Dear Lifehacker, I've read about why I really should use a VPN and I've been looking into different providers, but there's one thing I'm worried about. Can't a VPN provider just look at my traffic all they want and see what I'm doing? Don't I just have to trust them not to spy on me? If that's true, how do I pick one I can trust, when they can all see what I'm doing?
Sincerely, Watching the Watchers
Dear Watching the Watchers, To a certain extent, you're right. You do have to trust that your VPN service provider has your best interests at heart, because you're relying on them to secure your connection, keep everything encrypted, and to protect your activity from prying eyes. You're connected to their network and their servers, and you have to trust that when they say your exit IP is in Sweden, for example, it really is and they're not just obfuscating something else. It's true—when you sign up for a VPN, you put a lot of trust in the company you sign up with.
Why Trust In Your VPN Provider Is Important
Not all VPN service providers are worth your trust. Some diligently log your connection times, dates, IP addresses, keep track of how long you're connected, and some even keep an eye on the types of traffic that you send through their networks while you're logged in. They'll tell you it's in order to make sure you're not doing anything illegal, or anything that would damage their network, but that level of snooping does kind of go against the whole purpose of a VPN, doesn't it?
The best ones keep as few logs as possible, and aren't interested in what you do while you're connected at all. Some don't even track when you're logged in or out, and even if they do have to keep some logs, they purge them periodically in order to protect your privacy. After all, the reason you pay for a VPN is for privacy and security, and if they keep their own data, they're the weak link in that chain. Here's are some tips on how to research a VPN and decide whether they're a good match for you.
Ask Yourself: What Are You Using a VPN For?
Whether you have a VPN provider already or you're searching for a good one, the first thing you should ask yourself is why you want one in the first place. Now, we've made the case for why most people should have one and what types of people need a VPN, but ultimately most needs boil down to two things: Security and privacy, or some combination of the two.
If security is all you're concerned with, and you have a VPN provided to you by your school or company, you're already set. In fact, almost any VPN will cover you from the security angle, because you're only really concerned about protecting your activity from prying eyes, presumably on the same network that you're on—like a hotel, coffee shop, or airport's free Wi-Fi. Of course, you still need to make sure that your VPN provider isn't just sniffing your traffic themselves and making themselves the security issue, but we'll get to that in a moment.
If privacy is your concern, you have more to consider. Privacy-minded VPN users have to trust that their provider isn't watching what they're doing or willing to roll over and hand off their activity, logs, and personal data to whoever comes calling with a fancy-looking letter written in legalese. They also have to worry about what information the VPN provider themselves are keeping, and whether that information can be turned against them, sold to third parties, used for marketing, or just kept forever just in case someone comes calling. In either case, all it takes to either allay your fears or warn you off of a VPN provider is a little research. Here's how to go about it.
Do Your Homework
This should go without saying, but you shouldn't sign up for a VPN service without at least looking at their privacy policy and terms of service. That should go for anything you sign up for, but with VPNs it's a bit more important. With free VPN providers, you should definitely do as much research as possible. Free providers have to make money somehow, and if it's not on premium plans or usage limits, after which you have to pay, you should assume they're making their money off of your data, logging your activity, and using it for marketing purposes.
Services we've mentioned, like previously mentioned Hotspot Shield, CyberGhost VPN, and HideMan, another service we like, are all great examples of free VPN providers that don't log, go out of their way to say so, and that support their free services by also offering premium and paid plans that offer more features (in the case of HotSpot Shieldf and CyberGhost) or more hours of use (in the case of Hideman).
Paid VPN providers are a different matter. Ideally, because you pay for their service, they should cater to both the privacy and security minded, but that's not true at all. Some providers are security minded, not privacy minded, and market themselves as such: You can use their services to stay safe online, but don't come with an expectation of privacy. If someone comes with a subpoena or a Cease and Desist, they'll cancel your account and turn over your data to whoever's asking for it, and they're not afraid to admit it. Here are some quick tips to help you research paid VPN services:
Google their name and "logging" in the same query. It may sound simple, but it's actually really effective. You'll usually turn up the provider's own privacy policy (which, in the worst cases can be so buried it's difficult to find), which can answer the question right away. Some VPN providers are proud to say they don't keep logs, or that they only keep access logs in order to bill you for usage, or that they do log, but they purge daily or weekly. Some will try to dance around the issue by saying they keep "whatever logs are required by law," which really means whatever law enforcement has asked them for—which could be anything. Others won't address the issue at all—that's where the rest of the results come in. You'll probably find other sites and articles discussing the company's logging policies, which can help you figure out if they care about your privacy as much as they care about your security.Don't be afraid to ask outright. if you don't get the answer you want from simple searches, contact them and ask what their logging and data retention policies are. Again, this is something you'd want to do with premium providers more than free ones—you don't want to spend your money unless you're sure what you're getting.Don't fall for the geography trap. Some people swear only by VPN providers outside their country for privacy. They're convinced that their local laws are privacy unfriendly, or that a provider in their country can be manipulated by other companies, legal wrangling, or law enforcement, and they'll just roll over and hand off whatever private data they have on their users. Trust us: geography won't save you. Living under the assumption that because a VPN provider is in another country it's immune to your local laws or will defend you when pressured is a false sense of security. Both law enforcement and private industry groups can exert authority and pressure anywhere in the world they choose, and in most cases they'll get the results they want if they push hard enough. Otherwise, they'll just pressure the government in that jurisdiction to act on their behalf. Put simply: Don't assume that because you live in the US and you use a VPN provider in The Netherlands that you're immune from the law, or that a VPN provider in your own country wouldn't fight harder for your privacy than one overseas. In some cases this is true, but logging, privacy policies, and the general philosophy of the company are generally more important than physical location. This thread at Wilder Security is essential reading on the topic.Pay attention to technology. When asked back in 2008 by CNET about WiTopia's privacy stance and technology, WiTopia president Bill Bullock explained that a number of single-server, fly-by-night VPN providers were beginning to pop up, making big privacy and security promises without actually having the technology to back them up. Since then, the number has only grown—it doesn't take much to set up a VPN concentrator anymore, and all it really takes is a few friends in a few different cities and countries willing to run their own servers to build a small network. However, if the company doesn't have the right technology on the back-end, they could be putting both your security and your privacy at risk, or wind up being victims of data theft, hacking, or spying themselves. When you're researching VPN providers, make sure they're above board with the level of encryption they offer, the security features they provide, and are open about who's reviewed them and the press they've gotten. Then double-check those reviews and look for independent opinions of their service, just to be sure.VPN services are thriving, and new subscriptions are big money. It's not uncommon for a VPN provider to play dirty, whitewash their issues, and put on a good face to attract customers. When we did our last Hive Five on VPN providers, we saw the ugly side of the business so clearly that we decided to do our own independent analysis to clear the air and make our own recommendations.
The best thing you can do is to take everything a provider themselves says with a grain of salt. If they're good, they'll back up their own claims, and welcome you to do as much additional research into them as you'd like. In addition to our guide to the topic, our friends at TorrentFreak recently updated their guide as well, and it's worth reviewing.
Take Matters Into Your Own Hands
VPNs aren't perfect. One thing you should always remember is that in general, traffic between your VPN exit node or exit server and your eventual destination is unencrypted—so while someone snooping on the other end may not get all the way back to your computer or location, if your data is unencrypted or sent in the clear (sites not using HTTPS, encrypted passwords, etc) it can be easily intercepted anyway. Using a VPN is no excuse for lax personal security.
Remember, whatever VPN provider you choose, you can always use additional privacy tools in conjunction with it. We've discussed some of those tools in detail, but it makes sense to keep them running. You could always combine services, like Tor and a VPN (although you really shouldn't use Tor for file-sharing traffic, if that's your goal) for extra anonymity, even if it doesn't offer any additional security. If you want to go that route, this thread at Wilder Security discusses the issue in detail. Similarly, TorrentFreak has an excellent guide to making your VPN even more secure.
Finally, you can always roll your own VPN if you have an always-on device at home, or a router that supports OpenVPN. You could even turn a $35 Raspberry Pi into a personal VPN you can connect to while you're on the go. Of course, this option is for the security-minded, not the privacy minded (as your traffic is only encrypted between a user and your home VPN server or personal router, and then unencrypted as it goes out to your ISP) but it's always an option, and add-ons like Privoxy (which we've shown you how to set up) can offer some anonymity for your home VPN.
We know it's a tricky topic, but you are right, Watching the Waters: Ultimately you have to trust your VPN provider has your best interests in mind, but the only way to get that level of trust is to do your homework, verify their promises and services are legit, and then take additional steps to protect yourself even if they're not, or they fail you somehow. There are good providers out there committed to your security and your privacy (we've mentioned some of them) that are worth your trust.
Sincerely, Lifehacker
Have a question or suggestion for Ask Lifehacker? Send it to tips+asklh@lifehacker.com.
Photos by Maksim Kabakou (Shutterstock), Maksim Kabakou (Shutterstock), Maksim Kabakou (Shutterstock), Maksim Kabakou (Shutterstock), and Maksim Kabakou (Shutterstock).
You may know what a VPN, or Virtual Private Network, is; you probably don't use one. You really should be using a VPN, and even if you don't think so now, at some point in the future you may consider it as important as your internet connection. More
Picking a VPN service provider to keep you safe and secure usually comes down to features, price, server location, and performance—not to mention the provider's track record on privacy and data logging. Last week, we asked you which providers you thought were the best for all of those things, and you weighed in. Then we took at look at the top five VPN service providers, based on those nominations. Now we're back to highlight the overall winner. More
Whether you're killing time at your favorite coffee shop or you're traveling for work and don't want your data falling into the wrong hands, you need a VPN to keep your traffic encrypted and secure. Even so, which VPN service is the best, and which offers the best combination of reliability, features, security, and affordability? We asked you, and this week we're going to look at the top five VPN service providers based on your nominations. More
Windows/Android: Hideman is a VPN service that's free for 4 hours per week and lets you select the country you want to look like you're coming from while you surf, perfect for getting around regional restrictions on streaming media services. More
Chrome: You can do almost all of your web browsing with just keyboard shortcuts, but in Chrome one of the missing features is the ability to open links inside a page. With the DeadMouse extension, you get that ability just by typing the words in the link. More
Coders love text editor Vim because you can do everything from the keyboard, avoiding detours into into slow, distracting mouse-click work. Here's how a single Chrome extension can change your browsing habits in similar get-what-you-came-for fashion. More
iOS: (Jailbroken): For whatever reason the mobile version of Safari doesn't have the same handy swipe gestures as its desktop counterpart. If you're looking to add those same gestures to the your iPhone or iPad, Swipe Safari does just that and allows you to customize your gestures in a variety of ways. More
Chrome: Whatever you use private browsing for, sometimes you want to start your secret browsing from the page you're already on. Incognito This moves your current page to a new incognito window, so you can continue browsing privately without starting from scratch. More
iOS: Private browsing isn't too difficult on a desktop computer, but keeping your web travels anonymous on an iPhone is a bit more difficult. If you want to hide your every move, Onion Browser is an app that uses Tor proxy servers to hide your activities from ISPs, other Wi-FI connections, and more. More
We've mentioned Collusion for Firefox in the past, but the folks at Disconnect have rebuilt the plugin for Chrome users as well, giving them the same live view of how the sites you visit on the web are tracking and transmitting data about you as you browse. As you browse, you can pull up the Collusion map to see which sites have dropped tracking cookies on your system and who else those sites send data to, all in real-time. More
Even if you have no idea what a VPN is (it's a Virtual Private Network), the acronym alone conjures visions of corporate firewalls and other relatively boring things, right? While a VPN is a common corporate security tool, it's also one of the coolest things you can set up for personal use that you probably have never tried. More
Android: If you've ever forgotten a USB cable and need a way to transfer data to your Android phone from your PC (or vice versa), Software Data Cable is a free app for Android that turns your phone into a networked storage device you can browse from your computer, no cables attached. More
Picture this: After hours of web browsing, your body is contorted in various unnatural positions over time. Your legs up on the table, or you're lying on the bed sideways with the laptop rotated sideways as well. Does that sound familiar? More
Dear Lifehacker, More
Firefox: If you miss real progress bars that tell you how much a web page has loaded, Progress Bar on Tab sticks them in Firefox's tab bar. More
You probably know that your iPhone has a .com button for quick domain extension typing, but did you know you don't even have to use it? If you want to go to a .com web site, all you need to do is type its name. More
Whenever you open Safari on iOS, it tries to load your last session. This is sometimes really helpful, but other times can be annoying, since you have to wait for your old page to load. Here's how to bypass that. More
Android only: Just because you don't have a fancy 4G phone doesn't mean you can't eke some more browsing speed out of your phone. Masqed Crusader speeds up your rooted phone by blocking ads, using Google DNS, and more with one tap. More
So, there are a new slew of services that promise to make the Internet an even more fraught place for the privacy-minded. From the Times: More
So, there are a new slew of services that promise to make the Internet an even more fraught place for the privacy-minded. From the Times: More
