Report: Caution needed when choosing VPN provider
November 7, 2023
Internet users increasingly rely upon virtual private networks (VPNs) to ensure their online privacy, but VPN providers have a dubious track record of breaking promises to safeguard their customers’ privacy, engaging in shady efforts to woo potential customers, and associating with entities in the dark underbelly of the Internet that target users for harm, according to an investigation conducted by the Digital Citizens Alliance and White Bullet. The six-month investigation found:
- While relying on online reviews is the most common way people choose VPN service, some review sites aren’t the independent and neutral arbiters they pretend to be. For example, Kape Technologies, the owner of ExpressVPN, acquired VPN review sites in 2021, raising the question whether Internet users can now trust that those reviews are truly independent.
- While VPNs tout privacy, some associate themselves with illegal content theft websites – a nefarious $2.3 billion dollar industry that has been demonstrated to intentionally expose their users to malware designed to violate their privacy. The investigation found that VPN providers spend an estimated $45 million a year advertising on piracy sites.
- Users may not realise that their VPN provider logs their online activities. Free VPNs may make money by selling that data to third parties. VPNs claim to not retain user data. However, in 2020, seven VPNs left user data – which they claimed they were not collecting – for roughly 20 million people unprotected on a cloud server. The Center for Democracy and Technology – a tech think tank – has raised concerns that the claims made by VPNs that they protect user data have proven too often to be false.
“By engaging in questionable activities, VPN providers undermine the trust critical to the future of the Internet and support illicit actors who are notorious for targeting Internet users to spread malware and engage in credit card fraud,” said Tom Galvin, Executive Director of the Digital Citizens Alliance. “What does this mean for Internet users? Choose carefully when deciding on a VPN provider.”
“Piracy sites provide real audiences attracted to rich media content: this means advertisers are hugely exposed when programmatic algorithms and negligent affiliates choose these eyeball-rich environments for ad placement, without using proper filtering solutions,” said Peter Szyszko, CEO of White Bullet Solutions Limited. “Brands that use these advertising and marketing mechanisms are particularly at risk. Programmatic systems are only as good as the ‘exclusion lists’ that control them, and if these are not dynamic or real-time, then lists quickly become out of date. Affiliate partners seek to maximise commission from brands for clicks made on their ads, so unless they are closely monitored and audited by brands, greed may get the better of them.”
In places such as the US, VPNs have access to that data without any direct regulatory oversight – although most Americans don’t realise that. A Digital Citizens research survey conducted in October found that a majority of Americans believe that VPNs are regulated by either the federal or state governments.
Concerns about how VPNs operate are compounded by a general lack of understanding about them. The research survey of 1,318 Internet users found that 54 percent of Americans weren’t sure whether they even used a VPN. Only 1 in 5 reported having a strong understanding of a VPN’s purpose.