Beware. That VPN may not have your best interests in mind.
Shoddy virtual private network companies often scatter hints of their dubiousness everywhere they go. Learning to identify a few of these red flags can save you hours of research and a hefty annual subscription cost for supposedly getting connected to the internet more securely. Is the price too good to be true? Has the company been caught keeping logs? How are your connection speeds?
To save you time, here are a few of the biggest red flags to watch out for when taking your new VPN out for a test drive.
There’s no such thing as a free lunch. Maintaining the hardware and expertise needed for large VPN networks isn’t cheap. As a VPN customer, you either pay for a premium service with your dollars, or you pay for free services with your usage data when it’s collected by the free VPN and bargained away to advertisers or malicious actors.
As recently as August 2019, 90% of apps flagged as potentially unsafe in Top10VPN’s investigation into free VPN ownership still posed a privacy risk to users. Free VPNs can also leave you open to quiet malware installation, pop-up ad barrages and brutally slow internet speeds.
If a VPN is caught keeping or sharing user activity logs, I won’t recommend it. While most VPN services claim they don’t track or keep logs of user activity, that claim can sometimes be impossible to verify. In other instances, the claim falls apart publicly when a VPN company hands over internet records to law enforcement.
The latter has happened in a few cases. EarthVPN, Hide My Ass VPN and PureVPN have all been clocked by privacy advocates for handing over logs to authorities, as has IPVanish.
To be clear, it is entirely possible to be grateful for the arrest of reprehensible scumbags while ardently advocating for consumer privacy interests. My beef isn’t with any VPN company helping cops catch a child abuser via usage logs; it’s with any VPN company that lies to its customers about doing so. The lie that helps law enforcement in the US catch a legitimate criminal is the same lie that helps law enforcement in China arrest a person watching footage of the 1989 Tiananmen Square protests.
Ideally, the VPN you choose should have undergone — and published the results of — an independent third-party audit of its operations, including its use of activity logs.
Another red flag to watch for when choosing a VPN is shoddy encryption standards. Users should expect AES-256 encryption or better from VPN services. Nearly every web browser and app already uses AES, often touted as “military-grade” encryption, after it was adopted by the US government in 2002. If your VPN only offers PPTP and L2TP encryption, look elsewhere.
While you’re snooping around for encryption details, keep an eye out for one of our favorite phrases, “Perfect Forward Secrecy.” Those three little words can have a hefty impact on your privacy: If one of your VPN’s servers is ever breached, Perfect Forward Secrecy ensures that any keys used to decrypt private internet traffic quickly become useless — giving you more security.
Extremely slow speeds
With just a little bit of elbow grease, any moderately skilled internet jerk can throw together a service that looks like a VPN but is actually little more than a proxy service reselling your internet bandwidth. Not only can that slow your internet speed, it could potentially leave you on the legal hook for whatever they do with that resold bandwidth.
Hola’s case was the most famous. The company was caught in 2015 quietly stealing users’ bandwidth and reselling it to whatever group wanted to deploy its user base as a botnet. Hola CEO Ofer Vilenski admitted it’d been had, but contended this harvesting of bandwidth was typical for this type of technology.
“We assumed that by stating that Hola is a (peer-to-peer) network, it was clear that people were sharing their bandwidth with the community network in return for their free service,” he wrote.
Nearly all VPNs slow your browsing speed, some by as much as half. But a brutal crawl can be a sign of something worse than a simple lack of servers. So if being pressed into service as part of a botnet isn’t your cup of tea, double-check those suspiciously slow speeds and the reputation of the VPN you’re paying for.