How to Choose a VPN Provider
If you’re reading this post, then likely you’ve decided using a virtual private network (VPN) is “for you.”
If for any reason you have not yet reached this conclusion, refer to the links in "Decide if a VPN is right for you."
Decide if a VPN is right for you
Before beginning research on choosing a VPN provider, avoidthehack highly recommends becoming familiar with VPNs by:
VPNs are not a silver bullet and should not be considered a "one-stop shop" (despite what aggressive VPN marketing claims) for security or privacy. A VPN is not a drop-in replacement for basic security hygiene and privacy-friendly best practices.
Should you self-host your own VPN?
The short answer is: it depends.
Very generally, self-hosting a VPN is not recommended because there is no other users' traffic for your traffic to blend into. This lack of network traffic "camouflage" makes you unique, which potentially makes it easier for websites, web services, and web apps to track you/your device by cross-referencing various data points.
Many people may be connected to and using any given centralized VPN provider's server at any given time. At minimum, we can assume all users have the same IP address (due to being connected to the same server) and therefore have the same "exit node." This makes it harder for the various websites, web services, or web apps to pick out who is who, even if multiple users visit the same website at different times.
With a self-hosted VPN, more than likely your traffic will be coming from the same “node” the entire time - over time, it may become easy for whoever is interested to track and profile you.
Typically, a self-hosted VPN is recommended in cases where users want to connect to their home network while in a different physical location. While this can be useful, as it fits the original use for VPNs, it can also be dangerous for inexperienced users because some portion - usually a device - of the home network needs to be exposed to the public internet.
Users concerned with exposing a home device to the public internet can also use a hosting provider - typically a VPS - to self-host VPNs. However, depending on the host provider and their internet service provider (ISP), your network traffic may be logged regardless. If this is the case, it can easily defeat whatever privacy advantage gained from using a self-hosted VPN - you would only "hide" your traffic from your primary ISP.
What about decentralized VPNs?
Decentralized VPNs borrow from the relay hop model seen on the Tor network (but don’t use the Tor network). Decentralized VPNs have grown in popularity in recent years and frequently incorporate blockchain technology to render services.
However, as of writing, it looks like most decentralized VPNs only route traffic at most 1 hop away. This differs from the typical Tor model which sends internet traffic through at least 3 different hops, with the “exit node” changing periodically. A decentralized VPN's 1 hop provides little defense in the event of a compromised node.
This isn’t to discredit or to dissuade users from using a decentralized VPN; in some cases, using one may prove adequate. However, it can be argued that the best decentralized VPNs are no more privacy-friendly than trusted, “no-logs” centralized VPN providers.
Avoid most “free” VPNs
Free VPNs are the epitome of the old internet rule, “if it’s free, then you’re the product.”
Free VPN apps on the Google Play Store have also been found to be nothing more than disguised malware. This malware can be as mild as annoying "adware" designed to display numerous ads on your device, consuming its available resources and generating revenue for the malware developers.
In more severe cases, free VPNs can be cover ups ("bait") for malware designed to steal (harvest) information on your device. Information harvested typically extends beyond unwarranted data collection from commonly installed apps - malware frequently harvests sensitive data like passwords, cryptocurrency wallet keys, browsing histories, and network traffic.
Even if the “free” VPN isn’t malware in disguise, it’s important to remember VPN providers have a high level of access to your network traffic routed through them; VPN providers essentially “replace” the ISP in the network chain.
Like many traditional ISPs in the US, free VPNs have a history of collecting, logging, storing, and sharing/selling user information they have access to - like browsing data and DNS queries. Many free VPN providers collect information not at all necessary for rendering VPN services and their clients/apps can aggressively collect information about your device without explicit knowledge.
In some cases, free VPN providers have shared data with cloud providers, governments, and anyone willing to supply some cash in exchange for the data; they have also been accused of using device resources, such as CPU power, to mine crypto for themselves (cryptojacking)!
One of the most important things to look for in a VPN provider is the contents of their data privacy policies - specifically the sections on data collection and any possible retention of collected data.
The presence of an independently audited no-logs policy is the best case scenario here.
Many VPN service providers boast no-logs policies, only for it to come out after some event - usually involving law enforcement - logs were collected all along.
Naturally, this spells disaster for the users regardless of what was logged. If the VPN provider collected PII, then these logs could be used and tied back to a user's true identity.
However, it is impossible for us as users to 100 percent verify any VPN service provider’s “no-logs” claims. Therefore, efforts of transparency can prove important to note. It's often worth digging deeper than what the marketing claims (or conveniently leaves out) on the VPN provider's website, considering questions such as:
- Does the VPN provider offer a publicly accessible audit of their no-logs claims?
- Are there transparency reports that disclose requests received by government entities?
- What was the date of the last audit?
- Is an audit on a VPN provider's no-logs policy conducted regularly?
- Does the VPN provider voluntarily share information - such as logs - with third parties (which can include server infrastructure providers and government entities)?
Information required at signup
Reputable VPN providers should collect as little information as possible during sign-up. Requests for personally identifiable information (PII) may be spun to appear innocuous - a courtesy of the VPN's marketing department. Common PII requests at sign-up include, but are not limited to:
- Legal name (first and/or last)
- Mobile phone numbers (especially the requirement for SIM-connected phone numbers)
- Address information
- Any demographic information
- Requests for proof of identification
PII is not required to render VPN services and a requirement to supply PII should be regarded as a red flag. Ideally, the VPN provider a user chooses would permit anonymous account registration.
Payment methods can undo a large portion of privacy gained from using even the most reputable VPN providers. However, depending on the sensitivity of a user's threat model, this may not be a large/reasonable concern.
Specifically, debit and credit cards are typically issued by banks, which in the US, are heavily regulated. Broadly speaking, banks collect and store a lot of PII - so by extension, a debit or a credit card is directly linked to a person’s real identity.
To alleviate this, trusted VPN providers often offer alternative forms of payment - or even anonymous payments. Alternative forms of payments, such as accepting Bitcoin or Litecoin, aren’t always anonymous; typically anonymous payments include accepting Monero cryptocurrency and cash.
Depending on the user, this may not be an area of great concern.
Killswitches prevent network traffic from leaking outside the VPN in the event the device's connection to the VPN servers becomes unstable. Unstable connections can and frequently do include loss or degradation of the internet connection for any reason.
Reliable killswitches are especially important as they cut off the device's internet connection if the VPN connection is indeed unstable, preventing potentially identifying data from leaking outside the VPN.
Users may not be aware when the connection to the VPN network is shaky enough to reveal network traffic - reliable killswitches remove the need for the user to notice this while connected.
If the VPN provider features clients (apps for connecting with the VPN provider's network), then in an ideal circumstance these clients would be open-source.
Open-source clients promote transparency and leverage the global security and software engineering community to search for security flaws, bugs, and conduct audits of the source code. With open-source clients, anyone can inspect the source code for any reason.
Open-source clients generally also show a commitment to contributing to the open-source community. Tweaks/adjustments can be more easily made or suggested by users willing to do so.
If the VPN provider’s clients are not open-source, then it’s encouraged to re-evaluate the organization’s data privacy policies. For example, does the VPN client app collect any device data? Does the client have embedded trackers?
It's also encouraged to review any permissions closed-source clients might request. Permissions such as Bluetooth and location services access should be regarded with suspicion as they are not required to render VPN services.
Be aware closed-source clients or applications may incorporate tracking technologies difficult to catch.
Protocols are the engine behind VPN connections. Traditionally, centralized VPN providers offer multiple protocols; the user often decides which protocol to use.
A few different VPN protocols exist and there is no "perfect" solution; VPN providers should offer at least one of these protocols:
User needs and requirements typically dictate which protocol to choose over the others. VPN providers shouldn't offer fundamentally insecure protocols. Any reputable VPN provider should offer OpenVPN at a minimum, as it is a versatile, open-source, and secure protocol suitable for most users' needs. While OpenVPN configuration isn't easy, the VPN service provider's client should make it easy enough for any user to use OpenVPN.
Ideally, the VPN provider would also support the newer WireGuard protocol, which strives to be faster and more secure than the widely used and respected OpenVPN protocol.
Multihop loosely borrows from the Tor relay model (but not the .onion network itself), sending user network traffic through multiple VPN servers ("hops"), which helps obfuscate user network traffic.
Multihop primarily helps defend against timing attacks; routing traffic through multiple servers makes it much harder for third parties monitoring a single node to piece together data (primarily browsing data) and then tie that browsing data back to a user's identity.
Multihop does not create anonymity.
A VPN lives and dies by its encryption.
For a VPN provider, encryption plays two major roles:
- Ensuring the VPN servers, implementations, and connections are secure.
- Protecting any data stored or retained by the VPN provider.
For the VPN service itself, due to a VPN’s reliance on encryption, it’s highly important a VPN uses a secure encryption protocol and strong encryption for accompanying handshakes for tunnels and connections.
As mentioned earlier in this post, a weak VPN protocol defeats the purpose of using a VPN, as the user's browsing data is still at high risk of exposure to third parties. VPN protocols with known unaddressed vulnerabilities or comparatively weak encryption put data at risk.
Any data collected and/or retained by the VPN provider should be encrypted. In a best case scenario, account credentials should be salted and hashed, with only the resulting hash values stored. It is unacceptable for data-at-rest to be stored in plaintext.
Security audits generally promote transparency and, in some cases, strengthen the VPN provider's security posture by disclosing weaknesses or security flaws in various parts of their service, such as clients, apps, or implementation.
Ideally, a VPN provider would undergo security audits on a regular, fixed schedule. Regularly performed security audits could prove beneficial to the provider's overall security posture due to the ever evolving nature of the cybersecurity and online privacy landscapes.
Be aware - even reputable, independent audits do not “tell the full story.” Users should be aware these audits cannot 100% guarantee the authenticity of any VPN provider’s no-logs policy.
Perfect Forward Secrecy (PFS)
PFS removes reliance on a single server private key that typically changes rarely. With PFS, a new session key is generated for each transaction with the server.
Should an attacker compromise a server key, PFS alleviates (but does not completely eradicate) the risk of a total server compromise from a single compromised server key.
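The difference PFS makes, as an added worked example in Python (not code from this post or from any VPN provider): a toy Diffie-Hellman group and an HMAC stand-in for a signature are constructed for readability, so the parameters are illustrative only. It contrasts a handshake that reuses long-term keys with one that uses a fresh ephemeral pair per session, then replays the "server key leaked later" scenario against a recording of each.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group: a Mersenne prime so the arithmetic is
# real, but far too small for production use; real VPN handshakes use groups
# such as Curve25519 or 2048-bit+ MODP primes.
P = 2**127 - 1
G = 5
NBYTES = 16  # every group element fits in 16 bytes

def keygen():
    """Return (private exponent, public value) for one DH key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive(shared, transcript):
    """Session key = H(shared secret || public handshake values)."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big") + transcript).digest()

def static_static_session(server_static, client_static):
    """No PFS: both sides reuse long-term keys; returns key and the recording."""
    s_priv, s_pub = server_static
    _, c_pub = client_static
    transcript = s_pub.to_bytes(NBYTES, "big") + c_pub.to_bytes(NBYTES, "big")
    return derive(pow(c_pub, s_priv, P), transcript), transcript

def ephemeral_session(server_static):
    """PFS: fresh DH pair per session; the long-term key only authenticates."""
    s_priv, _ = server_static
    e_priv, e_pub = keygen()  # server ephemeral, discarded after the handshake
    c_priv, c_pub = keygen()  # client ephemeral
    transcript = e_pub.to_bytes(NBYTES, "big") + c_pub.to_bytes(NBYTES, "big")
    # Stand-in for a signature by the long-term key (toy: HMAC over transcript).
    sig = hmac.new(s_priv.to_bytes(NBYTES, "big"), transcript, "sha256").digest()
    server_key = derive(pow(c_pub, e_priv, P), transcript)
    client_key = derive(pow(e_pub, c_priv, P), transcript)
    assert server_key == client_key  # both sides agree without sending secrets
    del e_priv, c_priv  # the only values that could rebuild the key are gone
    return server_key, transcript + sig

def attacker_rebuilds(server_priv, recording):
    """Server long-term key leaks later and the attacker kept a recording.

    Works against static_static_session; fails against ephemeral_session
    because the recording holds public values and a signature, never an
    ephemeral private exponent.
    """
    c_pub = int.from_bytes(recording[NBYTES:2 * NBYTES], "big")
    return derive(pow(c_pub, server_priv, P), recording[:2 * NBYTES])
```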
An important question to answer in researching VPN providers is: Has the VPN provider experienced any kind of data breach?
The focus here is not necessarily on whether a data breach has, in fact, occurred, but rather the VPN provider’s handling of that data breach.
Data breaches happen. Some breaches are worse than others. However, an organization's response to a data breach can be far more indicative of their security posture and culture inside the company. Key things to look for include (but are not limited to):
- Transparency - did the VPN provider disclose the data breach themselves or did a third party? Did they keep the public updated? Were there attempts to “hide” or “downplay” the data breach?
- Notification - how did the organization notify customers of the data breach? How soon were customers notified? This frequently ties into transparency.
- Response - how did the VPN provider respond? Was it a quick response? Did they seek outside help? Did they notify any relevant organizations?
- Lessons learned - what steps has the VPN provider taken to ensure similar data breaches don’t occur in the future? This also frequently ties into transparency.
The number one limitation of any VPN service provider is the trustworthiness of the VPN provider itself. Any amounts of security and privacy gained from using a VPN provider ultimately rests with the provider's trustworthiness.
The VPN industry’s marketing is just as aggressive as it is deceptive as a whole. Many VPN providers make bold, and frankly untrue, claims. Common emboldened and rather deceptive claims include:
- Advertising "military-grade" encryption. This is a nonsensical phrase. Encryption strength has nothing to do with military-anything.
- Claiming to offer anonymity. While use of a VPN - assuming other basic cybersecurity and online privacy principles are followed - can improve security and privacy posture, its use will not automatically make any given user anonymous.
- Creating a false sense of urgency. Similar to many social engineering attacks, deceptive VPN marketing often goes over the top to create a false sense of urgency for the user to act. Displaying countdown timers, claiming you are "unprotected" (due to not being connected to their VPN servers in particular),
- Making bold, unsubstantiated claims. In the privacy and cybersecurity landscapes, nothing is 100 percent guaranteed; there are merely "best practices," which are ever-changing. Users should be wary of any "guaranteed" claims by a VPN provider, no matter how trustworthy they may seem.
Does jurisdiction matter for VPN providers?
On one hand, if the VPN provider sticks to a minimal data collection policy (and honors its "no-logs" claim) and encrypts any data collected, then it can definitely be argued jurisdiction doesn't matter as much. There is some definite truth to this, even outside the VPN space.
However, given the now high-profile status of VPNs and VPN services across the globe, some nation governments have taken interest in attempting to regulate VPN service providers or mandate data collection minimums. This can - and often does - conflict with privacy-friendly VPN services business practices.
For example, in September 2022, an Indian government law mandating collection of PII like full legal name, address information, and documented "reason for using a VPN" of VPN customers went into effect. VPN providers with servers in India were faced with a decision: either cooperate or leave.
Depending on the VPN provider's operating jurisdiction, even providers with "no-logs" policies can be forced to log user data pursuant to a criminal investigation.
Features or other offerings
Different VPN providers may include features not necessarily available at other VPN providers; however, very generally speaking, many VPN providers are functionally the same in their core offerings - often, it is the implementation of the service itself that counts the most.
Other offerings that commonly vary widely across VPN providers include connection speeds, number of simultaneous connections, server locations, and the number of servers a provider offers. Some VPN providers have servers available in countries others do not.
Users should be careful with features, ensuring the presence of a feature isn’t overshadowing something arguably more important, such as the presence of PFS or the claims (and any possible validations) of no-logs policies.
Remember: if the VPN service provider isn't trustworthy, then perhaps they also aren't worthy of having potential access to your network traffic data. Additional "features" are absolutely not a replacement for good data privacy practices.
Choosing a VPN provider is important - digging deeper, at least below the first layer (impression), is essential to choosing a trustworthy provider.
Users should take their own needs (and wants) into consideration. It may be beneficial to decide whether a VPN truly accomplishes their goals for personal cybersecurity and online privacy. Users should also understand the limitations of VPNs, as they have common weaknesses regardless of the provider.
Alternatives to traditional, centralized VPN providers exist - primarily decentralized VPN providers (dVPNs). While these decentralized VPNs have their own strengths and weaknesses when compared against centralized providers, depending on your threat model, they could prove a useful tool for some.