Guide: How To Choose A VPN (Virtual Private Network) Provider

There are thousands of articles about VPNs out there, often written by VPN providers trying to position their VPN as the best. Many give conflicting advice to the point that it is confusing and challenging to choose a reliable, privacy-focused VPN provider. 

We wrote this article to help you cut through the confusion and select a VPN provider who is serious about your privacy. Your privacy is our top priority, and a big part of remaining private on the internet is using a VPN.

What Is a VPN?

VPN stands for 'virtual private network.' Most large businesses and many privacy-focused consumers use a VPN to protect themselves from internet snooping when they are surfing the web. 

Internet snoops can include your ISP (internet service provider), who likes to 'sniff' your internet traffic and record your browsing activity. They then sell that data to whoever will buy it, which is perfectly legal. Other internet snoops include whoever is providing you with the internet on public or private WiFi networks. Think about the WiFi networks you connect to in hotels or coffee shops. You are using their internet connection, and those network providers can sniff the traffic passing through their system.

So how does a VPN protect you? To put it simply, a VPN creates a secure tunnel between your computer and the VPN provider's server. Once the tunnel has been created, everything that you do is hidden from anyone who might be snooping. All your ISP can see is that you connected to the VPN provider's server. They cannot see what else you are doing through that connection. 

With a VPN, you first connect to the internet via the provider's servers and then use that connection to access the rest of the world wide web. Any website that you visit sees the IP address of that server rather than yours, making it much more difficult for them to identify you and track your online browsing habits. In today's digital world, where everything we do is tracked and logged, this can provide a robust measure of privacy when using any kind of internet network.

While you use a VPN, you can secure your internet traffic over unsecured networks (coffee shop or hotel WiFi), giving you a layer of protection when connecting to your online banking service or buying something online. The VPN ensures that your credit card details, banking logins, and passwords cannot be sniffed by whoever runs the internet network you are connected to. 

This has some advantages in addition to the additional layer of privacy it creates. For example, if you are traveling overseas, a VPN service allows you to connect to the internet via the provider's US servers, making it easy for you to access US internet services that may not be available abroad. Many websites restrict access to their content based on your geographical location. Netflix, for example, offers a broader choice of content to Americans than almost any other country and you cannot access it from overseas.

The primary goal of a VPN is to create privacy and provide security for anything that you do on the internet. But this does not always mean that your privacy is assured. There can still be plenty of risks when using a VPN because the VPN provider can effectively record and log everything that passes through its network, just as an ISP or WiFi network owner can. Remember that the VPN is their network, and they have complete visibility over what passes through it in addition to being able to identify you as a user uniquely. 

The VPN provider may also sell your personal information and data to third parties, especially if the VPN service that you are using is free. Remember that when something is free, you are the product. VPN providers are no exception to this maxim.

Some unscrupulous VPN providers even go as far as replacing advertisements on webpages with their own. Some have even been known to display malicious advertisements (also known as malvertising) to their customers, which can result in their personal computers becoming infected with ransomware and malware.

Despite the possibility that a VPN provider can behave in this way, it is always advisable to access the internet through a VPN provider, especially when you are using public WiFi networks!

Choosing a Privacy-Focused VPN Provider

There are lots of VPN providers globally. Many of them are reliable, with some offering unique features that only they have. Price points are usually cheap at around five to ten dollars per month on a subscription basis, with annual discounts provided. There are also lots of VPN providers that offer a free service in exchange for being able to show you advertisements, but as we covered above, these are perhaps best avoided. 

Most subscription-based VPN providers will provide a decent service, which will allow you to add a privacy layer to your online activity. Still, if you want to enable online privacy in the right way, then it is essential to choose your VPN provider wisely. 

Wisely because, as we mentioned, a VPN provider can sniff and log your online activity just like your ISP or WiFi hotspot provider can. 

Also, remember that if you're going to use a VPN service, you typically have to download and install the VPN provider's client onto your personal computer to control your connection to the internet. That requires that you trust the VPN provider not to snoop on you.

Instructions for the Paranoid 

If you are particularly concerned about maintaining your privacy, the following advice is for you! Forget about subscribing to VPN providers in the United States, United Kingdom, Australia, New Zealand, Canada, Denmark, France, Netherlands, Norway, Belgium, Germany, Italy, Spain, Israel, Sweden, and of course, countries such as Russia, China, Iran, and all Arab states. All of these countries engage in mass surveillance programs, and most have partnerships with third-party countries to exchange intelligence information with each other. 

Many also have data retention laws, which means VPN providers must log all customer activity and hand it over to law enforcement or the authorities if requested. You do not have to break the law to worry about this. Remember that in the US, the FBI can view your browsing history without a warrant and for any reason without notifying you, and this includes VPN usage.

In many of the countries listed above, one of the components of mass surveillance programs is intercepting VPN traffic. The usual suspects engaged in global surveillance activity and intercepting your VPN traffic are the following:

The Five Eyes Alliance - The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. These countries are parties to the multilateral UKUSA Agreement, a treaty for cooperation in signals intelligence that covers VPN interception.

The Nine Eyes - This includes the Five Eyes countries as well as Denmark, The Netherlands, Norway, and France.

The Fourteen Eyes - There is another working agreement amongst 14 nations officially known as SIGINT Seniors Europe, or "SSEUR". These "14 Eyes" consist of the same members of Nine Eyes plus Belgium, Germany, Italy, Spain, and Sweden.

“I have nothing to hide from the intelligence services,” you might say. But do you really want them to be able to spy on you for any reason when you are trying to be private? Do you really agree with intelligence agencies being able to monitor your every move online?

What To Consider When Choosing A VPN Provider

• It is important that the VPN provider supports the OpenVPN project, it is open-source VPN software, and available under a GNU license. This means that its source code can be (and is) independently audited by third parties and security-researched to verify that it is free of backdoors and monitoring tools.
• It is crucial to choose a VPN provider with resources that runs its own servers in countries where the national laws are in support of your right to privacy. Most VPN providers tend to be smaller companies that use someone else's server infrastructure to provide you with their service, typically infrastructure as a service model (IaaS). For this reason, you have to be careful because if the provider does not own and completely control their own infrastructure, they cannot offer you privacy guarantees. This especially applies if they rent servers in countries where there are mass surveillance programs in operation or jurisdictions operated by repressive regimes.
• The VPN provider must support the most secure encryption protocols for connecting to their servers. The most secure one is currently the OpenVPN protocol.
• It is important that the VPN provider owns its own DNS servers to prevent the leakage of your browsing history (from the DNS requests). You should be able to check if this is the case by running the DNS leak test when you are using your VPN.
• Your VPN provider must have DNS leak prevention built into their VPN client software to protect your browsing history.
• It is important that your VPN provider separates your internet traffic depending on the protocol that you use, meaning that it should separate your web browsing from your file sharing and have a dedicated server for each protocol.
• Your VPN provider's client must have a 'kill switch' that automatically shuts off your internet connection if your VPN fails for some reason. This will prevent the accidental leakage of your online activity to your ISP or network owner.
• It is important that your VPN provider supports multiple devices so you can extend privacy protection across your entire device estate.
• Ideally, your VPN provider should be set up to accept anonymous payment mechanisms like cash, bitcoin, and gift cards without asking you for ID. If you cannot pay anonymously, you can be identified by 'following the money.'
• It is important that your VPN provider does not ask for lots of personal detail when you sign up. Ideally, it just needs an email address and password from you to get started. If you are especially paranoid, you can use a one-time email address like TempMail to avoid giving away your real address.
• Your VPN provider should not store any personal information and that they operate a no-logging or zero-knowledge policy.
• It is important that your VPN provider does not collect any anonymous information about its users, either for diagnostic purposes or for marketing.
• You should read your VPN provider’s terms of service and their privacy policy properly. Both of these policies will enable you to understand their privacy stance and the amount of information that they are going to be collecting on you. These policies also will explain the circumstances which will cause them to hand over data to either the government, intelligence agencies, or law enforcement agencies
• Never use a free VPN for important online tasks. They log your browsing history and monitor your internet usage as a way of recouping the cost of you using their 'free' service. Remember that if it's free, you are the product.

Learn About Laws Which Cover VPNs

It doesn't matter how good the technical measures your VPN provider takes to protect your privacy are if they operate in a jurisdiction that is unfriendly to privacy. 

For example, in the United Arab Emirates or China, a VPN can only operate with a license from the government. Both of those countries enforce data retention policies on VPN providers. This means that they will be gathering information on their customer's online activities to be permitted to do business by the state. Typically, this logging includes connection logs (username, password, email address, and billing address) and activity logs (your browsing history). 

In Europe, however, the General Data Protection Regulation (GDPR) forbids a VPN provider from recording and storing data on your activity logs or connection logs beyond what is required to properly maintain service to your account. But despite this restriction, nothing is stopping them from covertly gathering this data from you on behalf of intelligence agencies who do not particularly care much for GDPR. 

In the US, all VPN providers need to maintain logs of their customer's activities as part of their licenses with the government. This makes US VPN providers a particularly bad choice for privacy-focused consumers who want their activity to remain private.

Many users in the know choose Switzerland-based VPN providers. From a consumer’s perspective, Swiss privacy laws are considered the best in the world. Swiss cyber and privacy laws do not require Swiss VPN providers to log anything, and this includes your activity logs or the IP address used when you access their VPN servers. The Swiss are also not involved with any intelligence-sharing activities other countries are; they are not a signatory of any of the surveillance agreements like the 5, 9, or 14 eyes.

Conclusion

VPN is supposed to protect your privacy online and increase the overall security of your online activities. However, using the wrong VPN provider can give you a false sense of security, which is worse than having no security at all. 

There are lots of VPN providers who are actively promoting their services globally, and as a customer, you need to be very careful which of them you choose if you want to retain your privacy online. This means carefully reading all of their terms and conditions, as well as their privacy policy. You also need to take into account the jurisdictions they are based in and if they own and control their infrastructure. 

The good news is that by following the advice in this guide and being careful about the providers you choose, you can maintain your privacy online. But be warned - VPN providers are there (or should be there) to protect your privacy. They are not meant to be anonymity providers. If you want to be anonymous online, a VPN provider is a poor choice. Instead, you should be looking at the Tor Project.

Choosing any kind of cybersecurity technology can be a difficult and often confusing challenge, this is where Digital Hands can help. We employ a deeply experienced team of cybersecurity professionals who regularly make significant investments into a wide range of different cybersecurity technologies that we use to secure our customers’ IT infrastructures. If you have any questions about cybersecurity technology, or want to know how we can put our technology investments to work securing your IT infrastructure and employees, please get in touch with us.