain of salt. If it's good, it will back up its own claims, and welcome you to do as much additional research into it as you'd like. In addition to our guide to the topic, our friends at TorrentFreak recently updated their guide as well, and it's worth reviewing.
Take Matters Into Your Own Hands
VPNs aren't perfect. One thing you should always remember is that traffic between your VPN exit node (or exit server) and your eventual destination is generally unencrypted — so while someone snooping on the other end may not be able to trace it all the way back to your computer or location, if your data is sent in the clear (sites not using HTTPS, passwords submitted unencrypted) it can be easily intercepted anyway. Using a VPN is no excuse for lax personal security.
Remember, whatever VPN provider you choose, you can always use additional privacy tools in conjunction with it. We've discussed some of those tools in detail, but it makes sense to keep them running. You could always combine services, like Tor and a VPN (although you really shouldn't use Tor for file-sharing traffic, if that's your goal), for extra anonymity, even if it doesn't offer any additional security. If you want to go that route, this thread at Wilders Security discusses the issue in detail. Similarly, TorrentFreak has an excellent guide to making your VPN even more secure.
Finally, you can always roll your own VPN if you have an always-on device at home, or a router that supports OpenVPN. You could even turn a Raspberry Pi into a personal VPN you can connect to while you're on the go. Of course, this option is for the security-minded, not the privacy-minded (your traffic is only encrypted between you and your home VPN server or personal router, and then travels unencrypted out to your ISP), but it's always an option, and add-ons like Privoxy (which we've shown you how to set up) can offer some anonymity for your home VPN.
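For the home-server option above, here is a minimal server-side OpenVPN configuration, added here as an illustration; it is not from the article or from the OpenVPN project, and the file paths, the 10.8.0.0/24 tunnel subnet and the resolver address are assumptions. The pushed `redirect-gateway` is what makes a laptop on hotel Wi-Fi send everything through the tunnel, and the comments mark where that protection ends.

```conf
# Assumed path: /etc/openvpn/server/home.conf (adjust to your install).
# Listens on UDP 1194; your home router must forward this port to the Pi.
port 1194
proto udp
dev tun
topology subnet

# PKI generated beforehand (for example with easy-rsa); paths are assumptions.
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
# "dh none" selects ECDH key exchange instead of static DH parameters.
dh   none
# tls-crypt encrypts and authenticates the control channel with a pre-shared key.
tls-crypt /etc/openvpn/server/ta.key

# Only accept peers whose certificate was issued for the client role,
# and pin modern TLS and data-channel algorithms.
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# Tunnel addressing (assumed): the server takes 10.8.0.1, clients get 10.8.0.x.
server 10.8.0.0 255.255.255.0

# Send ALL client traffic through the tunnel, so the cafe or hotel network
# sees only encrypted UDP to your home IP. Push a resolver as well, otherwise
# DNS lookups still go to the local network's resolver.
# (Assumes a resolver listening on the Pi's tunnel address.)
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"

keepalive 10 120

# Drop root after startup; keep key material and the tun device across restarts.
user nobody
group nogroup
persist-key
persist-tun

# Connection-level status only; no per-packet logging.
status /var/log/openvpn/status.log
verb 3

# Where the protection ends (the article's point): traffic is encrypted only
# between the client and this server. Once it leaves the Pi it goes to your
# ISP exactly as it would from a machine at home, so the ISP and every site
# you visit still see your home IP and any non-HTTPS content.
```

Forwarding the clients' traffic out also requires IP forwarding and a NAT rule on the Pi, which live outside this file.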
We know it's a tricky topic, but you are right. Ultimately you have to trust that your VPN provider has your best interests in mind, but the only way to earn that level of trust is to do your homework, verify that its promises and services are legit, and then take additional steps to protect yourself. There are good providers out there committed to your security and your privacy (we've mentioned some of them) that are worth your trust.
Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.