We highly recommend that all people use VPNs — there’s no doubt about that. Just look at all of these common activities where VPNs prove useful. Indeed, there are many reasons to always use a VPN online, including but not limited to improved personal privacy.
But not all VPNs are worth using. In fact, some VPNs are so bad that you’d actually be better off not using anything, than routing your traffic through their services. Here are some warning signs to look out for, plus specific VPN services to avoid if you value privacy.
What Makes a VPN Bad for Privacy?
Country of Origin
Never connect to a VPN server that’s located in one of the “Five Eyes” countries (U.S., U.K., Australia, New Zealand, Canada), one of the “Nine Eyes” countries (France, Norway, Denmark, The Netherlands), or one of the “Fourteen Eyes” countries (Belgium, Italy, Germany, Spain, Sweden).
The governments of these countries either spy on their own citizens, spy on each other’s citizens, swap such spying intelligence with each other, or otherwise enable and encourage spying in some way. These countries are likely to pressure and acquire intelligence from VPN servers operating in their territories.
When connected to a VPN, all of your internet traffic is routed through the VPN’s server. Some keep minimal logs, such as the IP from which you connected and the time of your connection, while others keep full track of browsing habits, websites visited, apps used, etc. Logs are bad because they allow activity to eventually be traced back to you.
Even VPN services that promise “no logging” can’t be trusted at face value. They might not participate in “activity logging” but may actually be logging other things. How do you know whether a VPN’s no-logging claim is trustworthy? You have to read their…
Terms of Service
A VPN service’s Terms of Service outlines (or should outline) exactly what you can expect as a user: what kind of activity is forbidden, what’s tracked, what’s not, etc. When in doubt, you should contact the service and ask questions to determine what their logging policy is really like.
Some things to keep in mind:
- Should they log anything related to your connection, including IP or connection time, then it can eventually be traced back to you.
- If they won’t block accounts, even ones that are highly abusive of the system, then there’s a good chance the service truly is log-free.
- If they claim they can block accounts without logging information that can identify you as a user, then you should pry into how it works. Most of the time, they won’t be able to give you a clear answer, in which case you should assume logs are somehow involved.
Lack of OpenVPN
VPNs can operate using many different “types” of connections, which we’ve explored in our comparison of major VPN protocols. L2TP and PPTP are some of the more popular, but they have glaring flaws that make them poor options for privacy. OpenVPN is the best protocol because it’s open source and offers the strongest encryption of traffic.
Leak Test Failure
Sometimes your actual connection to the VPN server can be compromised. For example, your PC goes to sleep and doesn’t reestablish the VPN connection upon waking, or you switch from Wi-Fi to Ethernet, or your router gets unplugged and you have to plug it back in.
Even when you’re “successfully” connected to the VPN, some of your traffic may not be routed through that connection. This is called a leak, and it undermines the entire point of using a VPN for privacy.
Certain VPN clients are better than others in this regard. You should periodically check up on this using so-called leak tests: WebRTC Leak Test, IPLeak, DNS Leak Test, and TorGuard’s DNS Leak Test, just to name a few. Visit each test twice: once without VPN, once with VPN. Your IP addresses should be different both times.
One of the most common VPN myths is that free VPN services are “good enough.”
It turns out that free VPNs come with a lot of risks, the main one being that such services need to pay for servers and bandwidth somehow. If users aren’t paying anything, then they need to generate revenue some other way — most often by selling user data and information.
Free trials for paid services are fine. Unlimited free services are not. As with most things, you get what you pay for, and privacy is not cheap. We always recommend paid VPNs over free.
Lack of Anonymous Payment
One more thing to keep in mind: if you want to add an additional layer of obfuscation, you might prefer a VPN service that takes anonymous payments. Whereas a credit card or PayPal account can be traced back to you, cryptocurrencies like Bitcoin don’t leave such a breadcrumb trail to follow.
Which VPNs Should You Avoid?
It’s one thing to speculate whether a particular VPN service is safe or unsafe based on what they say and what they promise. It’s something else altogether when a VPN service is caught red-handed as far as tracking activity, keeping logs, selling user data, etc.
If you value your privacy, here are the VPN services you want to avoid — ones that have been shown and proven to violate user privacy in one way or another.
Back in 2015, Hola was found to do something that no other VPN service does: turn the PCs of its users into “exit nodes,” allowing other Hola users to route their traffic through said nodes. Hola sold this bandwidth to a third-party service. A violation this egregious puts Hola squarely in the category of services to NEVER use ever again.
2. HotSpot Shield
In 2011, the Federal Bureau of Investigation tracked a hacker’s activities back to an IP address belonging to the HideMyAss VPN service. The FBI acquired activity logs from HideMyAss and used them to catch and prosecute the hacker. Despite the illegality of the hacker’s actions, this incident made one thing clear: HideMyAss does keep traceable logs.
4. Facebook Onavo VPN
In early 2018, it came to light that Facebook’s built-in “Protect” feature for mobile apps was really just the Onavo VPN it acquired back in 2013. Regardless of how effective it is at protecting users, there’s one thing that ought to deter you: Onavo will collect your mobile traffic data to “improve Facebook products and services, gain insights into the products and service people value, and build better experiences.”
5. Opera Free VPN
In 2016, the Opera browser introduced a new “free unlimited VPN” feature available to all users. But despite the naming, Opera Free VPN is not a VPN in the truest sense. It’s more like a web proxy (differences between a VPN and web proxy), and Opera does collect usage data which may or may not be shared with third parties.
Not only is VPNSecure headquartered in Australia (a “Five Eyes” country), but a 2016 research paper [PDF] found IP leaks and DNS leaks with the service, plus “egress points” for residential users, which is similar to the “exit nodes” concept that sunk Hola above. The paper suspects but does not confirm that the bandwidth of users may be being used without their knowledge. However, if you want to be safe, you should probably stay away.
In 2018, a test by vpnMentor found that ZenMate (along with HotSpot Shield and PureVPN) suffered from IP leaks, which could give away your identify even when using the internet with an established VPN connection through ZenMate. This, coupled with the fact that ZenMate was slow to respond to these findings, makes us wary of their respect for user privacy.
Privacy-Conscious VPNs You Can Trust
As of now, there are only a handful of VPNs with no-logging policies that privacy-minded folks trust. You can read about them in our article on logless VPNs that take privacy seriously. We recommend ExpressVPN, CyberGhost, and Private Internet Access.