A Macintosh Resource Site
for the Milwaukee Metro Area

Other Factors to Consider in Choosing a VPN

First published: April 2019. Latest revision: March 2023.

Introduction

This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use.

In the past two articles, we’ve looked at various technical factors and issues with respect to choosing a trustworthy VPN service. Here we’ll examine several non-technical issues.

Find a well-established VPN service

VPNs have been much in the news lately, with just about every article that has anything at all to do with Internet privacy or security noting the benefits of using a VPN. As with most things that stir the public’s interest, there will always be someone who will want to satisfy that interest. Hence, there has been a proliferation of new VPN services over the past few years, arising from entrepreneurs seeking profit. Unfortunately, some are in it only to make some quick money.

It would take a fair amount of research to compile a list of VPNs that are well-established and not “fly-by-night” operations, but the effort would be worthwhile. Once your privacy is given up by a shoddy operator, that privacy is gone forever! So, do some investigating and try to find some VPNs with good “track records” over the course of several years.

Third party auditing

There has been much talk of the need for independent security audits among VPNs, but audits are neither cheap nor easy to do. Many VPNs either want assessments done on the cheap or the results are so problematic that nothing is ever revealed publicly.

When CDT (The Center for Democracy & Technology) first began speaking with VPNs, only TunnelBear had undergone security audits where its auditor, Cure53, also released information about the problems it uncovered. Subsequently, we also saw Mullvad undergo an audit with Cure53 in addition to VyprVPN undergoing a logging audit by Leviathan Security Group.

(from https://cdt.org/issue/privacy-data/vpns/) (archive)
(I added bold emphasis and paragraph breaks.)

Given the trust issues that affect VPNs, one would think that an unbiased audit by a reputable third-party firm is an affirmative action that a VPN would want to perform. Yet, audits in the VPN industry have been few and far between. Initially, in late 2019, I could find only six VPNs that had audits conducted: Tunnelbear, Mullvad, NordVPN, VyprVPN, Hotspot Shield VPN, and Confirmed VPN. (The latter seems to be a relatively new VPN service that I found when searching for audited VPNs. Confirmed VPN appears to be based in the US. My investigation into it raised some red flags, so in my opinion, Confirmed VPN is a “no go” and I will not discuss it any further.)

A VPN service that has been audited by a competent third-party is distinctly more preferable than an unaudited VPN service.

Examples of VPNs with audits

TunnelBear announced they had completed a “5th Annual Independent Security Audit.” (They announced the “Industry-First Consumer VPN Public Security Audit” on 08/07/2017.)

Hotspot Shield VPN announced that an “Independent study calls Hotspot Shield the fastest, most secure VPN technology.” Note: This "comparative test” was not a full-fledged audit.

Mullvad states that they “perform external security audits of our VPN apps every two years.”

Additionally, Mullvad has had audits of their VPN (server) infrastructure performed. Furthermore, there has been a security audit of Mullvad’s authoritative DNS servers performed. Several other independent audits for Mullvad are also available.

VyprVPN announced they were “the world’s first publicly audited no log VPN service” and linked to a “Privacy Audit.”

NordVPN proclaimed “an industry-first audit of its no-logs policy” and “an industry-first step towards transparency.” (dated 11/22/2018) A second “expanded” audit was performed in early 2020.

  • Surprisingly, the public cannot read either of the audit reports! NordVPN states, “We cannot publish it or quote it.”

Note: Look again at those last two announcements. VyprVPN claims “world’s first” and NordVPN claims “industry-first.” These claims are contradictory and are also false. The first VPN audit was done more than a year before the audits of VyprVPN and NordVPN, and it was done by TunnelBear.

Also, NordVPN has the audacity to proclaim their audit is “an industry-first step towards transparency,” yet the report is completely hidden from the public! (Supposedly, NordVPN subscribers can read the report online but are bound by a non-disclosure agreement to not release information about the audit.) Well, despite NordVPN's claim of transparency, it seems to me that NordVPN is about as non-transparent as you can get! (Recall that, as noted in one of my previous articles, NordVPN does not disclose the identities of its top management officers, unlike scores of other VPN services that do release this information.)

ExpressVPN announced in a blog post that an independant audit of their VPN service had been performed. (dated 07/09/2019)

  • Unfortunately, like NordVPN, ExpressVPN has not publicly released the audit report. Hence, as with NordVPN, I decry ExpressVPN’s lack of transparency.

IVPN announced in a post that an audit was done of their non-logging of data. (dated 03/21/2019) IVPN has had security audits performed on a yearly basis since then.

There have been a few other VPNs that have released audit reports since my search for audited VPNs in late 2019. (Mozilla VPN, ProtonVPN and Surfshark.)

When evaluating a VPN for your own use, be sure to peruse their website for third-party audit information. Be wary of unaudited VPN services!

Customer support

Most of us are not experts with respect to VPN services and their underlying technology. Although many VPNs are fairly easy to implement on your Internet-connected devices, problems or questions regarding their use may arise. Hence, the customer support that a VPN service offers can be critical in helping you to protect your Internet security and privacy.

The website of a VPN should provide support services. A comprehensive “FAQ” about the VPN, articles about basic set-up for various devices and situations, tutorials about getting the most out of the VPN in different scenarios, etc. should be a part of every VPN’s website. You should browse around the site of a VPN that you are considering using to confirm that these sorts of “do-it-yourself” support resources are present.

Does the VPN service offer live chat support for support issues that can’t be solved by browsing the website? Is it an encrypted chat session? How about email? Again, is there an option to send encrypted email? (Don’t scoff at encrypted support communications: remember, a VPN should make your security and privacy paramount.)

VPN speed

The speed of downloads and uploads when connected via a VPN will be at least somewhat slower than when you are accessing the Internet without an intervening VPN. Several factors influence data throughput via a VPN:

VPN Server Location - Instead of being connected to the Internet via what is likely a local server at your ISP’s (Internet Service Provider’s) local or regional data center, your VPN connection is through the local ISP and then through a remote server of the VPN. That server may be located as close as the nearest major city, or it could be on the other side of the world. The further the VPN server is from your current location, the slower the connection speed will be.

VPN Server Load - VPNs do not have an unlimited number of servers to which you can connect. Many other users of your VPN service will be connecting to a particular server of the VPN simultaneously with you. If the server becomes overloaded with too many simultaneous connections, your connection speed will decrease.

VPN Protocol Overhead - There are a few different encryption protocols that a VPN can use, and also there may be different levels of encryption security within a protocol. The higher the strength of the encryption, the more time it will take to encrypt the data. This encryption overhead affects the speed of the overall VPN connection.

However, encryption overhead is no longer a major factor affecting VPN speed because computers are sufficiently fast enough that strong encryption only results in a slight loss in data throughput speed. Furthermore, for VPNs that offer WireGuard, the WireGuard protocol was designed for faster speeds and reduced connection times, so protocol overhead is less of a concern when using WireGuard.

VPN Bandwidth Restrictions - Some VPN services will actually cap their users’ connection speeds at a certain level. A VPN with no bandwidth capping is obviously to be preferred.

VPN review sites will usually include an assessment of the speed of a VPN within the review. When reading these reviews, be certain to remember that most review sites receive kickbacks from VPNs in the form of commissions for customer referrals. Speed test results may be skewed just as other components of the review may be biased when the reviewer is compensated through the affiliate program of a VPN company.

Despite this potential for bias, the ongoing VPN speed test results listed at https://www.top10vpn.com/best-vpn/fastest-vpn/ and https://www.top10vpn.com/vpn-speed-test/ may be useful. The results might be used as a starting point in assessing the potential speeds that you may experience when using some VPN services.

Privacy with respect to the VPN itself

You use a VPN service to protect the security and privacy of your data communication on the Internet, but the status of your privacy with the VPN matters too. VPN services differ greatly in regard to what identifying information about you they request for registration, payment, and use of the service.

The registration process

For registration, most VPNs require an email address, but some may additionally require a physical location address, a phone number, etc. A very few VPNs do not request any personal information for registration. For example, Mullvad, a VPN service well-known for its privacy, merely assigns each new user a random 16-digit number during the registration process. Thereafter, that number serves as the user-id for the payment process and use of the VPN service. No identifying information is requested from the user whatsoever.

The payment process

Payment anonymity/privacy also varies between VPN services. According to the “Detailed VPN Comparison Chart” by “That One Privacy Guy,” in 2019 there were just five VPNs (of the 185 VPNs on the chart) that optionally accepted cash payments. (Cash is perhaps the “ultimate” anonymous payment method.) There were another five VPNs (different from the five “cash” VPNs) that optionally accepted relatively anonymous gift cards for payment. Many VPNs accept cryptocurrency payments, which, with a bit of effort, can be anonymized.

Using the VPN service

Relative to your privacy when using the VPN service once you have registered and paid for it, refer to the earlier article in this series about the logging practices of VPNs.

As you search for a trustworthy VPN service to use, be absolutely certain to read the “privacy policy” and “terms of service” notifications that are posted on the website of the VPN. Doing so can make for rather boring reading, but not paying attention to these documents can put your privacy at risk!

Contradictions relative to a VPN’s stated logging policies and information-sharing can sometimes be found in these documents. (I find it rather dismaying that most VPN services have the need to use the standard heavy-duty legalese in these documents. Although extremely rare, I have found a VPN or two that refreshingly avoids all the legal word-play. Nice!)

Abuse of trackers and cookies

Finally, make note of how many “cookies” and “trackers” a VPN employs on its website. Refer again to the “Detailed VPN Comparison Chart” by “That One Privacy Guy.” When that data was compiled, one of the VPN services was noted to use 43 cookies and 17 trackers when the VPN’s website was viewed! Is this a signal of a trustworthy VPN? In my opinion, the fewer website cookies and trackers, the better.

Concerns about this practice of using privacy-invading trackers and cookies by VPNs and my more recent testing of cookies and trackers employed by VPN websites were presented in the earlier article of this series, titled “Trustworthiness of VPNs.” The relevant section of that article is “Cookies and trackers on VPN websites.”

I have produced a color-coded table of the full results of my tracker and cookie testing of 50 VPN services. Please see the “Trackers and cookies on VPN websites” section of the “VPN Series Appendices” page to view that table.

Cost and marketing

It costs a company a fair amount of money to provide a quality security/privacy-oriented VPN service. You should expect to have to pay for that quality.

All “free” VPN services are, in some (possibly nefarious) way, making money from your use of that service. They will likely monetize your use by compromising your privacy, so avoid them!

Take note of how a VPN service markets itself on its own website. My trust in a certain popular VPN is significantly adversely affected when, each and every time I visit their website, an animated count-down graphic appears that implies that I have “00 days : 09 hours : 38 minutes : 20 seconds” to take advantage of their $2.99 a month pricing! Yet, later that same day, the exact same timer appears, and likewise the next day, ad infinitum! This marketing trickery does not signal trustworthiness.

Trust is also not instilled in me when I see a VPN quote a relatively high one-month subscription price of $12 per month that drops to just $7 per month for a one-year plan and $3 per month for a 3-year plan, implying a “savings” of 75%! Artificially inflating the base one-month price is not a marketing tactic that signals trustworthiness and honesty. Yet this is a common practice of many VPN services.

Some VPNs will offer a time-limited free trial, though they require you to register fully with the VPN (including providing payment information) to qualify for the free trial. A few VPNs do not require full registration to take advantage of their free trial offer. Other VPNs may offer a “money-back guarantee” instead of a free trial.

Prices vary, and we all want a “good deal,” but I would recommend that you don’t become preoccupied over a savings of $25 over the course of a full year. After all, that’s only $2 a month. Consider the cost of a VPN, but do not let the fee be an overriding factor when you entrust a VPN with your Internet security and privacy.

Access to services

How easily and quickly a VPN user can access and use the encrypted tunnel to the Internet that the VPN provides is important. There are several factors affecting access:

Number of Servers
• The actual number of servers a VPN provides is less important than the customer to server ratio. E.g., a VPN with 500 servers and 500,000 customers (with a ratio of 1 server per 1000 customers) may well provide slower speeds due to congested servers as compared to a VPN with 200 servers but only 100,000 customers (with a ratio of 1 server per 500 customers).

Global Coverage
• A VPN must have server locations in a variety of countries in order to provide adequate secrecy and privacy. (In many circumstances, a VPN user needs to “appear” as if Internet access is from a different geolocation than the location in which they are actually using an Internet connected device.) Having server locations in every single country on earth is not necessary, but certainly a VPN should have servers in multiple countries. Furthermore, there should be at least some servers located in countries other than “5, 9 and 14 Eyes countries.”

Simultaneous concurrent connections
• A VPN customer will often only be actively accessing the Internet from one device at a time. However, it would not be uncommon for one to want to have multiple devices readily available that are configured to use the VPN, i.e. without having to turn the VPN back “on” for that device. Thus, it is advantageous to have a VPN service that allows multiple VPN connections at the same time.

There are many VPNs that only allow one connection to their service at a time. Based on how I use my Internet-connected devices, this restriction would be utterly inadequate for me. I regularly use a desktop computer, a portable computer, an iPad, and an iPhone. At least three of these are used every day with the VPN enabled on each device. Hence, for my personal use, the VPN service would require at least three or four simultaneous connections. Under such a policy, I would not have to worry about my other devices using the VPN in the background while I am actively connected to the Internet via the VPN on the device currently at hand.

So, as a rule of thumb, calculate how many devices you have that will use a VPN, add 1 to that number (to provide a buffer), and find a VPN service that allows at least that many total simultaneous connections. (You should be able to find the policy regarding simultaneous connections on the VPN’s website.)

Does the VPN limit bandwidth, throttle connections, or restrict services?

Avoid VPNs that impose bandwidth restrictions unless the bandwidth restrictions are clearly very high and intended only to allow the provider to police people abusing the service.

Finally, read the fine print to see if there are any restrictions on the protocols or services you wish to use the service for. If you want to use the service for file sharing, read the fine print to ensure your file sharing service isn’t blocked.

(from https://www.howtogeek.com/221929/how-to-choose-the-best-vpn-service-for-your-needs/)

Some VPNs will purposely slow your connection speed, limit the total amount of data that you send and receive in a given period of time, or disallow access to certain Internet services, such as peer-to-peer file sharing or connection to email servers. Be sure to “read the fine print” on the website of the VPN service under consideration to be certain that the VPN will meet your needs and expectations.

Summary

Some of these “other” factors in choosing a VPN can easily be evaluated, like its fee structure. Other factors are more difficult to ascertain and will require some time and effort on your part to obtain adequate information. As noted previously, a useful reference of unbiased information about VPNs is the “Detailed VPN Comparison Chart” by “That One Privacy Guy.” I strongly recommend you download a copy of that detailed chart and peruse it.

In the next article of this “Choosing a Trustworthy VPN” series, titled “Defining Your Threat Model”, we’ll examine what level of security and privacy you require from your VPN as you use the Internet.