How to Critically Choose a VPN

From TCU Wiki
  • Date: Wednesday, December 7
  • Time: 10am to 11am EST / 3pm - 4pm UTC (What time is it in my city?)
  • Who: Viktor Vecsei, COO at IVPN
  • Location: Zoom

RSVP: https://digitalrights.formstack.com/forms/vpnvillage2022_4

How to Critically Choose a VPN Service (Talk and Q&A)

In a market so saturated with commercial VPN providers, it is a challenge not only to determine if you need a VPN or not, but also to navigate search results and the network of VPN review sites as you try to find a trustworthy VPN.

What are the key things you should look for when determining if a VPN service is trustworthy? How can you determine if a VPN recommendation site is legitimate? What red flags signal that you should steer clear of a VPN provider?

In this session, you will learn how to recognize signals of trustworthiness in VPN providers and more effectively analyze VPN recommendation resources in your search for a VPN service that respects your privacy, safety and security as a user.

Note: This session is not geared toward high-risk users or those for whom anonymity and/or circumventing severe censorship is a necessity.

Bio: Viktor Vecsei is a privacy activist, researcher and writer. He is the COO at IVPN, a privacy-focused VPN provider, where he works on increasing transparency, honest communication and improving ethical standards in the commercial VPN space.

Notes & Resources

How to Critically Choose a VPN Service Slides
Critically Choosing a VPN Resource List

What will this session do?

  • Provide tools to critically analyze and choose a VPN service

What will this session not do?

  • Give specific recommendations
  • Say anything negative about certain providers

Before you start to choose a VPN service, you need to ask “Do I need a VPN?”

  • A VPN is not going to protect you 100%
  • VPNs are not a one-button solution to all of your privacy problems.

Threat modeling is key to determining if you need a VPN or not.

  • Use Cases:
    • Circumvention
    • ISP surveillance
    • Untrusted Wi-Fi networks
    • Geo-blocked content

What makes a good VPN?
Can you trust the VPN? How do you find the right service?

  • Misaligned incentives, ads, misleading information, review sites etc. make it challenging to filter the good content and trustworthy information from the noise.
    • Search Results
      • Highest ranked sites are all tech magazines and VPN review sites.
      • There is a lot of money to be made in ad revenues
    • VPN Sponsorship
      • Sponsored reviewers and influencers usually don’t have any technical expertise or background.
      • They are often incentivized by monetary gain.

Route 1: Trust the Experts (The easier route)

Route 2: Do it Yourself

  • Do not default to trust. Make the VPN provider work for your trust.
  • Start with a long list and narrow it down.
  • Review the website of the provider and implement a check-list.
  • Be vigilant.
  • Do a safety check (searches, forums etc.).

The VPN Provider Checklist:

  • Jurisdiction
    • Transparency / accountability
      • Depending on the location of the company, they will be subject to the local laws which will determine business practices and consumer protections.

Red Flags (Avoid)

  • Overpromising
    • Promises perfect privacy or anonymity.
    • Best / fastest service (yellow flag, not so red).
    • Promises “military-grade” encryption.
      • This is just meaningless marketing jargon
  • Privacy Policy
    • There needs to be a policy.
    • It should be clear and concise.
  • No transparent ownership
    • You want to see clear ownership so that there is full accountability.
  • No details on security practices
    • This is hard to evaluate if you don’t have a security background.
  • No audits
    • There needs to be an independent auditor.
    • It should be an auditor who specializes in VPN or technical audits.

Yellow Flags (Proceed with Caution)

  • Trackers on the website or in the VPN app
    • This means they don’t fully respect your privacy.
      • It’s for marketing and website optimization in most cases.
    • In the App Store, Apple lists what the VPN app actually tracks.
  • No legal guidelines
    • How do they handle law enforcement requests?
    • You want to see transparency reports
  • Too good to be true deals
    • Multiple years for under 50 USD etc.
    • Lifetime accounts
    • Not sustainable, or need other ways to make money
      • Selling browser data etc.
  • Fear / Uncertainty / Doubt
    • Service stoking user fears to get them to use VPNs
  • Dark patterns
    • Fake countdown timers
    • Exit consoles
  • Social Proof tricks
    • Made up user numbers
    • Trustpilot problem
      • It’s really easy to purchase reviews

Green Flags (Big Pluses)

  • Open source
  • Minimal information for sign up
    • Some providers don’t even need an email address for sign up
    • Your provider should only know minimal information about you.
  • Uses the latest protocols available
    • WireGuard is the gold standard and default for best providers.

Once you've narrowed down a trusted shortlist, choose a service based on other preferences:

  • Price point, platform support, server locations, streaming support.
  • Killswitch
  • Multi-hop (allows you to jump through multiple servers in different jurisdictions)
  • Ad blocking
  • Cryptocurrency payments

Q&A

What does the killswitch option mean?

  • It means that you won't have an Internet connection until the VPN connects to their servers, even if you are on 3G/4G data or Wi-Fi.
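As an added illustration of what that option does under the hood (example code written for these notes, not code from the talk or from IVPN): a killswitch is a default-deny firewall policy on the client, where the only traffic allowed off the machine is loopback, the encrypted transport to the VPN endpoint, and whatever already goes through the tunnel interface. The endpoint address 203.0.113.10 (a documentation address), port 51820 and interface name wg0 below are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the talk): a VPN "killswitch" enforced by the host
# firewall, expressed as an nftables ruleset. Everything that does not go
# through the tunnel interface is dropped, so when the tunnel is down or not
# yet up the machine has no Internet access instead of leaking traffic.
# Assumed placeholders: endpoint 203.0.113.10 (documentation address),
# WireGuard port 51820, tunnel interface wg0. Override via the environment.

VPN_ENDPOINT="${VPN_ENDPOINT:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-51820}"
TUN_IF="${TUN_IF:-wg0}"

# killswitch_ruleset ENDPOINT PORT TUN_IF
# Prints the ruleset so it can be reviewed before it is loaded with `nft -f`.
killswitch_ruleset() {
    endpoint="$1"
    port="$2"
    tun="$3"
    cat <<EOF
table inet killswitch {
    chain output {
        # Default: drop. Only the three exceptions below may leave the host.
        type filter hook output priority 0; policy drop;

        # 1. Loopback, so local services keep working.
        oifname "lo" accept

        # 2. The encrypted VPN transport itself, to the endpoint only.
        #    This matches IPv4 only; in an inet table every IPv6 packet that
        #    is not inside the tunnel falls through to the drop policy, which
        #    closes the classic IPv6 leak.
        ip daddr $endpoint udp dport $port accept

        # 3. Anything that is already inside the tunnel.
        oifname "$tun" accept
    }
}
EOF
}

# accept_rule_count ENDPOINT PORT TUN_IF
# Number of "accept" exceptions in the policy. A killswitch that quietly grows
# extra accept rules is a killswitch that is leaking, so this is worth checking.
accept_rule_count() {
    killswitch_ruleset "$@" | grep -c ' accept$'
}

case "${1:-print}" in
    print) killswitch_ruleset "$VPN_ENDPOINT" "$VPN_PORT" "$TUN_IF" ;;
    apply) killswitch_ruleset "$VPN_ENDPOINT" "$VPN_PORT" "$TUN_IF" | nft -f - ;;  # needs root
    off)   nft delete table inet killswitch ;;
esac
```

Run it with no argument to print the ruleset for review, `apply` (as root) to load it, and `off` to remove it again. A real deployment usually needs one more exception for DHCP on the physical interface, and optionally for the local LAN; that trade-off is exactly why VPN apps that ship a killswitch tend to expose an "allow LAN" toggle next to it.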

Do you think that the VPN industry will move towards better ethics in the future, since people have become more critical of VPN services, and they expect more transparency from them?

  • Viktor has written a couple of blog posts calling out VPN providers’ bad practices.
  • Ownership and transparency are among the biggest issues.
    • NordVPN
    • ExpressVPN
    • Several years ago, there was no transparency around their ownership and they finally were pressured to be open about ownership.
  • Best ways to change things are education and regulation.
    • Education is hard, because people won’t take the time to learn and invest.
    • On the regulation side, it’s not likely that there will be any

Does Proton VPN make the good list?

  • It will pass the list: no red flags, one or two yellow.
  • Proton is in Switzerland and they are having some issues with the jurisdiction.
    • Switzerland wants to reclassify VPNs as telecommunications providers which would mean that they would need to keep logs.

I'm curious if you can share some names of independent researchers or people that write about this. I have the IVPN blog as a resource to check out, but what about others?

  • High-profile names (experts): EFF, Bruce, Snowden. They won't give VPN provider recommendations because they can get burned very easily.
  • They know that there’s always something shady.
  • Privacy experts are the ones to trust because they don’t have political/money pressure.
  • The Consumer Reports VPN roundup with the VPN analyzer is a good resource to check.

Going beyond the presentation: I've chosen a VPN provider, what other things should I still be on the lookout for?

  • The VPN providers have to keep improving their products; their teams have to be on top of that.
  • You can monitor their activity and updates. If they don’t update anything, Viktor doesn’t advise staying with them.
  • It’s important to test their customer support and communication channels. Usually they are bad, and it’s important to find a provider that can help you quickly and efficiently when you have a problem with the product.

Do you know something about a good choice of VPNs for iOS? There's the rumor about iOS leaking data even if a VPN is active.