How to find a trustworthy VPN service


Determining whether a VPN service is trustworthy can be complicated. Fortunately, there are a few easy steps you can follow to know if a VPN service can be trusted.

The importance of trust when it comes to VPN services cannot be overstated. Given the recent surge in interest in VPN services among the general public, we feel it is in the public interest to discuss the VPN trust issue, especially given the general ignorance on this topic. There are many technical factors that need to be considered when looking for the best VPN service, but without trust, all the technical security is irrelevant. This means trust is actually the biggest security risk with most VPN services.

Crucially, VPNs are not zero-knowledge. By design, when you use a VPN, all of your online traffic passes through the VPN, so the VPN provider sees everything. This means that while using a VPN might hide all of your browsing activity from your Internet Service Provider (ISP), this data is completely accessible to the VPN provider (regardless of whether or not they save logs). In other words, when you use a VPN service, what you are doing is shifting trust from your ISP to your VPN provider.

Why VPN trust matters

For many people, moving their trust from a highly regulated telecommunications company to a VPN company run by shadowy figures could be an example of misplaced trust. A malicious VPN provider could be operated by an intelligence agency or actively colluding with repressive governments, putting unwitting users at even greater risk.

Recently, the repeal of Internet privacy rules in the US caused a public outcry because now ISPs are allowed to sell browsing history without customer permission. While this is appalling, such behavior is already commonplace in the VPN industry. For example, free VPNs such as Hola have been found to be selling user browsing data, and even access to user devices.

Now that US ISPs can sell your browsing history, using a VPN makes more sense than ever before, but it is important to first check carefully to find the most trusted VPN service.

How to find the most trusted VPN service

Evaluating whether a piece of software or a service is trustworthy can be complicated. However, for VPN services it is rather simple, as there are just two main things to look for:

1. Jurisdiction

Jurisdiction refers to which country a VPN service is incorporated in and where it is operated from. This is important because many countries have aggressive legislation which could force VPN providers to conduct active surveillance on VPN users on behalf of government agencies. These laws include the Investigatory Powers Act in the UK, and FISA in the US.

In fact, there are over a dozen countries that collaborate on surveillance. These are collectively known as the Five Eyes and Fourteen Eyes countries (US, UK, Canada, Australia, New Zealand, Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Spain, and Sweden). In addition to these, you probably also don’t want to use a Chinese, Russian, or Turkish VPN provider for similar reasons.

Countries that are part of the Fourteen Eyes surveillance network.

VPN providers from Fourteen Eyes countries should be avoided at all costs because they can be legally compelled to spy on users. A lot of care must be taken when performing this check, as many VPN providers go to great lengths to disguise their true jurisdiction. For example, VyprVPN uses a Swiss shell corporation, but is actually based in Austin, Texas, USA. Private Internet Access is operated by a company known as London Trust Media, which sounds like it is based in Europe, but it is actually based in the US (one of the Five Eyes countries) and could be legally compelled to spy on users. This type of jurisdiction obfuscation is very common in the VPN industry.

Private Internet Access appears to be based in Europe due to the name London Trust Media, but a little bit of digging reveals it is based in the US.

2. Who is operating the VPN service?

Because a VPN provider technically has access to your entire browsing history, a no-logging policy is more of a promise than a technical guarantee. Therefore, who exactly is running a VPN service, and what their intentions are, are key components of VPN security. Some VPN services are simply scams, but in the worst case, a VPN service may be actively malicious. Indeed, it was found that 38% of Android VPN apps contained malware.

A good indicator of trustworthiness is the level of transparency around the ownership of a VPN service. Important criteria include:

  • Are the individuals operating the VPN service clearly disclosed on the VPN service’s website?
  • Are the people behind the VPN service well respected within the security/privacy space and have the necessary technical expertise to operate a service with sensitive security requirements?
  • Are you certain the VPN company is not a shell company (e.g. registered to a mailbox in Panama or the Cayman Islands with no actual presence there)?

If the answer is not YES to all of the above questions, then the VPN in question should be avoided because it could be a scam, or worse, working on behalf of state surveillance agencies, spreading malware, or simply insecure.

Can VPNs be fully trusted?

Unfortunately, due to the nature of the technology, there is no way to know with 100% certainty that a VPN service is not spying on you. While this may seem like an extraordinary statement coming from us given that ProtonMail also operates ProtonVPN, we really feel that it is in the public interest to shed light on the VPN trust issue. ProtonMail can achieve zero knowledge through end-to-end encryption, but it is technically impossible to build a zero-knowledge VPN service. In other words, a VPN service may provide security and privacy, but never anonymity.

However, using a VPN is still essential, because while you cannot be 100% certain that a VPN is trustworthy, you can be 100% sure that your ISP is spying on you and recording your browsing history. By following the two steps outlined above, and also the criteria listed in our guide for how to find the best VPN service, you can have much more certainty about the security of your VPN service.

How about ProtonVPN?

ProtonMail is also developing ProtonVPN, a free VPN service that uses innovative technology to provide a higher level of security and trust compared to existing VPN services. You can learn more about what makes ProtonVPN different here: https://protonvpn.com

Best Regards,
The ProtonMail Team


About the Author

Admin

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.

 


37 comments on “How to find a trustworthy VPN service”

  • Regarding “leaky” VPNs – the CIA will get in the most trouble for spying on ordinary Americans.

    The Vault 7 release states there were 22,000 American IP addresses spied on. Some of those will be American citizens. Some Americans will have been spied on for political purposes only. THAT is the pressure point the CIA will be most afraid of.

    Wikileaks lawyers need to select a class action law firm to examine the American IP addresses, and get the matter into a court of law with American plaintiffs who have been spied on by the CIA.

    If the matter can be drawn out in court, the CIA’s budget could be cut very dramatically.

    Ask Wikileaks to help discover which Americans have been spied on by their own government. It’s important.

    • hello k,
      From my experience and my studies of this sensible subject , i can write that the deviant behavior never decreases a budget or bring trouble to the authors/actors. Spying killing hurting cheating infiltrating stealing menacing are often used by some groups of the organized crime – which famous one could be a government/few person hidden behind a legal force – providing a sovereign_political immunity. Skunks/perverts are not punished but denounced because it is more a show than a court.
      I suppose that the right way to manage/balance this attack is to be paid for the data stolen, for the hostility you felt, but not as a victim of ‘mac-carthyism’, violence, ostracism so it will be a moral compensation (class action) but certainly not a revolution.
      Comparing a debian maintainer retained (yesterday) in russia and one killed in usa (murdock)-2 real great countries & democracies- i wonder why the product sold is more a virtue than a trash in this strange deal where to be sane is targeted as a danger : they were spied during a long time before to be dropped.
      bye k.

  • Hello,
    > a VPN service may provide security and security, but never anonymity.
    – does it mean that even with a fake ip ; my real location is in your hands as admin of this blog ?
    – does it mean that a vpn provider protects only against the isp spying ?
    – how much am i protected using a vpn ; yours or another , does a test exist for that purpose ?
    # what about the mac ? afaik, a vpn does not hide it !
    # has proton-vpn implemented a counter-measure randomizing it ?
    Regards.

    • It means that the VPN provider ALWAYS knows your real IP address, and can choose to access/reveal that information at any time.

  • As user of protonmail, i know of course that my isp is spying me (always) and my vpn provider was chosen by trust and not from a special audit reported by experts but even if security & privacy are important, i use a vpn for anonymity : there is always someone who knows who i am (by correlation & logs vpn/isp) and there are always readers who will never know:care … it is a new age for the digital life where the sophisticated tools can obfuscate with trust and security a large part of our real life.

    • There are a lot of vpn providers that you must avoid (free & paid) of course and a lot are also for a particular threat model like ‘protecting children from the danger of internet’ or ‘firewall + support + cloud’ or ‘torrent & post anonymously’.
      Reading the comments above i learn :
      * that it should be more dangerous to subscribe at a vpn in my own country rather than from a safe place out of the 14 eyes ;
      * that a vpn is not enough (no anonymity by design so + tor or ip2/freenet) ;
      * that a user lambda will not be alerted if a request has been made against him/her (before it becomes official , they ask & research – no transparency) ;
      * that a norm about security & privacy in mind does not exist (a vpn can use an exotic private/proprietary encryption protocol -weak/unstable- and colluding) and “14” can shut down internet/tor/vpn or infiltrate your computer.
      * I think that the proton_team will provide a free plan for protonvpn & a version for most of o.s/device : it is a matter of reputation and professionalism so i know i will use it soon and be safe.
      * No, i have not in mind the black list but i tried some of them and read before the brexit and on their support_tweet that some famous ones are not at all secure & safe.
      ** do i need choose one involved in a criminal activity to be safe or do i need a platform where i should be like a product in the hands of a baby-sitter ?
      ** will proton vpn provide tor + vpn / vpn + tor ?
      ** in the case of a 3 conflict the neutral Switzerland will become quickly a no-man-land but not a rogue state like france so even in the worst scenarii , proton vpn will be still protected by the ch laws.

      Hoping that something new be created , innovated , imagined with anonymity in mind & privacy & security for this century before it was too late.

    • Companies in any country are always obligated to turn over what data exists in a criminal investigation, including payment information. All VPN providers have access to your actual IP address, which is why, as we mentioned above, VPNs are about privacy and security, NOT anonymity.

      Switzerland does in fact provide a lot of extra security, because ProtonVPN AG is exempted from the law (turnover under 100 million CHF), and because Switzerland is not a Fourteen Eye country, requests can only come from Swiss authorities (e.g. the law doesn’t let the NSA in). So unless you are residing in Switzerland, there is unlikely to be a request for your data, and a request can only be made if criminal charges are brought against you by a Swiss court. Details here: https://protonmail.com/blog/swiss-surveillance-law/

        • No logging cannot be technically enforced. In a 14 eyes country, it is just a matter of obtaining a court order to force logging for a particular user. This is why it’s important to be outside of 14 eyes to reduce the risk of that.

  • you recommend 1194 , i use 443 : can i change the port on the opvn ?
    you recommend securecore : i do not know what it is, do i need download/install/set dependencies ?
    you recommend a zip but i do not find your pgp key (albeit it is almost useless in this case).
    you recommend sending an e-mail to support-team or to bug-team but i do not find your pgp key (albeit it is almost useless in this case).

  • Using ProtonVPN beta now. Really like it so far. Would love to transition fully from current vpn, AirVPN, when service comes out of beta.
    When will more servers become available?
    When will the service come out of Beta?
    Will the Linux client be available in source so Gentoo users can build a version or a build be made available in Portage?

    Been a user since first crowdfunding campaign. Keep up the great work.

    • Yes we will be adding many more servers as ProtonVPN grows 🙂 It should be out of beta later this year. Building a Linux client is on our to do list, so we will eventually make that available too. Thanks for your support!

  • I want to know if I can send documents and attachments if I sign up for your email service? Like Word, PDF and jpeg pictures. I am in the process of writing a book and want my readers to have access that is secure and send me messages. I will be upgrading my computer shortly and doing away with Microsoft XP and want another operating system and wondered if you have any suggestions? My email is: garybur5@msn.com and have had that same email for over 15 years and get lots of junk email. Would love to have any comments and suggestions. I live in a small town in Arizona and do not have any that are really knowledgeable of such questions. Have lots of old programs that I use and many research documents that over many years. I read about your email on the newest edition of The New American and that is how I got the information about your company. Thanks for any help at all, Regards Gary Burnett

  • Dear ProtonMail team! While the Helvetic Confederation is not part of those dreaded “14 eyes”, and as you have been stressing so far, Swiss laws provide access to your national authorities *only* (in cases of criminal investigation), can it be completely excluded that secret inter-government agreements exist that would facilitate access to that same type of consumer data by certain designated foreign services (say, the CIA of the USA)?

  • Appreciate that you guys are creating a VPN however we also need you to focus on your core product – the email side of things.

    Please look into the calendar feature. Without it, we can’t use the service as our main email provider.

  • You spelled VyprVPN wrong; there is not an ‘e’ – trivial but might help people find this information when searching for VyprVPN.

  • Good article and the addition of a VPN is a great value add. Will it remain free for paid (Plus) Proton Mail users once it’s out of beta?

    On another note, I’m not sure it’s entirely fair to highlight PIA as being deceptive, true the operating company name is odd but it literally says on their homepage that they are a “US based corporation” (under the header Why Choose Us, which isn’t a reason I’d choose them, but whatever).

  • VPNs do have disadvantages, many are not aware of: e.g.

    Centralisation:
    When you use your device in different locations (work/home/airport/..), different ISPs [can/will] log.
    When you always use your (same) VPN, the log becomes quite coherent! Even over device boundaries!!

    Security:
    Your ISP or your company might have a great firewall configured to protect you!
    Using a VPN puts your naked machine into the VPN-admin’s hands (or even other VPN-users’ hands!)

    Trust:
    You will NEVER know which VPN provider you can trust.
    You should AVOID certain countries, but bad guys can hide behind ANY VPN.

  • I tried proton vpn and most of the sites behind cloud-flare blocked most of your servers since it is part of their blocked ASNs. Hence I lost my excitement to switch to you.

  • In North America, all VPN services are nailed down administrations in 14-eyes. Excepting Iceland and Switzerland, where every related news story coming out of same jurisdiction demonstrates ample, better than ’14’ cooperation between all parties involved. Ergo, if you want to hide something online, you need a private VPN. As your engineer builds same for you, you will be asked, “What **local** server hub do you want to use?”… All national entities excepting North Korea and very few others, seriously engage being International partners (for countless good reasons). You could always set up some sort of magical telescope, train it on Thera (our moon) and run your VPN off moon-rays. Otherwise, shared VPN services are great extra security for customary documents, apps and processes. If you don’t like certain Internet restrictions, vote and become a well-liked social activist (like Dostoyevsky, one of Putin’s favorite authors). Otherwise, get real and shut up, I guess (sorry).

  • I have been testing ProtonVPN on a pc but do not want to move to an active paid account till I can get instructions on how to install the protonVPN on my router. Once I can do that it will be usable and worthwhile for me to have my small home network running on ProtonVPN. I’m not an expert but if I could get fairly detailed instructions on implementing this I would be most grateful for your gracious assistance! Respectfully, Thank you all.
