Attacks on personal privacy are on the rise. Surveillance by government organizations, corporations, and more has prompted many internet users to start using VPNs. A virtual private network is an easy way to drastically increase online privacy, allowing a user to browse the internet as if they were situated on the opposite side of the globe.
VPNs sell their services using their range of server locations. A VPN with multiple locations throughout multiple nations is usually seen as a solid choice. The variety of locations and servers means you’ll always find an active connection to protect your data.
But what if VPNs didn’t really have all those servers? What if, instead, some of those servers were actually elsewhere? Suddenly, that super private server located in privacy-focused Switzerland is actually in the United Kingdom. Or a server allegedly located in Pakistan is actually in Singapore.
The latter is a real example from the world of VPN spoofing that we’re about to take a look at.
Where in the World?
Navigating the now tens-of-thousands of VPN providers is tricky at the best of times. The standard advice is usually to avoid free services, pay yearly, check logging policies, and check the range of server locations. The more unscrupulous services may do the opposite: log your data, track your searches, de-anonymize customers, and perhaps sell the lot to a third-party advertiser (or government).
…how's that supposed to work, I will be sending all my data to some dodgy VPN provider who will be happy to sell it to the highest bidder?
— Meadow Ellis (@notameadow) July 17, 2017
It is difficult, but the majority navigate these issues with careful research and user reviews.
But a recent report by RestorePrivacy editor Sven Taylor indicates that for many major VPN providers, this is often far from the truth. Taylor makes it clear in his report that it is not an attack on any one VPN provider. Rather, he seeks to expose false VPN marketing claims, fake server locations, and to clarify confusion surrounding VPN virtual server locations.
RestorePrivacy use several well-researched examples. Take the extremely popular Hidemyass service, and their extensive range of server locations.
Hidemyass claims to have “760+ VPN servers in 280+ locations in 210+ countries around the world.” This includes two servers, with six IP addresses, in Manpo, North Korea. This alone seems jolly unlikely.
Further reading reveals that a number of these locations are “virtual locations,” rather than physical servers. In the case of North Korea, it is understandable — how would they secure a VPN server in one of the hardest countries in the world to enter, let alone configure an external-facing server?
But Hidemyass is not alone.
ExpressVPN is one of the top-rated VPN services in the entire world, used by tens of millions of people. RestorePrivacy found 11 fake server locations. When the original article went to print, ExpressVPN was still adamant that their servers were all real. Six days after the article release, ExpressVPN updated its virtual server location information, detailing exactly which servers were virtualized.
RestorePrivacy found five fake PureVPN server locations, but suspected there were significantly more to be uncovered.
How Did They Find Out?
Prior to the RestorePrivacy article, Hidemyass was forthcoming with its use of virtual locations — but not that some of these virtual locations are fake. A Hidemyass chat representative confirmed that some virtual locations are indeed “fake,” but couldn’t elaborate on which ones. I was advised that they “simply want to offer more locations, and [a] much [more] stable connection.”
One common defense of VPN servers returning “wrong” IP addresses is poorly maintained geo-IP databases. A geo-IP database may well return an incorrect location if it isn’t kept up to date. Taylor took that into account by using three different network-testing tools, which you can also try:
- CA App Synthetic Monitor ping test (ping test from 90 different worldwide locations)
- CA App Synthetic Monitor traceroute (tests from various worldwide locations)
- Ping.pe (ping test from 24 different worldwide locations)
The goal was “to verify the true location beyond any reasonable doubt.” And if “there was any doubt, [Taylor] did not label the server as ‘fake.’” The original article has extensive analysis of each VPN service covered.
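One way to interpret multi-location ping results like those described above, as an added example (not Taylor's method or code from the RestorePrivacy report): a round-trip time cannot be lower than the distance to the server allows, so a probe that answers too quickly rules out the claimed location. The probe names, coordinates, RTT values and the 200 km/ms fibre speed are constructed assumptions.

```python
import math

# Assumption: signals in optical fibre cover roughly 200 km per millisecond
# (about two thirds of the speed of light in vacuum), one way.
FIBRE_KM_PER_MS = 200.0

def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def min_rtt_ms(a, b):
    """Lowest round-trip time physically possible between two points."""
    return 2 * great_circle_km(a, b) / FIBRE_KM_PER_MS

def max_distance_km(rtt_ms):
    """Farthest the server can be from a probe that measured this RTT."""
    return rtt_ms * FIBRE_KM_PER_MS / 2

def check_claim(claimed, probes):
    """Return probes whose best RTT is too low for the claimed location.

    probes maps a probe name to ((lat, lon), [rtt_ms, ...]).
    The result maps each contradicting probe to (best_rtt, physical_floor).
    """
    violations = {}
    for name, (coords, rtts) in probes.items():
        if not rtts:        # no replies (packet loss or filtered ICMP)
            continue
        best = min(rtts)    # the minimum is least inflated by queueing
        floor = min_rtt_ms(coords, claimed)
        if best < floor:
            violations[name] = (round(best, 1), round(floor, 1))
    return violations

# Constructed sample: a server advertised as Karachi, Pakistan, pinged from
# four hypothetical vantage points. All RTT values are made up.
CLAIMED_KARACHI = (24.86, 67.01)
SAMPLE_PROBES = {
    "singapore": ((1.35, 103.82), [2.1, 1.8, 2.4]),
    "mumbai": ((19.08, 72.88), [61.0, 58.7, 63.2]),
    "london": ((51.51, -0.13), [172.4, 169.9, 171.0]),
    "sydney": ((-33.87, 151.21), []),
}

if __name__ == "__main__":
    print(check_claim(CLAIMED_KARACHI, SAMPLE_PROBES))
    print(max_distance_km(1.8), "km at most from the Singapore probe")
```

A violation rules the claimed location out; an empty result only means the measurements do not contradict the claim, since real routes are slower than the physical floor.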
But Why Use Fake Virtual Servers?
The answer lies with — can you guess? — money.
“The incentives are mainly financial. First, it saves lots of money. Using one server to fake numerous server locations will significantly reduce costs. (Dedicated premium servers are quite expensive.) Second, advertising numerous server locations in a variety of countries may appeal to more people, which will sell more VPN subscriptions.”
The VPN market is increasingly competitive. Gaining an advantage in any way is becoming the norm. With a number of new, uneducated VPN users seeking services for the first time, the inclination is to trust services with extensive networks spread throughout the globe. And some VPN providers are only too happy to play up to that emphasis on server size, rather than quality.
And Why Is It So Bad?
A fake virtual VPN server might not bother you. It is easy to reason that so long as your identity remains private and anonymized, nothing is the matter. There are, however, serious concerns:
- A fake server may reside in a country you are trying to avoid, and you’ll be unaware if you connect.
- A fake server is fake — not where the company says it is. A company you’re trusting with your anonymity shouldn’t be lying as a course of business.
- If you’re attempting to access a restricted service, it may fail.
- If you’re attempting to optimize your VPN performance, you’ll be configuring the wrong settings.
Furthermore, VPN service providers’ use of fake virtual servers only adds to a growing sentiment that VPNs are untrustworthy. With VPNs and encryption under attack in a number of countries, and outright banned in others, negative press isn’t ideal.
So… What Do I Do Now?
Well, in an increasingly competitive market, there are some excellent small VPN services that place emphasis on server and network quality, rather than a sprawling size. RestorePrivacy recommend switching to a service such as Perfect Privacy or VPN.ac. I would add that Mullvad and CryptoStorm are also excellent choices for logless internet use.
In addition, steer clear of free VPNs. A free VPN is an extremely useful tool in a pinch. But remember: if you’re not paying, you are the product. And for the vast majority of free VPN services, that rings true.
Will you reconsider using a VPN in light of this news? Or will you switch to a smaller provider? Should there be a crackdown on false VPN advertising? What are your VPN service suggestions? Get the conversation started below!