Signals of Trustworthy VPNs
First published: April 2019. Latest revision: November 2019.
This is a continuation of my previous article, “Can You Trust VPN Provider Companies?” In this article, we’ll examine the findings of an independent organization that will help us evaluate the trustworthiness of VPNs.
About the Center for Democracy & Technology (CDT)
The Center for Democracy & Technology (CDT) is a non-profit organization that is working “to preserve the user-controlled nature of the internet and champion freedom of expression.” They seem to me to be a legitimate, independent online resource that is indeed, as they state, in “support (of) laws, corporate policies, and technology tools that protect the privacy of internet users.”
I have every confidence that CDT is a bona fide “friend” of Internet users like you and me who are concerned with privacy. It appears to me that they are not interested in promoting any VPN company over another and I believe them when they state that “CDT is interested in advancing better privacy and security practices by providers of virtual private networks, or VPNs.”
Based on that last sentence, CDT should be a valuable ally in our quest to find trustworthy VPN services. In fact, a recent CDT initiative may well prove to be crucial to the pursuit of trustworthy VPNs. Let’s examine what CDT has been doing…
The CDT VPN Questionnaire Project
During the 2018 RightsCon conference, CDT convened a discussion with four VPN providers: IVPN, Mullvad, TunnelBear, and VyprVPN. (RightsCon is an annual conference about human rights in the digital age.) A conclusion of this discussion was that the VPN industry faces a “trust deficit.” (This sentiment exactly matches what I’ve been trying to imply in my last couple of articles.)
After the conference, CDT and the four VPNs (and also ExpressVPN) developed a “Signals of Trustworthy VPNs” questionnaire for VPNs that was designed to “signal basic commitments” relative to the VPN’s trustworthiness and positive reputation.
Let’s examine the first portion of the questionnaire: “Corporate accountability.” That section includes three questions for the VPNs.
Question 1: “What is the public facing and full legal name of the VPN service and any parent or holding companies?”
If we are to trust a VPN, knowing “who’s running the show” is important information. Consider these VPN services: “Sprint Secure Wifi,” “Verizon Safe VPN” and “AT&T Secure Wifi VPN.” In this case it’s obvious that these VPNs are run by three big Telecoms. Would you trust them with your private data? Not me!
At least these three services aren’t trying to hide the true nature of their VPNs. Here’s one that’s not so obvious: “Onavo Protect.” This VPN was apparently originally developed by an Israeli security company that was subsequently bought out by Facebook. That fact is well-hidden, however, along with the fact that the VPN shares data with its parent company. Yes, you read that right: the VPN shares data with Facebook! Is this a trustworthy VPN? It most certainly is not for me.
There are also VPNs that flat-out will not provide leadership and/or ownership information. A blatant example is NordVPN, which receives a lot of VPN review attention and is apparently fairly popular. However, you won’t be able to find out who is really running NordVPN…
Why is NordVPN hiding the identities of its owners and operators? They claim that, “Being a security firm, for privacy reasons we do not disclose identities of our staff nor management.” Well, I would ask of NordVPN, “How come scores of other VPN services are willing and able to release this sort of information?” I’d also ask, “What are you trying to hide?”
We really should be able to determine who is behind the scenes at NordVPN, yet that information remains hidden. Does this policy of NordVPN instill a sense of trustworthiness? Once again, not for me!
Question 2: “Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?”
Although I can’t prove it, I suspect many of the VPN “review” websites are owned and operated by a few of the large VPN providers. They have the money to pay for good reviews, comments, testimonials, and all sorts of other shill activity.
If the above-stated “suspicion” is actually true, this is a deplorable situation. For a VPN provider to operate a VPN review website and control the VPN reviews on that website is more than just a conflict-of-interest; it is abhorrent and absolutely untrustworthy behaviour.
I have not found definitive reports of VPNs that own VPN review websites. Perhaps this occurs through related “shell companies” of the kind NordVPN seems to be involved with. (See the quoted material under Question 1 above.)
Question 3: “What is the service’s business model (i.e., how does the VPN make money)?”
Following are some examples of how some untrustworthy VPNs make money… Yikes!
- free/cheap VPNs that collect user data and sell it to third parties and advertisers (e.g. Hotspot Shield VPN and the “free” VPN built into the Opera browser)
- VPNs that inject ads into browser pages or redirect your browser to third-party websites that pay commissions to the VPN (e.g. Hotspot Shield VPN)
- VPNs that offer a “lifetime” subscription that is cancelled under the terms of the “fine print” that you didn’t read
- VPN “Ponzi-like” schemes, which economically depend on ever-increasing rates of new subscribers and are unsustainable
- VPN apps that carry malware (found to be quite prevalent among Android VPN apps)
- VPNs that usurp the network bandwidth of their users and resell that bandwidth to others (e.g. Hola VPN and VPNSecure)
These are all examples of untrustworthy VPN practices that the third question of the CDT questionnaire, if answered truthfully, is designed to reveal.
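The ad-injection behaviour in the list above is one of the few items you can check for yourself rather than take on trust. The following Python script is an added example (not code from the original article or from CDT) of one way to do so: fetch the same plain-HTTP page once over a connection you control and once through the VPN under test, save both copies, and compare the set of external hosts each copy asks the browser to load. Raw byte comparison is too noisy (CSRF tokens, timestamps, nonces), so the script compares resource origins instead. The page URL, hostnames and HTML below are constructed for the example, not real captures.

```python
"""Detect third-party resources injected into a plain-HTTP page by a VPN.

Added example, not part of the original article or of CDT's questionnaire.
Assumes you have two saved copies of the same plain-HTTP page: a reference
copy fetched over a connection you control, and a copy fetched through the
VPN under test. Only plain HTTP can be rewritten in transit; a VPN cannot
alter HTTPS responses without breaking the certificate chain, so a
difference on an HTTPS page points at a client-side component (the VPN
app or a browser extension) rather than network injection.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch from, or navigate to, another origin.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "a": ("href",),
    "form": ("action",),
}


class ResourceCollector(HTMLParser):
    """Collect absolute resource URLs and count inline <script> blocks."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []
        self.inline_scripts = 0
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # Resolve relative and protocol-relative ("//host/x") URLs.
                self.urls.append(urljoin(self.base_url, value))
        if tag == "script":
            self._in_inline_script = "src" not in attrs

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def page_profile(html, page_url):
    """Return (set of external hosts referenced, number of inline scripts)."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname
        if host and host != own_host:
            hosts.add(host.lower())
    return hosts, parser.inline_scripts


def injected_hosts(reference_html, vpn_html, page_url):
    """Hosts referenced only by the VPN copy, plus any extra inline scripts.

    Hosts already present in the reference copy (the site's own CDN or
    partners) are not flagged; only origins the VPN copy adds are.
    """
    ref_hosts, ref_inline = page_profile(reference_html, page_url)
    vpn_hosts, vpn_inline = page_profile(vpn_html, page_url)
    return {
        "new_hosts": sorted(vpn_hosts - ref_hosts),
        "extra_inline_scripts": max(0, vpn_inline - ref_inline),
    }


# Constructed sample pages (hypothetical hosts, not real captures). The VPN
# copy differs by a rotating CSRF token, which must NOT be flagged, and by an
# injected script, inline script and tracking iframe, which must be.
PAGE_URL = "http://news.example.org/index.html"

REFERENCE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-static.net/app.js"></script>
</head><body>
<input type="hidden" name="csrf" value="a1b2c3">
<img src="/logo.png"><a href="https://partner.example.com/">Partner</a>
</body></html>"""

VPN_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-static.net/app.js"></script>
<script src="//ads.injector-example.net/inject.js"></script>
<script>window.__vpnAds = true;</script>
</head><body>
<input type="hidden" name="csrf" value="z9y8x7">
<img src="/logo.png"><a href="https://partner.example.com/">Partner</a>
<iframe src="http://track.injector-example.net/pixel"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(injected_hosts(REFERENCE_HTML, VPN_HTML, PAGE_URL))
```

Run it against several different plain-HTTP pages and across several sessions: providers that inject content often do so selectively (only on some sites, only after a delay, or only for some exit servers), so a single clean comparison is not proof of a clean service. An empty result is a signal, not a verdict; the business-model answer to Question 3 is still what you want in writing.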
The beauty and utility of these three questions is that the answers will indeed reveal much about a VPN’s trustworthiness. VPNs that are truly trustworthy will show little hesitation in participating in the CDT-sponsored questionnaire. Having nothing to hide, a trustworthy VPN should have everything to gain and nothing to lose by answering these questions honestly and with full disclosure.
However, an untrustworthy VPN will likely avoid participation in the questionnaire as they will not want to admit to untrustworthy practices. Certainly a dishonest VPN could provide false answers, but that would be of great risk to them once the falsehoods were revealed. (The questionnaire answers are publicly available, and there are many internet privacy and security advocates out there who would love to detect and report on falsified answers by untrustworthy VPNs.)
So, only the most foolhardy of the “derelict” VPNs would be brash enough to try and get away with posting misleading or falsified information when answering these questions. Instead, it’s more likely that untrustworthy VPNs will simply avoid participating in the CDT questionnaire and hope nobody notices their non-participation.
Well, we’ve noticed…
CDT states that “We have encouraged VPN providers to make their answers, and other resources, easily available on their websites under the heading of ‘Signals of Trustworthy VPNs’ to facilitate easier comparison” and that “any VPN that does not put this information front and center is problematic.” Furthermore, CDT has published the unedited answers to the questionnaire provided by VPNs (as of October 17, 2018). Those answers can be found here: https://cdt.org/insight/unedited-answers-signals-of-trustworthy-vpns/.
As of April 2019, the VPNs that have already responded to the “Signals of Trustworthy VPNs” questionnaire and have had their answers posted are:
- Invincibull VPN
The above VPNs, by participating in the CDT questionnaire, are indeed providing us “Signals of Trustworthy VPNs,” as the questionnaire’s name suggests. They are willing to put their reputation “on the line.” (This is not to say that these VPNs are necessarily completely faultless, trustworthy and honest, but rather that they are more likely to provide trustworthy service to the average VPN user than non-participating VPNs.)
One would hope that many other VPNs will choose to participate in the CDT questionnaire. The first answers to the questionnaire were provided by five VPNs in October 2018. Now that the questionnaire has been out for over a year, lack of participation can no longer be excused. The non-participation of numerous VPNs in the CDT questionnaire should raise concerns about the trustworthiness of those VPNs.
We’ve presented and discussed the first portion of the “Signals of Trustworthy VPNs” project of The Center for Democracy & Technology (CDT). A VPN’s answers to these questions (or avoidance of the questions) can shed light upon the trustworthiness of that VPN.
In the next article of this series, “Logging by VPNs,” we’ll examine the problematic practice by some VPNs of saving their customers’ Internet connection information, and we’ll review the “Data ‘Logging’ Practices” section of CDT’s “Signals of Trustworthy VPNs” questionnaire.