Trustworthiness of VPNs
First published: January 2019. Latest revision: November 2019.
In my earlier article “Can You Trust VPN Review Sites?” I stated that, after some investigation, I came to the conclusion that, in general, VPN review sites should not be considered to be credible and trustworthy.
So, if you can’t trust the VPN review sites, can you at least trust the VPN service company itself? After all, that’s what really matters: trusting the VPN to keep your internet usage (metadata) and transmitted/received information (data) private.
Let’s again start with a few quotes from sources that I have come to respect:
There are hundreds of VPN providers out there, and with growing concerns about online privacy—including ISPs potentially selling your browsing data to advertisers… — competition is fierce and often quite nasty… Because I’ve seen so many dubious and downright misleading claims out there, I caution you to be extremely circumspect when choosing a provider.
(from Kissell, Joe. Take Control of Your Online Privacy, Third Edition. TidBITS Publishing Inc., 2017)
Unfortunately, I’ve found that many VPNs are misleading people with false marketing claims, sales gimmicks, and various scams. And because VPNs are often located in overseas jurisdictions, they will probably never be held accountable for dishonest marketing and/or outright fraud.
This final quote is lengthy, but it should be read carefully.
No matter what reason you want a VPN, you want to know that the service you choose is trustworthy and is not compromising your data.
As a lawyer represents your legal interests, a VPN service (among others) represents your privacy interests. If a lawyer does something to violate your trust or is not honest about some aspect of their representation that could affect you, you would discard them and you’d be right to do so. Likewise with a VPN service. There are many out there that are not worth your time or money. Unlike a lawyer, a VPN can be put together and promoted by anyone with access to a computer, the key difference being that you would never even see their face.
If you are looking for a VPN for privacy purposes, you already believe you cannot trust certain parties. Those parties might be companies whose websites you visit or maybe even an oppressive government whose mass surveillance is encroaching on your rights. You are being put in a position where you must rely on someone other than yourself for protection and the last thing you need is one more party that you can’t trust.
This decision is an important one, and not just any VPN service is worthy of that trust. You’re trusting them to know what they’re doing – to be able to operate a competent service that will protect your privacy. You are trusting them to be responsive to new technical and geopolitical threats to their operation. You’re trusting them to be honest with you in the way they do business so that when you are shopping and comparing, you are getting accurate information.
Thus, just as some sources warned that VPN review sites should not be implicitly trusted, we now see warnings about trusting VPN companies.
Evaluating the trustworthiness of a VPN company
So, how can one evaluate the trustworthiness of a VPN provider company? To do this definitively can be rather difficult. The potential user of a VPN service can’t prove that a VPN is truly completely trustworthy. However, we can discover bits and pieces of evidence that prove or at least imply that a VPN might be untrustworthy, and if a VPN is untrustworthy, then it obviously can’t be trustworthy. Thus, a potential user of VPN services can at least narrow down the list of VPN companies that are under consideration by eliminating those companies that show signs of untrustworthiness.
Let’s focus for a moment on a limited aspect of VPN companies: their marketing behavior and ethics. Recall the final sentence of the third above-quoted source: “You’re trusting them to be honest with you in the way they do business so that when you are shopping and comparing, you are getting accurate information.”
Lack of honesty of VPNs with their affiliates
As an addendum of sorts to my earlier article, let’s start with the relationship that a VPN company has with its affiliates. Recall from my previous article that a VPN affiliate is typically a VPN review site that receives a “commission” from a VPN company when a customer ends up subscribing to the VPN upon having been referred by the “affiliate.”
A VPN company markets itself to you, the potential subscriber of the VPN service, but a VPN company also markets itself to potential affiliates. Here are a few snippets of such marketing by VPNs to affiliates, as copied from the VPN’s web pages for affiliates:
- Ivacy VPN
“Get the best commission rates in the market by promoting the most advanced VPN service.”
“We pay the best commissions in the industry. Our commission structure is flexible: The more sales you drive, the more we pay.”
“The most competitive earnings in the industry – up to 100% in commissions”
“… the exclusive platform used to bring IPVanish affiliates the best VPN commission rates in the industry.”
Hmm, I thought there could only be one “best!” Yet here we supposedly have four “best.” So at least three (and perhaps all four) of the above VPNs would seem to be lying to their potential affiliates.
If a VPN lies to their potential affiliates, they may also be dishonest to their potential customers, i.e. you and me.
Untrustworthy VPNs don’t bother to “police” their affiliates
Let’s look further into the relationship of VPNs to their affiliates. The US Federal Trade Commission (FTC), in its Endorsement Guidelines, states that an affiliate should disclose their relationship to the retailer clearly and conspicuously on their website.
In my opinion, if a VPN does not require their affiliates to make this disclosure, the VPN is implicitly condoning dishonesty by their affiliates.
How many VPN companies that have affiliate programs require that affiliates follow this guideline and provide full disclosure?
The mind-numbing task of compiling that information has been performed and provided by https://thatoneprivacysite.net, which provides information about nearly 200 VPNs. Of those VPNs, 112 are listed as having affiliate/reseller programs. Only seven VPN services of those 112 require that their affiliate/reseller provide full disclosure of the VPN to affiliate relationship as per the FTC Endorsement Guidelines! (I compiled this data in January 2019.)
The seven “good guy” VPNs that have affiliate programs and “pass” this test (i.e., they do require full closure by their affiliates) are:
- Private Internet Access
Notable VPNs of the 105 that, according to the list, do not require full disclosure by their affiliates include:
In my opinion, VPNs that do not require full disclosure by their affiliates should be considered to be untrustworthy.
Although we have thus far concentrated on the issue of the dishonest business practices between VPN services and their affiliates, a more blatant sign of an untrustworthy VPN rises to our attention when a VPN service has a security breach and deals with the breach inappropriately.
One would reasonably expect that a VPN service would consider a security breach to be a potential disaster of the highest order and the mitigation of such a breach would be attended to “immediately, if not sooner,” commanding the foremost attention of the company’s technical staff with unparalleled urgency. Anything less than a fully committed response by a VPN service when dealing with a security breach must surely be a sign of untrustworthiness of that VPN.
NordVPN only just recently admitted to a security breach which initially began more than a year and a half ago. NordVPN claims to have known about the breach for “a few months.” (Two other VPN services, TorGuard and VikingVPN, may have also been breached at about the same time, but we’ll just focus on the NordVPN situation.)
As you may recall, as noted in the first article of this series, NordVPN is a service that pays its affiliates quite handsomely for customer referrals, is consequently highly rated by biased VPN review sites and controls a significant portion of the VPN market for individuals.
The NordVPN security breach was initially reported on October 21, 2019:
NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.
NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”
A senior security researcher we spoke to who reviewed the statement and other evidence of the breach, but asked not to be named as they work for a company that requires authorization to speak to the press, called these findings “troubling.”
“While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems,” the security researcher said. “That should be deeply concerning to anyone who uses or promotes these particular services.”
“They spent millions on ads, but apparently nothing on effective defensive security,” the researcher said.
(bold emphasis added by me)
Breach happened 19 months ago. Popular VPN service is only disclosing it now.
Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base.
VPN security experts commented on the situation:
… this incident and NordVPN’s handling of it raises some serious questions about information security policies and standards at NordVPN.
(from Tweet on Oct. 21, 2019 by Will Stafach, founder/CEO of a company that produces a firewall app for iOS.)
(bold emphasis added by me)
… based on the dumped pastebins, the Nord VPN not-a-hacker had full remote admin on their Finland node LXC containers. That's God Mode folks. And they didn't log and didn't detect it. I'd treat all their claims with great skepticism.
(from Tweet on Oct. 21, 2019 by Kenn White, a co-director of the Open Crypto Audit Project.)
(bold emphasis added by me)
VPNs are a shadowy world. We use them to protect our Internet traffic when we're on a network we don't trust, but we're forced to trust the VPN instead. Recommendations are hard. NordVPN's website says that the company is based in Panama. Do we have any reason to trust it (NordVPN) at all?
(from NordVPN Breached in a blog by Bruce Schneier, an internationally renowned security technologist.)
(bold emphasis and parentheses added by me)
After reviewing these reports, I have come to hold the opinion that NordVPN is a VPN service provider that is not trustworthy.
We’ve found that the honesty and ethics of the relationship of a VPN with its affiliates can provide information about the trustworthiness of a VPN company.
Also, we’ve presented a disturbing example of how the the trustworthiness of a well known VPN service has been impeached as a result of the manner in which the VPN service handled a recent security breach.
We’ll examine more indications of trustworthy VPNs in the next article in this series, titled “Signals of Trustworthy VPNs.”