
Are you sure you can trust your VPN?

Today, virtual private networks are a mandatory attribute of privacy. But try to determine which ones really make your life safer.




Everyone gives this advice, from Consumer Reports magazine to the New York Times and the Federal Trade Commission: if you want your actions on the web to remain private and secure, consider using a virtual private network, or VPN.

A VPN encrypts Internet traffic and redirects it through remote servers, protecting your data (browsing history, downloads, chat messages) and masking your location. VPN services have long been popular with hackers and pirates, and they were bound to become a mass phenomenon, like ad blockers before them, as the average Internet user takes privacy more seriously. It is difficult to find reliable data on their use; however, two VPN services recently made it into the 30 most popular applications in the Apple App Store, beating such serious players as Lyft, PayPal and Yelp. One analysis of this industry estimated that VPN use quadrupled from 2016 to 2018, and the Global Market Insights forecast suggests that the VPN market in the USA will grow to $54 billion by 2024.

So maybe I should get a VPN? After all, I write articles on technical topics, and I know very well how groundless our assumptions about online privacy are. I occasionally connect to unsafe WiFi networks at airports or coffee shops, and although I have never downloaded pirated movies, I do sometimes bypass geographical restrictions on web content. I definitely don't like the idea of trusting my ISP, Verizon, with the full details of the pages I view. And yet, for many years, I resisted the urge to subscribe, or even to thoroughly understand the technology that many privacy and security experts consider necessary for safe browsing.
However, when I went in search of a suitable VPN, I ran into an uncomfortable problem: how to determine which of the many VPN providers to trust.

The search for a trustworthy VPN pushed me onto a winding path leading through accusations and counter-accusations, past companies with opaque management and conflicts of interest, and past VPN rating sites that themselves look even more suspicious than the companies they review. Many VPNs seem to be a clear scam. Others make Internet access slow. Free versions flood you with ads. This is such a tangled world that even leading companies and experts cannot agree on what constitutes a good reputation for a service, not to mention which companies fit this description.

The director of one of the largest VPN companies, AnchorFree, based in Silicon Valley, told me in a telephone interview that he suspects that one of his main rivals is secretly located in China - and this would immediately raise objections from privacy advocates because of the aggressive surveillance carried out by the Chinese regime. One of the directors of this competitor, ExpressVPN, insisted that this was not the case, although he refused to disclose the location of the company's owners and their identities. The company is registered in the Virgin Islands. He argues that such secrecy is even a good thing, because governments cannot pressure ExpressVPN's administrators and demand that they hand over user data if they do not know who they are and where they are. And many users in the US really do prefer foreign VPN providers to US ones.

AnchorFree itself is criticized for being a free VPN funded by advertising, which is why some experts have expressed concerns about the conflict of interest this creates (the company also provides paid services). Both companies point to competing reviews of how trustworthy these firms are, each of which, owing to a different methodology, leans in favor of the company that promotes it.

“The number of competing advertisements for these companies is simply overwhelming,” said Joseph Jerome, who studied VPNs in detail in his role as a policy consultant for the Privacy and Data project, organized by the Center for Democracy and Technology (CDT). “They instantly switch to knives.”

It is possible that AnchorFree, in alleging a Chinese origin for ExpressVPN, is simply trolling the company, but such a risk cannot be called fictional. On February 7, when I was working on this story, senators Ron Wyden and Marco Rubio called on the US Department of Homeland Security to begin investigating the risk that foreign governments are spying on Americans through VPNs.

I just wanted privacy on the Internet, and did not sign up for a knife fight.

* * *

VPNs work by redirecting your Internet connection through remote servers, hiding your location and making it difficult for websites to identify you. They also hide your Internet activity from your own Internet provider, which otherwise has access to almost everything that you do on the network - as does, say, a police agency that has obtained an order to examine your actions (or, to be completely paranoid, an intelligence bureau).

Although VPN services do not advertise this directly, you can use them to circumvent the laws of your own country or the restrictions of rights holders by connecting through servers located in another country. Access to entertainment content is the most popular reason for using VPNs worldwide, according to a 2018 GlobalWebIndex report. Other popular reasons include access to social networks and news in countries where they are blocked (VPNs are especially popular in China, despite their official ban) and maintaining privacy while browsing websites.

If you need a stronger reason for using a VPN: in 2017, the US Congress rejected a bill that was supposed to prohibit Internet providers from tracking and selling information about your online activity without your consent. In fact, your Internet provider can now freely mine your Internet habits for profit.

At the same time, the end of network neutrality in the United States opens up the possibility for providers to prohibit or restrict access to certain content or to charge you more money for access to it. A VPN can offer a way to circumvent such restrictions - although if VPNs become too popular, providers can try to ban VPNs themselves.

VPNs are not a new phenomenon. They date back to 1995, when Microsoft programmers developed a way for business customers to make an Internet connection safer. In the 2000s, they began to gain popularity among technology-savvy individuals as open source software helped reduce their cost and sensational hacks drew public attention to Internet security issues. AnchorFree was founded in 2005, ExpressVPN in 2009.

But only recently have VPN providers become very popular in the technology world. Their rise is driven by the spread of insecure public WiFi networks and by online content that is available in some countries and inaccessible in others. For example, the British could watch the 2012 Olympic Games free of charge on the BBC, while in the US they could only be watched on pay cable television. The popular VPN provider TunnelBear, founded in 2011, was bought in March 2018 by the computer security giant McAfee; the amount of the transaction was not disclosed. In September 2018, AnchorFree received an investment of $295 million, which was an unprecedented amount for a VPN startup. It has every chance of becoming the first VPN unicorn - a startup valued at $1 billion - if this has not already happened. AnchorFree director David Gorodyansky told me that as of February his company's VPN, Hotspot Shield, was being downloaded 400,000 times a day.

Now is the best time for a VPN boom. Which brings us back to this unpleasant problem of trust. If it is so difficult to assess the reliability of the loudest names in the industry, such as AnchorFree and ExpressVPN, then imagine how difficult it would be to evaluate the whole host of lesser-known alternatives. A top10VPN site survey in January reported that more than half of the top 20 most popular VPN applications in the iOS and Android stores are either owned by the Chinese or are located in China. This is all the more suspicious considering that VPNs were officially banned in China last year. If China allows them to continue to work, perhaps this is due to their cooperation with the Chinese government.

When you use a VPN, you give the service the same deep level of trust that usually goes to your ISP. That is, the service now knows what you do when you use the Internet. These services may focus more on privacy than larger Internet service providers, but they are also smaller, less transparent and less publicly accountable.



And although any VPN provider will swear to you that it cares most of all about your personal privacy, some of them tend to point the finger at their competitors and say that those cannot be trusted.

* * *

So how to choose? One could start with the largest provider - but it's almost impossible to know which one that is. Most of the largest firms are private and do not disclose the size of their user base. The easiest way to become a large VPN provider is to offer free services, usually supported by advertising, and this makes things even worse. Free VPNs also usually limit traffic and geography. Many experts will say that it is worth staying away from such services, since in this case the interest in maintaining privacy conflicts with the interest in showing users targeted advertising.

AnchorFree, which offers the free version of Hotspot Shield to Android users, says that, to resolve this conflict, users are shown only Google's general advertising, which does not use AnchorFree user data. Advertising appears periodically when using the application, and it has to be viewed in order to continue browsing websites. In the free version of Hotspot Shield for iOS there is no advertising, but traffic is limited and connections are allowed only through servers in the USA.

What about the VPN with the best reviews? There are dozens of review sites, their reviews often contradict each other, and the criteria are not always transparent. Two of the most respected sites that publish VPN reviews, PCMag and CNET, gave the Panama-based service NordVPN the best ratings, positively assessing its speed, ease of use and privacy-related functions. The other two, Wirecutter and Tom's Guide, found NordVPN slow and full of errors. And, like ExpressVPN, NordVPN is trying very hard to hide the true owners of the service. As noted in Tom's Guide, the company is a subsidiary of the Panamanian holding Tefincom SA, which, apparently, is a shell company. And, as in the case of ExpressVPN, excuses can be found for this anonymity.

ExpressVPN ranks first in at least two of the rankings that appear on the first pages of Google search results, TechRadar and TheBestVPN.com. Both sites emphasize the service's good speed and usability; neither mentions that the owners of the service are hidden.

Gorodyansky, director of AnchorFree, has an idea about why his service does not soar in the ratings. Many sites with VPN reviews earn money from affiliate links, receiving a small commission for each registered user who has come to the provider through these links. “These sites have no motivation to tell the truth,” he says. He claims that they either lower the rating of the Hotspot Shield service or simply ignore it, since they cannot earn money by recommending a free service.

Harold Lee, vice president and sole public face of ExpressVPN, defends his company's secrecy, arguing that the company ranks among the best in this area not despite its opacity, but because of it. He says that this is a matter of both job security and personal privacy. Is it any wonder that people who created one of the best virtual private networks back in 2009 would carefully guard the secret of their own identities?

Lee himself works in Hong Kong, outside the mainland Chinese "Great Firewall", and does not have to obey burdensome Internet censorship. The ExpressVPN team is scattered around the world, says Lee, and all claims that they are based in mainland China or are associated with the Chinese government are incorrect. “If people rush to unsubstantiated accusations, then what's the point of describing them,” he said. It is also worth noting that a VPN provider with dishonest intentions would offer a free service to attract more users. ExpressVPN, which costs from $8 to $13 per month, is one of the most expensive on the market and does not offer free versions, which adds to its credibility.

After the release of the original article, Lee sent a more detailed statement to the editor, denying any connection with the Chinese government. “ExpressVPN is inherently opposed to government censorship and surveillance, and our service every day helps many people in China and around the world bypass censorship,” it says. “For this reason, the Chinese government periodically tries to block our service and remove the application from the Chinese App Store. Any hints of our connection with the Chinese government are 100% false.”

To establish confidence in ExpressVPN, Lee suggested looking at its track record. He pointed to an international incident in which the company's data-handling practices were put to the test. In 2017, the Turkish government confiscated ExpressVPN servers as part of an investigation into the tragic murder of Russian Ambassador Andrei Karlov. The authorities hoped that the data would shed light on the communications of the Turkish public figure Fethullah Gulen, who was hiding in the United States and was suspected of the murder. However, there were no logs on the servers, which proves ExpressVPN's claim that the company does not keep records of user activities.

It is possible that protecting persons suspected of an international conspiracy should not count in a VPN provider's favor. Some members of the VPN industry believe that such facts underline the dubious side of a product that should be about online security, not about helping people get around the law.

When a VPN hides the identity of its owners and registers offshore, “this usually happens because the company violates the law,” says Francis Dinha, co-founder and director of OpenVPN, an open source service aimed at business customers. Dinha considered the accusations that ExpressVPN has ties to the Chinese government far-fetched, and said that the owners of the service are hiding most likely because their service is primarily intended for piracy or other illegal activities. From his point of view, a VPN should be used first of all for cybersecurity, not anonymity. He notes that a VPN will not prevent platforms such as Facebook and Google from identifying and tracking you by means other than your IP address.

However, in the security world, the Karlov episode can be considered serious proof: if ExpressVPN is good enough for political assassins, its services should be good enough for other people. Many VPN providers say they do not keep logs of user actions, but this statement is difficult to confirm in the absence of a convenient international incident.

Jerome from the Center for Democracy and Technology (CDT) is familiar with ExpressVPN. Last year, ExpressVPN, along with four other VPN providers, partnered with CDT to launch an initiative for VPNs to validate their good intentions. It compiled a list of “bona fide VPN” signs, asking other providers to answer eight questions on topics such as company ownership, business model and privacy practices. The question of ownership asks the company to disclose its full legal name, all parent companies and the location of their headquarters. The only thing it does not ask for is the names of company directors.

When I asked about ExpressVPN's management, Jerome apologized and said that he could not comment on anything. “We worked with these companies on trust,” he said. “Our final product reflects some of the difficulties we faced.” Jerome says that he initially hoped to conduct a more detailed audit, but this would have required more resources and closer cooperation from providers. “It was very difficult to get them to agree on how we would evaluate them, and who exactly would rate them,” he said. “I think they all consider themselves honest players. But I think that there is a fear that if people look under their hoods, they will see something bad there.”

* * *

AnchorFree did not participate in the CDT project. It commissioned its own audit from the German company AV-TEST, which evaluates antivirus and computer security software. Not surprisingly, in its report, disclosure of information about the owners and managers of the company became the main criterion, and the providers ExpressVPN and NordVPN were criticized for lack of transparency. AV-TEST also singled out the firms that produce an annual transparency report, something AnchorFree recently started doing. AnchorFree also took first place among providers for connection speed.

Given the popularity of the company's free service, its aggressive fundraising and its partnerships with companies such as Samsung - whose phones now come with the free version of Hotspot Shield VPN built in - AnchorFree may be the best among the companies trying to monetize the VPN popularity boom. However, it does not appear in many ratings, partly because of the experts' bias against free VPNs, partly because of poor performance in third-party speed tests.

It turns out that the most serious blow to AnchorFree's reputation was dealt by the CDT in 2017, when it sent a complaint to the Federal Trade Commission, arguing that Hotspot Shield misleads free VPN users by recording more data about them than necessary, and in some cases redirecting them to the websites of advertising partners. AnchorFree's Gorodyansky calls these statements a “regrettable misunderstanding,” but AnchorFree changed its terms of service shortly thereafter. In 2018, the Commission published a blog entry on the benefits and risks of VPNs, but took no other action.

ExpressVPN almost won the long-awaited recommendation from Wirecutter, which published a very detailed and extensive VPN overview. The text of the review hints that ExpressVPN could have taken first place, if not for one “but”: the refusal to disclose information about the owners. Wirecutter editor Mark Smirniotis said that ExpressVPN offered to organize a confidential conversation with the owners, but he decided that this would not be enough to change his assessment.

Instead, Wirecutter recommended a smaller service, IVPN, which, according to the author of the article, “does an excellent job with questions of trust and transparency.” Officially, IVPN is located in Gibraltar, which, like the Virgin Islands, belongs to the British Overseas Territories. Offshore territories are often chosen as bases for VPNs, since they lie outside the direct jurisdiction of the governments of the major world powers and rarely have major national security agencies.

With the growing demand for VPNs, the industry has a strong motivation to grow out of the Wild West phase. Partnerships with non-profit organizations and audits conducted by third parties are a step in this direction. NordVPN recently followed AnchorFree and ExpressVPN down this route, commissioning an audit from PricewaterhouseCoopers to confirm its statements on the protection of user privacy. However, such audits would be much more meaningful if they were not commissioned by the individual VPN providers themselves. People like Jerome are trying to promote industry standards, but for now VPN providers are shying away from audits whose methodology they cannot control.

More serious changes may follow when some of the market leaders decide to become public companies or to sell themselves to such companies. Of course, public companies are not immune to dubious actions, but they must obey disclosure laws and be audited. Other providers will remain private companies, accepting the risk of skepticism in exchange for being able to stay in the shadows - or beyond the reach of the governments of major powers.

Starting this article, I thought I would choose a VPN that I could trust for personal use. A few weeks have passed, dozens of calls have been made, thousands of words have been written - and I cannot say that I have come close to a clear choice.

One of the definitive conclusions, apart from “stay away from free VPNs”, is that the choice of VPN should depend on what you are going to use it for. If you just want to use the Internet safely, it makes sense to choose a large American company that is open about its owners and about how it handles user data. If you want to download pirated files from torrents, watch blocked content, kill an ambassador, or somehow escape from the long arm of your government (and other governments with which it cooperates), it is better to choose an offshore VPN - if you are sure that the provider does not have secret connections with the government you are trying to hide from.

Source: https://habr.com/ru/post/443112/

