A Macintosh Resource Site
for the Milwaukee Metro Area


Signals of Trustworthy VPNs

First published: April 2019. Latest revision: March 2023.

Introduction

This is a continuation of my previous article, “Trustworthiness of VPNs.” In this article, we’ll examine the findings of an independent organization that will help us evaluate the trustworthiness of companies providing VPN services.

About the Center for Democracy & Technology (CDT)

The Center for Democracy & Technology (CDT) is a non-profit organization that is working “to preserve the user-controlled nature of the internet and champion freedom of expression.” They seem to me to be a legitimate independent online resource that is indeed, as they state, in “support (of) laws, corporate policies, and technology tools that protect the privacy of internet users.”

I have every confidence that CDT is a bona fide “friend” of Internet users like you and me who are concerned with privacy. It appears to me that they are not interested in promoting any VPN company over another, and I believe them when they state that “CDT is interested in advancing better privacy and security practices by providers of virtual private networks, or VPNs.”

Based on that last sentence, CDT should be a valuable ally in our quest to find trustworthy VPN services. In fact, a recent initiative by the non-profit and independent CDT may well prove to be crucial to the pursuit of trustworthy VPNs. Let’s examine what CDT has been doing…

The CDT VPN Questionnaire Project

During the 2018 RightsCon conference, CDT convened a discussion with four VPN providers: IVPN, Mullvad, TunnelBear, and VyprVPN. (RightsCon is an annual conference about human rights in the digital age.) A conclusion of this discussion was that the VPN industry faces a “trust deficit.” (This sentiment exactly matches what I’ve been trying to imply in my last couple of articles.)

After the conference, CDT and the four VPNs (and also ExpressVPN) developed a “Signals of Trustworthy VPNs” questionnaire for VPNs that was designed to “signal basic commitments” relative to the VPN’s trustworthiness and positive reputation.

Let’s examine the first portion of the questionnaire: “Corporate accountability.” That section includes three questions for the VPNs.

Question 1: “What is the public facing and full legal name of the VPN service and any parent or holding companies?”

If we are to trust a VPN, knowing “who is running the show” is important information. Consider these VPN services: “Sprint Secure Wifi,” “Verizon Safe VPN,” and “AT&T Secure Wifi VPN.” In this case, it’s obvious that these VPNs are run by three big telecoms whose privacy credibility is questionable. Would you trust them with your private data? Not me!

At least these three services aren’t trying to hide the true nature of their VPNs. Here’s one that’s not so obvious: “Onavo Protect.” This VPN was apparently originally developed by an Israeli security company that was subsequently bought out by Facebook. That fact is well-hidden, however, along with the fact that the VPN shares data with its parent company. Yes, you read that right—the VPN shares data with Facebook! Is this a trustworthy VPN? It most certainly is not for me.

There are also VPNs that flat-out will not provide leadership and/or ownership information. A blatant example is NordVPN, which receives a lot of VPN review attention and is apparently fairly popular. However, you won’t be able to find out who is really running NordVPN…

Why is NordVPN hiding the identities of its owners and operators? They claim that, “Being a security firm, for privacy reasons we do not disclose identities of our staff nor management.” Well, I would ask of NordVPN, “How come scores of other VPN services are willing and able to release this sort of information?” I’d also ask, “What are you trying to hide?”

We really should be able to determine who is behind the scenes at NordVPN, yet that information remains hidden. Does this policy of NordVPN instill a sense of trustworthiness? Once again, not for me!

Question 2: “Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?”

Every week there are new VPN services being offered and dozens of fake reviews to tell you they are amazing…

All the way back in 2017, I explained how some “VPN review” sites are probably operated by VPN services themselves. Well, this prediction has come true. Below are two examples where the “review” website and the VPN are owned by the same company.

The parent company of PCMag (J2 Global) is buying up VPNs, to include StrongVPN and now IPVanish. They recommend IPVanish in their various “best VPN” guides, a trend I first reported in 2017. PCMag is a large publisher of digital content and owns many different websites discussing VPNs.

I wrote a report on this issue in 2021 after a major player in the VPN industry bought up a collection of review websites, and then promptly changed the recommendations. In this case, the parent company was Kape Technologies, which owns CyberGhost, Private Internet Access, and Zenmate VPN services. Kape made news when it purchased a company called Webselenese, which runs vpnMentor and Wizcase, two prominent VPN review websites.

Shortly after the purchase, I pointed out how the VPN rankings coincidently changed, with Kape Technologies’ own VPNs (PIA and CyberGhost) getting a boost in the rankings…

(from https://restoreprivacy.com/vpn-scams/)

These are deplorable situations. A VPN review website that owns a VPN provider and controls the reviews of that provider is more than just a conflict of interest; it is abhorrent and absolutely untrustworthy behavior. Likewise, it is detestable for a parent company to own VPN services and also own the VPN review sites that “review” those services.

Question 3: “What is the service’s business model (i.e., how does the VPN make money)?”

The following are some examples of how some untrustworthy VPNs make money… Yikes!

(from https://restoreprivacy.com/vpn-scams/ and https://restoreprivacy.com/vpn-warning-list/)

  • free/cheap VPNs that collect user data and sell it to third parties and advertisers (e.g. Hotspot Shield VPN and the “free” VPN built into the Opera browser)

  • VPNs that inject ads into browser pages or redirect your browser to third party websites that pay commissions to the VPN (e.g. Hotspot Shield VPN)

  • VPNs that offer a “lifetime” warranty that is cancelled under the terms of the “fine print” that you didn’t read

  • VPN “Ponzi-like” schemes, which economically depend on ever-increasing rates of new subscribers and are unsustainable

  • VPN apps that carry malware (found to be quite prominent in Android phone VPN apps)

  • VPNs that usurp the network bandwidth of their users and resell that bandwidth to others (e.g. Hola VPN and VPNSecure)

These are all examples of untrustworthy activities of a VPN that the third question of the CDT questionnaire, if answered truthfully, is designed to reveal.

Questionnaire answers

The beauty and utility of these three questions is that the answers will indeed reveal much about a VPN’s trustworthiness. VPNs that are truly trustworthy will show little hesitation in participating in the CDT-sponsored questionnaire. Having nothing to hide, a trustworthy VPN should have everything to gain and nothing to lose by answering these questions honestly and with full disclosure.

However, an untrustworthy VPN will likely avoid participation in the questionnaire as they will not want to admit to untrustworthy practices. Certainly, a dishonest VPN could provide false answers, but that would be of great risk to them once the falsehoods were revealed. (The CDT questionnaire answers are publicly available, and there are many internet privacy and security advocates out there who would love to detect and report on falsified answers by untrustworthy VPNs.)

So, only the most foolhardy of the “derelict” VPNs would be brash enough to try and get away with posting misleading or falsified information when answering these questions. Instead, it’s more likely that untrustworthy VPNs will simply avoid participating in the CDT questionnaire and hope nobody notices their non-participation.

Well, we’ve noticed… VPNs are avoiding the CDT questionnaire en masse.

CDT stated that “We have encouraged VPN providers to make their answers, and other resources, easily available on their websites under the heading of ‘Signals of Trustworthy VPNs’ to facilitate easier comparison” and that “any VPN that does not put this information front and center is problematic.” Furthermore, CDT has published the unedited answers to the questionnaire provided by VPNs (as of October 17, 2018). Those answers can be found here: https://cdt.org/insight/unedited-answers-signals-of-trustworthy-vpns/.

As of April 2019, the VPNs that had already responded to the “Signals of Trustworthy VPNs” questionnaire and have had their answers posted are:

    👍 👍
  • ExpressVPN
  • IVPN
  • Mullvad
  • TunnelBear
  • VyprVPN
  • Invincibull VPN

The above VPNs, by participating in the CDT questionnaire, are indeed providing us with “Signals of Trustworthy VPNs,” as the name of the questionnaire suggests. They are willing to put their reputation “on the line.” (This is not to say that these VPNs are necessarily completely faultless, trustworthy, and honest, but rather that they may be more likely to provide trustworthy service to the average VPN user than other non-participating VPNs.)

One would hope that many other VPNs will choose to participate in the CDT questionnaire. The first answers to the questionnaire were provided by five VPNs in October 2018. Now that the questionnaire has been out for well over four years, a lack of participation can no longer be excused.

The lack of participation of numerous VPNs in the CDT questionnaire should raise concerns about the trustworthiness of those VPNs.

Summary

We’ve presented and discussed the first portion of the “Signals of Trustworthy VPNs” project of The Center for Democracy & Technology (CDT). A VPN’s answers to these questions (or avoidance of the questions) can shed light on the trustworthiness of that VPN.

In the next article of this series, “Logging by VPNs,” we’ll examine the problematic practice by some VPNs of saving their customers’ Internet connection information, and we’ll review the “Data ‘Logging’ Practices” section of CDT’s “Signals of Trustworthy VPNs” questionnaire.