Finding a great VPN service can be a challenging task—and that’s putting it mildly. It’s not hard to find any VPN service. There are plenty of apps that promise to encrypt your connection by shuffling it through a third-party server, causing your requests to appear as if they’re coming from said server (even if it’s halfway around the world) rather than your more easily identifiable device.
To keep your public wifi browsing and BitTorrenting private, should you search the App Store or Google Play for “VPN,” download any ol’ app with a high rating, and call it a day? No, no, no.
A free VPN — whether it’s an app you download or a service you pay for and set up on your devices manually — is bad, because if a company isn’t charging you a penny for server investments or upkeep, it’s probably making its money by tracking everything you do and selling that information. Even well-known companies are guilty of this. Trust nobody that uses the f-word to try and entice you to use a VPN.
I’ve scoured through advice from a number of legitimate security and privacy-minded watchdogs, and here’s a roundup of the basic tips you’ll want to keep in mind when shopping for a VPN service. There are a lot of them, but they’re important because your data security is important.
Research the VPN app before you use it. You are trusting a VPN with potentially all of your traffic. Before you download a VPN app, learn as much about the app as you can. Look up outside reviews from sources you respect. You can also look at screenshots, the app’s description, its content rating, and user reviews, and can do some online research on the developer. The fact that an app promises security or privacy does not necessarily make it trustworthy.
Carefully review the permissions the app requests. Apps will present the permissions they request on their app store page, during installation, or at the time they use the permission. It’s useful information that tells you what types of information the app will access on your device in addition to your internet traffic. If an app requests particularly sensitive permissions (reading text messages, for example), consider whether the permission makes sense given the app’s purpose and whether you trust the app developer with that access.
How long has your VPN provider been around? If it is relatively new and without a reliable history, you’d have to trust the provider a great deal in order to use such a service.
Does the VPN provider log your traffic? If yes, what kind of information is logged? You should look for one that explicitly promises not to log your Internet traffic, and consider how active the VPN provider is in advocating for user privacy.
Does the VPN provider use encryption in providing the service? It’s generally recommended to use services that support a well-vetted open source protocol like OpenVPN or IPSec. Utilising these protocols ensures the best security available.
If your VPN provider uses encryption, but has a single shared password for all of the users, it’s not sufficient encryption.
My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).
“You may have started your search for a VPN by looking for ‘VPN Reviews’ in your search engine of choice. If you had, you would have gotten page upon page of what seem to be harmless review sites, top 10 or blog style reviews of different VPN services. You may even be coming here for confirmation of what you were told on those sites. The sites making these recommendations are, in almost every case, paid by the services they review and recommend. They are beginning their business relationship with you, with what essentially amounts to a lie. The technical term for this kind of marketing is ‘native advertising’ and its abuse is a huge problem in the VPN industry.”
1. Located in a good privacy jurisdiction (outside of 5/9/14 Eyes countries) to keep user data safe
2. Passed all tests with no leaks found whatsoever (no IP address leaks or DNS leaks)
3. Good performance throughout the server network (speed and reliability)
4. High-quality VPN apps with all features working correctly
5. Supports the OpenVPN protocol and strong encryption standards
6. Offers a money-back guarantee (between 7 and 30 days)
7. Trustworthy and well-established VPN provider with a good track record
“A ‘kill switch’ goes by many names, but the term describes VPN software that shuts off all network traffic in and out of your computer if the encrypted connection fails. A hiccup in your Wi-Fi or even with your ISP can cause a VPN to disconnect, and if you then maintain an unsecure connection—especially if the VPN software doesn’t alert you that it’s no longer protecting your traffic—that wipes out all the benefits of your VPN. We considered kill switches to be mandatory. And although we looked for apps that made it easy to add rules about when to activate kill switches, we considered special config files or manual firewall tweaks to be too complex.”
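The leak tests and the dropped-tunnel failure described above can be checked from a machine's own routing table; the following is an added example, not code from this article or from any of the sources it quotes. It reports which traffic would leave outside the tunnel, first while connected and then after a drop, which is the state a kill switch has to block. It assumes Linux `ip route show` output and a `resolv.conf`-style DNS file, the tunnel interface name prefixes are assumptions, and the sample tables are constructed using private and documentation addresses.

```python
import ipaddress

TUNNEL_PREFIXES = ("tun", "wg", "utun", "ppp")  # assumed tunnel interface names

def parse_routes(ip_route_output):
    """Parse `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line or a route without an output device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_device(routes, address):
    """Longest-prefix match: the interface that would carry traffic to address."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None

def nameservers(resolv_conf):
    rows = [line.split() for line in resolv_conf.splitlines()]
    return [r[1] for r in rows if len(r) > 1 and r[0] == "nameserver"]

def find_leaks(ip_route_output, resolv_conf, probe="203.0.113.10"):
    """Return (kind, address, device) for traffic that bypasses the tunnel."""
    routes = parse_routes(ip_route_output)
    leaks = []
    for kind, addr in [("ip", probe)] + [("dns", n) for n in nameservers(resolv_conf)]:
        dev = egress_device(routes, addr)
        if dev is None or not dev.startswith(TUNNEL_PREFIXES):
            leaks.append((kind, addr, dev))
    return leaks

# Constructed samples: OpenVPN-style split default routes, then the table after a drop.
CONNECTED = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
DROPPED = "default via 192.168.1.1 dev wlan0\n192.168.1.0/24 dev wlan0\n"
DNS_IN_TUNNEL = "nameserver 10.8.0.1\n"
DNS_ON_LAN = "nameserver 192.168.1.1\n"
```

This inspects routing only; whether a firewall-based kill switch would actually block the leaked traffic after a drop is not something the routing table can show.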
Finding the right VPN for you
Even though you now have an idea of what to look for in your next VPN, the research phase isn’t over—close, but not quite. While I have a handful of reviewers I trust for solid gadget and software recommendations, VPNs are a different story entirely. I’ve seen plenty of reviews that are just speed tests masquerading as helpful advice. How long it takes to download files, while useful, shouldn’t be the top priority when you’re picking your next VPN. Security and privacy are much more important, and not everyone tests these aspects as well as others (if at all).
“Just pick a good VPN” is like telling thirsty people to “go to a store and drink clear liquid.” They drank bleach, but at least you helped. — SwiftOnSecurity (@SwiftOnSecurity) March 31, 2017
You’ll be the most secure if you set up and run your own VPN, but that’s likely beyond most people’s skills. It’s a little easier to use a VPN server that’s built into your router or network-attached storage, but that’s only useful if you’re looking to encrypt your traffic on a public wifi connection. Your ISP is still going to see everything you do, which makes this solution less practical if you’re trying to hide something you’re doing from a company that might get mad if it caught you doing it.
Were I shopping for a new VPN, I’d fire up Excel or Google Sheets and create a giant analysis that looks at how various services address the various talking points I just highlighted. To populate that list, I’d look for services that are highly recommended from privacy-minded websites like TorrentFreak, That One Privacy Site, privacytools.io, or Restore Privacy, as well as thoughtful aggregators like vpnMentor or Wirecutter. I’d also read through users’ experiences with various VPNs over at /r/VPN, just to make sure I didn’t miss any problems a service’s users have reported.
There isn’t one great resource for finding your next VPN—at least, none that I trust completely. Doing the legwork is important, and it’s a lot of work, I know. Succeed in your task, and you’ll come away from the process with a lot more confidence in the VPN service you ultimately pick (if you even go for one at all).
More importantly, you will graduate from a self-taught crash course in network security, which will help you be a smarter and more privacy-minded web user for years to come. If you’re giving another company free access to your data, you owe it to yourself to know as much about the process as possible—and then a little bit more.