Virtual Private Nightmare: Your VPN Isn’t Safe. What’s The Best VPN?
Even the honest VPN companies can be forced to go bad. Only you can avoid the potential bad eggs.
Virtual Private Networks (VPNs) have become essential tools for online privacy, encrypting internet traffic and masking users’ IP addresses. However, despite marketing claims of being “no-log” and “privacy-focused,” most VPN providers collect some level of user data. Additionally, many operate within jurisdictions under surveillance alliances such as the Five Eyes, Nine Eyes, and Fourteen Eyes, raising concerns about potential government access to user information. This article explores the reality of VPN logging, the influence of intelligence-sharing alliances, and controversies involving major VPN providers.
The Reality of VPN Logging
Most VPNs claim to have “no-log” policies, meaning they do not store data about users’ online activities. However, the term “no-log” can be misleading. While some VPNs do not store connection logs (such as IP addresses and browsing history), they often log metadata such as timestamps, bandwidth usage, and server connections, and, worst of all, payment details tied to an email address. This data, while seemingly harmless, can still be used to track user behavior if combined with other sources.
Many VPN providers are also required to comply with local data retention laws. Even if they do not log user activity themselves, they may be forced to hand over connection data to authorities if requested.
The Five Eyes, Nine Eyes, and Fourteen Eyes Alliances
VPN jurisdiction matters because of international surveillance alliances that facilitate intelligence sharing between governments.
• Five Eyes (FVEY): A longstanding intelligence-sharing alliance between the United States, the United Kingdom, Canada, Australia, and New Zealand. These countries collaborate to monitor and collect global communications data, often bypassing their own domestic surveillance restrictions by collecting information through allied nations.
• Nine Eyes: Expands the Five Eyes alliance to include Denmark, France, the Netherlands, and Norway.
• Fourteen Eyes: Further extends the alliance to Germany, Belgium, Italy, Sweden, and Spain.
If a VPN provider operates in a country within these alliances, it could be legally compelled to provide user data, even if the company claims to have a no-logging policy. Moreover, these countries may share intelligence among themselves, making it difficult to determine how widely user data may be distributed.
VPN Controversies: Who Can You Trust?
Several major VPN providers have been embroiled in controversies over data logging, acquisitions, and government cooperation.
Kape Technologies’ Acquisition of PIA and Other VPNs
Kape Technologies, a company with a controversial past in adware and malware distribution under its previous name “Crossrider,” has acquired several major VPNs, including:
• Private Internet Access (PIA)
• CyberGhost
• ZenMate
• ExpressVPN
The acquisition of PIA, once a widely trusted VPN provider, raised concerns among privacy advocates. Critics argue that Kape Technologies’ history in adware contradicts the fundamental values of privacy and security that VPN users seek. While Kape has since rebranded and distanced itself from its past activities, skepticism remains regarding the company’s true commitment to user privacy.
ExpressVPN and Ties to Government Agencies
ExpressVPN, also owned by Kape Technologies, faced backlash when it was revealed that one of its executives, Daniel Gericke, was a former operative in Project Raven — a secret UAE surveillance program that targeted journalists and activists. This raised concerns that ExpressVPN’s leadership had ties to government surveillance operations. Despite this, ExpressVPN has maintained that its infrastructure remains private and secure.
NordVPN and the 2018 Data Breach
NordVPN, one of the most popular VPN services, faced a controversy in 2018 when it was discovered that a hacker had gained access to a server in a third-party data center. Although NordVPN claimed that no user data was compromised due to its no-logs policy, critics questioned why the company did not disclose the breach sooner. This incident highlighted the risks of trusting VPNs that rely on external infrastructure rather than fully owning their servers.
PureVPN and Cooperation with the FBI
PureVPN, a provider that claimed to have a no-logs policy, was found to have cooperated with the FBI in a 2017 criminal investigation. Court documents revealed that PureVPN provided authorities with IP address logs that were used to track a suspect. This directly contradicted its claims of not storing any user data, demonstrating that some VPNs may mislead users about their logging practices. All of this is just the tip of the iceberg, as nearly any VPN can be forced to cooperate with authorities; even if they didn’t log before, they absolutely can be forced to.
The Risk of Honeypotted or Compromised VPN Servers
Even if a VPN provider has a strict no-logs policy, its servers — especially those located in jurisdictions within the Five Eyes, Nine Eyes, or Fourteen Eyes alliances — can still be hijacked, monitored, or turned into honeypots by federal authorities.
How VPN Servers Can Be Compromised
1. Law Enforcement Seizures and National Security Letters (NSLs)
• Governments, particularly in the U.S., U.K., and other allied countries, have the power to seize VPN servers or force VPN providers to turn over access to their infrastructure.
• In the U.S., the Patriot Act and National Security Letters (NSLs) allow federal agencies to demand user data in secret, preventing the VPN provider from notifying its customers.
• Some VPNs use rented servers from third-party data centers, which can be forced to log traffic even if the VPN itself does not want to.
2. Honeypot Servers to Monitor User Activity
• Authorities may secretly take control of a VPN server and use it as a honeypot, meaning it continues to function as usual but logs user activity in the background.
• Since VPN traffic is encrypted, authorities may not be able to see exactly what a user is doing, but they can log connection times, originating IP addresses, and destinations, which can be enough to correlate users with specific activities.
3. Compromised or Malicious Third-Party Hosting Providers
• Many VPN providers rent servers rather than owning their hardware, especially in high-traffic locations. This means that the data center or hosting provider could be logging traffic without the VPN’s knowledge.
• Even if a VPN claims a “no-logs” policy, it may have little control over whether an external hosting company is secretly logging user metadata.
4. Court Orders and Secret Cooperation
• Some VPNs claim they would “shut down operations” rather than comply with a government order, but history has shown that companies often comply when pressured.
• For example, Riseup VPN, a privacy-focused service, was forced to comply with an FBI subpoena in 2017. While it did not log user activity at the time, this case demonstrated that VPN providers operating in certain jurisdictions could be compelled to comply with law enforcement requests.
High-Risk VPN Locations
VPNs with servers or headquarters in Five, Nine, or Fourteen Eyes countries are at higher risk of having their servers compromised. Some of the highest-risk locations include:
• United States (FBI, NSA, CIA)
• United Kingdom (GCHQ)
• Australia (ASD, AFP)
• Canada (CSE, RCMP)
• New Zealand (GCSB)
• Germany, France, Netherlands (within Nine Eyes)
• Sweden, Belgium, Italy (within Fourteen Eyes)
How to Protect Yourself from Compromised VPN Servers
• Choose a VPN based outside surveillance alliances — Countries like Switzerland, Panama, and the British Virgin Islands have looser data retention laws and are not part of intelligence-sharing agreements.
• Use Multi-Hop (Double VPN) or Tor over VPN — This helps obfuscate traffic so that even if a VPN server is compromised, the originating IP address is hidden behind another layer of encryption.
• Prefer VPNs that own their hardware — Some VPNs, like Mullvad and IVPN, run their own bare-metal servers instead of relying on rented data center servers. (Note: Mullvad and IVPN both still use rented servers as well)
• Use Open-Source VPN Protocols — Open-source protocols like WireGuard or OpenVPN allow users to inspect the code and verify that the service does not have hidden backdoors.
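To make the honeypot section and the multi-hop bullet above concrete, here is an added toy model (not the article’s code, and not how any real VPN implements its tunnels): the client nests one encrypted layer per hop, each hop peels only its own layer and logs the two things a compromised server can see (who it received from and where it forwards to), and a checker asks whether the pooled logs of the compromised hops link the client IP to the destination. The addresses, keys, and the SHA-256 XOR stream cipher are constructed placeholders.

```python
import hashlib

def _xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream XOR); symmetric, so it both wraps and peels."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(layers, payload: bytes) -> bytes:
    """Client nests one envelope per hop (entry to exit). Each envelope holds
    only the next-hop address plus an opaque blob that hop must forward."""
    blob = payload
    for key, nxt in reversed(layers):
        blob = _xor(key, bytes([len(nxt)]) + nxt.encode() + blob)
    return blob

def peel(key: bytes, blob: bytes):
    """A hop strips its own layer: it learns the next address and nothing deeper."""
    env = _xor(key, blob)
    n = env[0]
    return env[1:1 + n].decode(), env[1 + n:]

def route(client_ip: str, hops, dest: str, payload: bytes = b"GET / HTTP/1.1"):
    """Push one flow through the chain and return what a logging (honeypot)
    server at each hop could record: the peer it received from and the next hop."""
    layers = [(h["key"], hops[i + 1]["addr"] if i + 1 < len(hops) else dest)
              for i, h in enumerate(hops)]
    blob, src, logs = wrap(layers, payload), client_ip, {}
    for h in hops:
        nxt, blob = peel(h["key"], blob)
        logs[h["name"]] = {"src": src, "next": nxt}
        src = h["addr"]
    assert blob == payload  # only the exit hop recovers the cleartext request
    return logs

def linkable(logs, compromised, client_ip: str, dest: str) -> bool:
    """True if the pooled logs of the compromised hops alone tie client_ip to dest.
    Pooling models intelligence sharing between cooperating jurisdictions."""
    saw_client = any(logs[n]["src"] == client_ip for n in compromised)
    saw_dest = any(logs[n]["next"] == dest for n in compromised)
    return saw_client and saw_dest

# Constructed placeholder addresses and keys (documentation ranges, not real hosts).
CLIENT, DEST = "192.0.2.44", "example.org:443"
SINGLE = [{"name": "vpn", "addr": "203.0.113.10", "key": b"vpn-key-placeholder"}]
DOUBLE = [{"name": "entry", "addr": "203.0.113.10", "key": b"entry-key-placeholder"},
          {"name": "exit", "addr": "198.51.100.7", "key": b"exit-key-placeholder"}]
```

With a single hop, that one server’s log already pairs the client IP with the destination; with two hops, neither server’s log does on its own, but the pooled logs of both do, which is why the article cares about which jurisdictions the hops sit in.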
Conclusion: No VPN is Completely Safe, But Which Is Best?
You’ve done enough reading. You’re probably wondering now, “which VPN is the safest for me to use?”
Without a doubt, Proton VPN. They are Swiss-based, have a flawless track record when dealing with government data requests, allow you to pay with cash by mail or with cryptocurrency, and offer “Secure Core”, a built-in multi-hop feature that lets you connect to their USA-based servers while routing that traffic first through their own, self-managed Swiss servers; essentially, they hit every mark. They have been independently audited numerous times and have been found to hold essentially no user data. Even their software is open source!
A solid runner-up is IVPN, without a doubt. Arguably better than Mullvad because of the jurisdiction it resides in, it requires no email address to hold an account (it works like Mullvad in that respect). It has passed audits by Cure53 and has had no real controversies since its inception.
Mullvad has had an excellent track record so far, but sadly, Fourteen Eyes… They could flip at any time if the pressure were big enough.
BONUS READ — The Hidden Dangers of Free VPNs: Data Logging and Privacy Risks
The Reality of Free VPN Services
Free Virtual Private Networks (VPNs) are appealing to users seeking online privacy without financial commitment. However, many free VPNs, especially those readily available on app stores, come with significant privacy and security concerns. Operating and maintaining VPN servers is costly, and free VPN providers often resort to alternative revenue streams that can compromise user privacy.
Common Practices Among Free VPN Providers
1. Data Logging and Selling: To monetize their services, some free VPNs collect user data — such as browsing history, IP addresses, and connection timestamps — and sell this information to third parties, including advertisers and data brokers.
2. Embedding Tracking Libraries and Malware: Research has uncovered that certain free VPN apps contain tracking libraries or even malware within their software. These components can monitor user activity, collect personal information, and expose devices to security vulnerabilities.
3. Injecting Advertisements: Some free VPNs display intrusive ads during browsing sessions. While this practice generates revenue, it can degrade user experience and potentially introduce malicious content.
Case Study: Betternet VPN
Betternet VPN, a popular free VPN service, exemplifies several of these concerns:
• Data Logging: Despite claims of protecting user privacy, Betternet’s privacy policy indicates that while they do not log browsing activities, they do log domain names visited (not full URLs) without associating them with individual users or devices.
• History of Malware and Tracking Libraries: Academic research identified Betternet as one of the most malware-infected apps in the Google Play Store, with its Android application containing multiple tracking libraries.
• Revenue Model: Betternet generates income through a combination of premium subscriptions and advertising. The free version often displays ads, and the inclusion of tracking libraries suggests potential data collection for advertising purposes.
Finally, The Hola VPN Controversy: A Cautionary Tale
Hola VPN, once a widely-used free virtual private network service, has been at the center of significant controversy due to its unconventional operational model and associated security risks.
Peer-to-Peer Structure and Security Concerns
Unlike traditional VPNs that route traffic through dedicated servers, Hola operates on a peer-to-peer (P2P) network. In this setup, users’ devices serve as both clients and servers, routing traffic through each other’s internet connections. This approach can lead to several issues:
• Bandwidth Sharing: Users unknowingly share their idle bandwidth with others, which can result in decreased internet speeds and potential overuse of data limits.
• Exposure to Malicious Activity: Since traffic is routed through personal devices, users’ IP addresses can be utilized for illicit activities without their knowledge, potentially implicating them in cybercrimes.
Unauthorized Sale of User Bandwidth
In 2015, it was revealed that Hola was selling access to its users’ bandwidth through a separate service called Luminati (now known as Bright Data). This meant that third parties could purchase and utilize the internet connections of Hola users for various purposes, including data scraping and potentially malicious activities. This practice was conducted without explicit user consent, raising serious ethical and privacy concerns.
Vulnerabilities and Exploitation
Further investigations uncovered critical vulnerabilities within Hola’s software, making users susceptible to external attacks. Researchers demonstrated that these security flaws could allow attackers to execute malicious code on users’ devices, effectively turning them into part of a botnet. This compromised not only individual user security but also the broader internet community.
Response and Current Status
In response to the backlash, Hola made amendments to its website and FAQs to provide more transparency about its operations. However, many of the fundamental issues, such as bandwidth sharing and associated security risks, remain inherent to its P2P architecture. As of recent evaluations, cybersecurity experts continue to advise against using Hola VPN due to these unresolved concerns.
Lessons Learned
The Hola VPN case underscores the importance of thoroughly vetting free VPN services. Users are encouraged to:
• Research Service Models: Understand how a VPN operates and the implications of its architecture on privacy and security.
• Read Privacy Policies: Be aware of data collection practices and how personal information and bandwidth may be utilized. Remain aware that even if the policy is solid, they could be lying — or even taken over by a government agency.
• Consider Reputable Providers: Opt for VPN services with transparent operations, positive security track records, and preferably those that undergo regular independent audits.
In conclusion, while free VPNs like Hola may offer attractive features, they often come with significant hidden costs that can compromise user privacy and security.
TL;DR:
• Most VPNs are hot garbage due to the jurisdiction they’re owned or operated out of, regardless of whether their no-log policy is true.
• VPN companies within “the eyes” can be forced to betray their users at any point.
• FREE VPNS MOST DEFINITELY COME AT A SEVERE COST!
• Invest in ProtonVPN or IVPN.
Great read. Have you tried building your own VPN? That should address many of the risks with commercial VPNs.