Is your VPN secure?

About a quarter of internet users use a virtual private network, a software setup that creates a secure, encrypted data connection between their own computer and another one elsewhere on the internet. Many people use them to protect their privacy when using Wi-Fi hotspots, or to connect securely to workplace networks while traveling. Other users are concerned about surveillance from governments and internet providers.

Many VPN companies promise to use strong encryption to secure data, and say they protect users’ privacy by not storing records of where people access the service or what they do while connected. If everything worked the way it was supposed to, someone snooping on the person’s computer would not see all their internet activity – just an unintelligible connection to that one computer. Any companies, governments or hackers spying on overall internet traffic could still spot a computer transmitting sensitive information or browsing Facebook at the office – but would think that activity was happening on a different computer than the one the person is really using.

However, most people – including VPN customers – don’t have the skills to double-check that they’re getting what they paid for. A group of researchers I was part of do have those skills, and our examination of the services provided by 200 VPN companies found that many of them mislead customers about key aspects of their user protections.

How a VPN secures internet activity. Mohammad Taha Khan, CC BY-ND

Consumers are in the dark

Our research found that it is very hard for VPN customers to get unbiased information. Many VPN providers pay third-party review sites and blogs to promote their services by writing positive reviews and ranking them highly in industry surveys. These amount to advertisements to people considering purchasing VPN services, rather than independent and unbiased reviews. We studied 26 review websites; 24 of them were getting some form of kickback payment for positive reviews.

A typical example was a site listing hundreds of VPN companies that rated more than 90 percent of them as 4 out of 5 or higher. This is not illegal, but it skews evaluations that could be independent. It also makes competition much more difficult for newer and smaller VPN providers that may have better service but lower budgets to pay for good publicity.

Vague on data privacy

We also learned that VPN companies don’t always do much to protect users’ data, despite advertising that they do. Of the 200 companies we looked at, 50 had no privacy policy posted online at all – despite laws requiring them to do so.

The companies that did post privacy policies varied widely in their descriptions of how they handle users’ data. Some policies were as short as 75 words, a far cry from the multi-page legal documents standard on banking and social media sites. Others did not formally confirm what their advertisements suggested, leaving room to spy on users even after promising not to.

Leaking or monitoring traffic

Much of the security of a VPN depends on ensuring that all the user’s internet traffic goes through an encrypted connection between the user’s computer and the VPN server. But the software is written by humans, and humans make mistakes. When we tested 61 VPN systems, we found programming and configuration errors in 13 of them that allowed internet traffic to travel outside the encrypted connection – defeating the purpose of using a VPN and leaving the user’s online activity exposed to outside spies and observers.