Posted May 10, 2014 by TopDog in Articles
 
 

Can You Trust Your VPN?


When choosing a VPN provider, your priority is obviously to enhance your privacy and security online. Many people don’t stop to wonder: How do I know if I can trust my VPN? The truth is, it’s impossible to ever know 100% for sure, but there are several steps you can take when choosing a VPN provider in order to be 99.9% sure you’re making a safe choice.

The VPN Trust Paradox

The entire VPN industry is moving towards fewer and fewer logs and fewer requirements for subscriber information. Almost all the top VPN’s now accept Bitcoin, the world’s #1 crypto-currency. Why? Simply put, because that’s what the users want.

This is a double-edged sword

As VPN’s move towards greater anonymity, it also makes them less vulnerable to government pressure and regulation. On the one hand, this is what the users want, which is freedom from government oversight and complete anonymity online. But the question remains, if they can’t watch you, how can they watch the VPN to make sure they’re upholding their agreement with you?

This may make you wonder, How can I trust that my VPN really doesn’t keep logs or monitor my traffic? Well, unless you went in and did a complete technical inspection of the VPN’s operation, you can’t. VPN’s are deliberately non-transparent to protect the end user, but this could leave you vulnerable if the VPN provider you subscribe to is not exactly what they claim to be.

With new VPN companies popping up every day, all over the world, how do you really know which ones you can trust and which ones you can’t?

Here are our best tips to help you choose the Best VPN, the 1st time!

 Choose a VPN Provider with a long-standing reputation

Sure, you may google “cheap vpn provider” and see 5 companies you’ve never heard of offering you VPN service at rock-bottom prices, but it should make you wonder: how can they afford to offer such low prices? And how do you know who’s running these companies? For all you know, it could be a front for identity thieves, or an intelligence organization.

Rule #1: Choose a VPN Provider that has been in business at least 3 years

This is a long enough time frame that there will be lots of quality reviews of the VPN, so you can see if there are any issues like bad tech support, reports of hacking, spotty service etc. If you use a VPN for a month, it’ll be pretty clear whether they care about the long term success of their business. We’ve tested dozens of VPN’s and some of them can’t even build working VPN software. Needless to say, they don’t make the cut for this website.

Some VPN’s that have been in business quite a while:

It also helps if the VPN company (or parent company) is a well-known, established company that has a reputation to uphold. One such example is IPVanish. Their parent company (Highwinds Networks) owns one of the largest fiber-optic data backbones in the United States, and has a massive global presence. As such, they are highly trustworthy. Visit IPVanish to get the full details on their VPN service.

Choose a VPN From the Right Country

So many people keep trying to subscribe to offshore VPN’s from tiny island nations, or small former Soviet-bloc countries. The truth is, many of the best VPN services are located right in the United States. A lot of people don’t realize that the USA does not have data retention laws for VPN providers. They do have laws for internet providers like Time Warner, Comcast, Verizon, etc., but VPN companies currently are not required to maintain any logs of activity on their network. As such, there are plenty of non-logging US-based VPN’s.

Our Favorite No-Logs VPN’s based in the USA:

The U.S. isn’t the only place that has quality VPN companies, but it’s a decent place to start. The reason I like U.S.-based VPN’s is because you want a company to be located in a country where their contract with their subscribers (their terms of service/privacy policy) is enforceable. If a USA-based VPN guarantees that they keep no logs, you can believe it! If a VPN in some tiny island nation in the South Pacific says it, you might be a little skeptical.

If a VPN company is located in a country that is free from government oversight, then it is also probably free from accountability to its customers.

Some good guidelines for choosing the right country:

  • Choose a nation that is a global leader in freedom (USA, Germany, Netherlands, Switzerland, etc)
  • Choose a democratic country (Companies and government accountable to the people)
  • Choose a nation that values internet freedom and free speech.

Choose a VPN that cares about ‘Transparency’ and ‘Privacy’

Sure, you don’t want your VPN company to be transparent when it comes to the privacy of their users, but you might like your VPN to be transparent to consumers regarding their practices and policies so you can make an informed decision when choosing a VPN provider.

Two VPN’s really stand out in this regard. They have both expressed interest in having the EFF (Electronic Frontier Foundation) serve as an independent auditor for VPN services, to verify the setup, practices, and logging policies of VPN’s to make sure that they are honoring their promises to their customers. Once audited, the VPN might receive an EFF certified stamp or something similar that they could display on their website. As of now, this sort of vetting process doesn’t exist, but hopefully it will in the future.

The first firm on our list is Private Internet Access. They are an American-based VPN company that, since its founding, has chosen not to log any customer data regarding VPN usage. They’re also well respected in the industry for not divulging customer information, even to government requests, for the simple fact that they don’t have any information to release (no logs). That, coupled with their interest in having the EFF serve as a transparent VPN auditor, earns them our stamp of approval.

Proxy.sh is another VPN firm that’s really making progress in terms of transparency and openness. They actually publish the first VPN transparency report, which is updated on a daily basis. This transparency report lists every legal request that Proxy.sh receives as well as the action they took in response. They receive dozens of these types of requests daily, most of which are DMCA requests for files downloaded over peer-to-peer networks like BitTorrent.

Here’s an example of a common response by Proxy.sh to a DMCA complaint:

‘we have reset accounts who forwarded port 2071 (nothing may identify a single account) and we have blocked port 2071 via Firewall.’

What this really means is no action was taken against any subscribers and no personal information was divulged. Proxy.sh has in a few select cases divulged identifying information about subscribers, but only when these VPN subscribers were using Proxy.sh to harm human beings. Proxy.sh actually has an ‘Ethics’ policy on their website where they discuss special circumstances of abuse on their network including:

• Paedophilia;
• Physical supply of materials directly harmful to human beings (drugs, weapons, etc.);
• Activities planning and executing the death of other human beings (assassination, bombing, etc.);
• Identity theft to the extent of committing crimes on the behalf of someone else.

I personally believe it’s refreshing that a VPN is willing to take a moral stance and draw the line regarding use and abuse of their VPN network. Proxy.sh has stated that unless an activity on their network causes direct harm to human being(s), user privacy will not be violated.

Proxy.sh Warrant Canary

Proxy.sh has also instituted an experimental feature called a ‘Warrant Canary’ which is a mechanism designed to circumvent gag orders from a court regarding legal requests that might violate user privacy. It works like this:

A federal court might order proxy.sh to divulge subscriber information, and also order them not to speak about or divulge this request or exposure of user data. If the court has jurisdiction to enforce the first request, they must by definition have enough power to enforce the second.

The warrant canary is a page on the Proxy.sh website, certifying in legally binding terms that Proxy.sh has not executed any warrants, searches, or seizures of customers’ data that have not been disclosed in the transparency report. The critical line from the canary is this:

Right now, we are Friday, May 09. 2014 Friday – 09:00 CEST: Thick Cloud, 13°C (55°F) in Amsterdam, Netherlands.

To this date, there has been no warrants, searches or seizures that have not been reported in our Transparency Report, and that have actually taken place. The sky is blue 🙂

No warrants, searches or seizures of any kind, other than those reported via our Transparency Report, have ever been performed on proxy.sh assets, including in the following locations:

The first line is an identifier used to verify the current time and conditions of the statement via automated technology. The idea is that while proxy.sh may not be able to disclose specifics of a request if they are subject to a gag order, they can still legally say ‘I haven’t executed any legal requests that haven’t been published’. It’s kind of a brilliant concept.
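The automated check described above can be sketched as follows. This is an added example, not Proxy.sh's code: the date format is inferred from the sample quoted in this article, and the two-day freshness window, the fixed CEST offset and the function names are assumptions. The point it illustrates is that a canary only says something if someone notices when it goes stale or its statement disappears.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, based on the canary wording quoted in this article.
SAMPLE_CANARY = (
    "Right now, we are Friday, May 09. 2014 Friday – 09:00 CEST: "
    "Thick Cloud, 13°C (55°F) in Amsterdam, Netherlands.\n\n"
    "To this date, there has been no warrants, searches or seizures that "
    "have not been reported in our Transparency Report, and that have "
    "actually taken place. The sky is blue\n"
)

# Assumed layout of the dated first line, modelled on the sample above.
STAMP_RE = re.compile(
    r"([A-Z][a-z]+) (\d{1,2})\. (\d{4}) \w+ \S (\d{2}):(\d{2}) CEST")
# The statement whose disappearance is the signal a canary exists to send.
REQUIRED_PHRASE = "no warrants, searches or seizures"
CEST = timezone(timedelta(hours=2))  # assumption: fixed UTC+2 offset


def parse_stamp(text):
    """Return the canary's own timestamp, or None if no dated line is found."""
    m = STAMP_RE.search(text)
    if not m:
        return None
    month, day, year, hour, minute = m.groups()
    naive = datetime.strptime(
        f"{month} {day} {year} {hour}:{minute}", "%B %d %Y %H:%M")
    return naive.replace(tzinfo=CEST)


def check_canary(text, now, max_age=timedelta(days=2)):
    """Classify a fetched canary page: 'ok', 'stale', 'future' or 'missing'."""
    if REQUIRED_PHRASE not in text:
        return "missing"   # statement withdrawn or reworded: treat as an alert
    stamp = parse_stamp(text)
    if stamp is None:
        return "missing"   # no verifiable date means no assurance
    if stamp > now + timedelta(hours=1):
        return "future"    # a date ahead of the clock proves nothing
    if now - stamp > max_age:
        return "stale"     # not refreshed recently: treat as an alert
    return "ok"
```

Anything other than "ok", including a failure to fetch the page at all, should be handled as a warning rather than ignored, and an "ok" only covers the period up to the date on the page.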

The effectiveness of a warrant canary hasn’t been fully tested in court (for example, does a warrant canary violate a gag order?) but it’s a huge leap in transparency and Proxy.sh is on the cutting edge. Please visit their website to learn more and read the warrant canary for yourself!

 Take Additional Security Measures

If you need more than trust, you can always take additional steps yourself to make sure that even your VPN service can’t see the full picture of your internet traffic and/or identity. Here are a few simple measures you can institute to build a rock solid web privacy fortress!

Make your web browsing even more anonymous with Tor.

If you want to make sure that even your VPN provider can’t see what sites you’re visiting online, use an anonymous web browsing solution like Tor. The Tor Browser is a free software solution that allows easy, anonymous internet access. In simple terms, the Tor Browser encrypts your browser data and bounces it through multiple relay proxies, while not allowing any of the relays to know the originating point of the data.

Since Tor both encrypts and anonymizes your web browsing, even your VPN can’t snoop on it.

Use HTTPS Everywhere browser extension

HTTPS Everywhere is a collaborative project between the EFF and the Tor Project, to easily enhance individuals’ online security for free.

HTTPS is an encrypted web protocol used by almost all major websites where sensitive data is transferred. For example, when you log into your bank account online, I can guarantee the start of the website address will read https instead of http. HTTPS uses SSL encryption to make sure sensitive data transferred between your computer and the website isn’t vulnerable to being easily stolen.

The problem with https is that your bank’s website has to specifically tell your browser to use https instead of the unencrypted http connection, and sometimes it forgets to do this when you go from an unencrypted page (something like faq or information) to an encrypted one (like your account balance). As you can imagine, this is a big security leak.

HTTPS Everywhere is a simple browser extension (totally free) that forces your browser to use an https connection whenever available. If https is available on a website, it’s available on every page, even if the website doesn’t tell your browser that. The result is your browser will always use the more secure protocol whenever it is available on any website.
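A simplified model of that rewriting step, as an added example that is not the extension's own code: the ruleset structure, its field names and the `bank.example` hosts are constructed for illustration. It shows what "whenever available" means in practice: a request is only upgraded when a rule covers the host, and anything else stays on plain HTTP.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed ruleset for hypothetical hosts; field names are this example's own.
RULESETS = [
    {
        "targets": ["bank.example", "*.bank.example"],
        # Pages known not to work over HTTPS are left alone.
        "exclusions": [r"^http://legacy\.bank\.example/"],
        "rules": [(r"^http:", "https:")],
    },
]


def upgrade_url(url, rulesets=RULESETS):
    """Return the URL to request instead of `url` (unchanged if no rule applies)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url                      # already HTTPS, or not a web URL
    for ruleset in rulesets:
        if not any(fnmatch(parts.hostname, t) for t in ruleset["targets"]):
            continue                    # this ruleset does not cover the host
        if any(re.search(x, url) for x in ruleset["exclusions"]):
            return url                  # excluded: HTTPS known to be broken here
        for pattern, replacement in ruleset["rules"]:
            new_url, hits = re.subn(pattern, replacement, url, count=1)
            if hits:
                return new_url
    return url                          # unknown host: stays on plain HTTP


def audit_links(links, rulesets=RULESETS):
    """Split links into (upgraded pairs, links that would still go out in clear)."""
    upgraded, plaintext = [], []
    for link in links:
        new_url = upgrade_url(link, rulesets)
        if new_url != link:
            upgraded.append((link, new_url))
        elif urlsplit(link).scheme == "http":
            plaintext.append(link)
    return upgraded, plaintext
```

The second list returned by `audit_links` is the part worth reading: those are the requests that still leave the browser unencrypted even with upgrade rules in place.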

HTTPS Everywhere is currently available for: Firefox, Chrome, Opera, and Android. Download your free copy now!

Use Redundant Security (Add a 2nd VPN)

If you want to insulate yourself even further, utilize a 2nd VPN service (from a different VPN provider obviously) simultaneously. The idea is this: you always connect to the VPN’s in the same order. One VPN will be the inner, the other will be the outer.

The inner VPN can see your traffic but can’t see where it’s going because it will then be routed to the outer VPN. The outer VPN can see what sites you’re visiting, but doesn’t know who you are or where the data is going. Each VPN only has half the picture and you’re much more secure.

 Conclusion:

This article is a work in progress and we’ll continue to add solutions to help you increase your online security. In the meantime, I hope it helped make your decision a little easier and maybe you even learned something in the process. If you’re ready to choose a VPN provider, feel free to read our reviews. If you still need a little advice, go out to the interwebs and ask somebody who they’d recommend. The truth is, you’re always gonna have to place a little trust in somebody; so who’s it gonna be? Good luck 🙂