Dear Lifehacker, I've read about why I really should use a VPN and I've been looking into different providers, but there's one thing I'm worried about. Can't a VPN provider just look at my traffic all they want and see what I'm doing? Don't I just have to trust them not to spy on me? If that's true, how do I pick one I can trust, when they can all see what I'm doing?
Sincerely, Watching the Watchers
Dear Watching the Watchers, To a certain extent, you're right. You do have to trust that your VPN service provider has your best interests at heart, because you're relying on them to secure your connection, keep everything encrypted, and to protect your activity from prying eyes. You're connected to their network and their servers, and you have to trust that when they say your exit IP is in Sweden, for example, it really is and they're not just obfuscating something else. It's true—when you sign up for a VPN, you put a lot of trust in the company you sign up with.
Why Trust In Your VPN Provider Is Important
Not all VPN service providers are worth your trust. Some diligently log your connection times, dates, IP addresses, keep track of how long you're connected, and some even keep an eye on the types of traffic that you send through their networks while you're logged in. They'll tell you it's in order to make sure you're not doing anything illegal, or anything that would damage their network, but that level of snooping does kind of go against the whole purpose of a VPN, doesn't it?
The best ones keep as few logs as possible, and aren't interested in what you do while you're connected at all. Some don't even track when you're logged in or out, and even if they do have to keep some logs, they purge them periodically in order to protect your privacy. After all, the reason you pay for a VPN is for privacy and security, and if they keep their own data, they're the weak link in that chain. Here are some tips on how to research a VPN and decide whether they're a good match for you.
Ask Yourself: What Are You Using a VPN For?
Whether you have a VPN provider already or you're searching for a good one, the first thing you should ask yourself is why you want one in the first place. Now, we've made the case for why most people should have one and what types of people need a VPN, but ultimately most needs boil down to two things: Security and privacy, or some combination of the two.
If security is all you're concerned with, and you have a VPN provided to you by your school or company, you're already set. In fact, almost any VPN will cover you from the security angle, because you're only really concerned about protecting your activity from prying eyes, presumably on the same network that you're on—like a hotel, coffee shop, or airport's free Wi-Fi. Of course, you still need to make sure that your VPN provider isn't just sniffing your traffic themselves and making themselves the security issue, but we'll get to that in a moment.
If privacy is your concern, you have more to consider. Privacy-minded VPN users have to trust that their provider isn't watching what they're doing or willing to roll over and hand off their activity, logs, and personal data to whoever comes calling with a fancy-looking letter written in legalese. They also have to worry about what information the VPN provider themselves are keeping, and whether that information can be turned against them, sold to third parties, used for marketing, or simply kept forever in case someone comes calling. In either case, all it takes to either allay your fears or warn you off of a VPN provider is a little research. Here's how to go about it.
Do Your Homework
Services we've previously mentioned, like Hotspot Shield and CyberGhost VPN, along with Hideman, another service we like, are all great examples of free VPN providers that don't log, go out of their way to say so, and that support their free services by also offering premium and paid plans that offer more features (in the case of Hotspot Shield and CyberGhost) or more hours of use (in the case of Hideman).
VPN services are thriving, and new subscriptions are big money. It's not uncommon for a VPN provider to play dirty, whitewash their issues, and put on a good face to attract customers. When we did our last Hive Five on VPN providers, we saw the ugly side of the business so clearly that we decided to do our own independent analysis to clear the air and make our own recommendations.
The best thing you can do is to take everything a provider themselves says with a grain of salt. If they're good, they'll back up their own claims, and welcome you to do as much additional research into them as you'd like. In addition to our guide to the topic, our friends at TorrentFreak recently updated their guide as well, and it's worth reviewing.
Take Matters Into Your Own Hands
VPNs aren't perfect. One thing you should always remember is that in general, traffic between your VPN exit node or exit server and your eventual destination is not encrypted by the VPN—so while someone snooping on the other end may not get all the way back to your computer or location, if your data is unencrypted or sent in the clear (sites not using HTTPS, unencrypted passwords, etc.) it can be easily intercepted anyway. Using a VPN is no excuse for lax personal security.
Remember, whatever VPN provider you choose, you can always use additional privacy tools in conjunction with it. We've discussed some of those tools in detail, but it makes sense to keep them running. You could always combine services, like Tor and a VPN (although you really shouldn't use Tor for file-sharing traffic, if that's your goal) for extra anonymity, even if it doesn't offer any additional security. If you want to go that route, this thread at Wilder Security discusses the issue in detail. Similarly, TorrentFreak has an excellent guide to making your VPN even more secure.
Finally, you can always roll your own VPN if you have an always-on device at home, or a router that supports OpenVPN. You could even turn a $35 Raspberry Pi into a personal VPN you can connect to while you're on the go. Of course, this option is for the security-minded, not the privacy-minded (as your traffic is only encrypted between you and your home VPN server or personal router, and then unencrypted as it goes out to your ISP), but it's always an option, and add-ons like Privoxy (which we've shown you how to set up) can offer some anonymity for your home VPN.
We know it's a tricky topic, but you are right, Watching the Watchers: Ultimately you have to trust that your VPN provider has your best interests in mind, but the only way to get that level of trust is to do your homework, verify their promises and services are legit, and then take additional steps to protect yourself even if they're not, or they fail you somehow. There are good providers out there committed to your security and your privacy (we've mentioned some of them) that are worth your trust.
Have a question or suggestion for Ask Lifehacker? Send it to email@example.com.
Photos by Maksim Kabakou (Shutterstock).