The advice is everywhere, from Consumer Reports to the New York Times to the Federal Trade Commission: If you care to keep your web browsing private and secure, you should consider a virtual private network, or VPN.
A VPN encrypts your internet traffic and routes it through remote servers, protecting your data (like your browsing history, downloads, and chat messages) and masking your location. Long popular with hackers and software pirates, VPNs are poised to go mainstream—like ad blockers before them—as the average internet user becomes more sophisticated about online privacy. Reliable data on their use is hard to come by, but two VPNs recently cracked the top 30 of Apple’s App Store, surging ahead of mainstays such as Lyft, PayPal, and Yelp. One industry analysis estimates that VPN usage worldwide quadrupled between 2016 and 2018, while a forecast by Global Market Insights predicts the U.S. VPN market will be worth more than $54 billion by 2024.
So shouldn’t I, like, have one? After all, I’m a tech columnist who is well aware of how chimerical our assumptions of online privacy can be, and who occasionally does reporting that involves secrets and anonymity. I sometimes connect to insecure Wi-Fi networks at airports or coffee shops, and while I’ve never pirated a movie, there are times when I wouldn’t mind skirting geographic restrictions on web content. I certainly don’t like having to trust my internet service provider, Verizon, with all of my browsing data. And yet, for years, I’ve resisted signing up for—or even fully understanding—a technology that many privacy and security mavens consider essential to safe browsing.
When I set out to find the right VPN, however, I ran into an awkward problem: figuring out which of the scores of VPN providers to trust.
The search for a VPN I could rely on led me on a convoluted journey through accusations and counteraccusations, companies with shadowy leadership and those with conflicts of interest, and VPN ratings sites that might be even shadier than the companies they’re reviewing. Many VPNs appear to be outright scams. Others make internet browsing sluggish. Free versions bombard you with ads. It’s a world so thicketed that the leading firms and experts can’t agree on the basic criteria for what counts as “reputable,” let alone which companies best meet that description.
The CEO of one top VPN company, Silicon Valley–based AnchorFree, told me in a phone interview that he suspects one of his top rivals is secretly based in China—which would raise a red flag for many privacy advocates because of the Chinese government’s aggressive surveillance regime. An executive for that rival, ExpressVPN, insisted that isn’t true, though he wouldn’t disclose where the owners are actually based or even who they are. (The company is incorporated in the British Virgin Islands.) He argued the secrecy is actually a virtue because governments can’t apply pressure to ExpressVPN’s principals to give up user data if they don’t know who, or even where, those principals are. Indeed, many VPN users consider offshore providers preferable to U.S.-based firms.
AnchorFree, for its part, has been dinged by reviewers for running a free, ad-supported VPN, which some privacy experts consider a conflict of interest. (It also offers a paid VPN service.) The two companies point to dueling trust reports by outside groups, each of which appears to reflect well on the firm that’s touting it, thanks to different methodologies.
“It is fascinating the amount of sniping that goes on” between VPN companies, said Joseph Jerome, who has closely studied VPNs in his role as policy counsel for the Privacy and Data Project at the nonprofit Center for Democracy & Technology. “They are very quick to pull out knives and shiv each other.”
While it’s possible AnchorFree is just trolling ExpressVPN by suggesting that it’s based in China, the risk is not imaginary. On Feb. 7, while I was working on this story, U.S. Sens. Ron Wyden and Marco Rubio called for the Department of Homeland Security to launch an investigation into the risk of foreign governments spying on Americans via VPN apps.
I just wanted internet privacy. I hadn’t bargained on a knife fight.
VPNs work by rerouting your internet connection through remote servers that disguise your location and make you harder for websites to identify. They also hide your browsing activity from your own ISP, which would otherwise have access to pretty much everything you do online—as could, say, a law enforcement agency that subpoenaed your activity (or, if you’re really paranoid, an intelligence agency that somehow hoovered it up).
Though they’re careful about how they advertise it, many VPNs can also be used to sneak around your country’s laws or copyright restrictions by patching you through servers in a different country. In fact, access to entertainment content is the top reason for VPN use around the world, according to a 2018 report from GlobalWebIndex. Other top reasons include access to social networks and news sites in countries where they’re blocked (VPNs are especially popular in China, despite officially being banned there) and maintaining privacy while browsing.
In case you needed more incentive to consider using a VPN, Congress in 2017 nixed a rule that was supposed to prohibit ISPs from tracking and selling information about your online activity without your consent. Basically, your wireless provider and home internet provider are now free, legally speaking, to mine your online habits for profit.
At the same time, the end of net neutrality rules in the United States opens the doors for ISPs to further restrict or throttle certain types of content, or to charge more for them. VPNs could offer a workaround—although if they become too popular for that purpose, ISPs might try to crack down on VPNs themselves.
VPNs are not a new phenomenon. Their origins can be traced to 1995, when Microsoft engineers developed a way for business customers to secure their internet connections. In the 2000s, they started to gain popularity with tech-savvy individuals, as open-source software helped to bring the price down and high-profile hacks raised public awareness of internet security issues. AnchorFree was founded in 2005, ExpressVPN in 2009.
But it’s only in recent years that VPN companies have become a hot commodity in the tech world. They’ve been pushed along by the rise of insecure public Wi-Fi networks and the proliferation of online content that’s available in some countries but not others. (For instance, the 2012 Olympics were available for free to Brits on BBC, but in the United States, you could only watch with a cable subscription.) TunnelBear, a popular VPN service founded in 2011, was acquired by the computer security giant McAfee in March 2018 for an undisclosed sum. In September 2018, AnchorFree raised $295 million at an undisclosed valuation, an unprecedented amount for a VPN startup. It has a chance to be the first VPN unicorn—a startup valued at $1 billion or more—if it isn’t already. As of February, AnchorFree CEO David Gorodyansky told me his company’s VPN, Hotspot Shield, is being downloaded some 400,000 times per day.
There’s never been a better time for a VPN boom. Which brings us back to that pesky problem of trust. If it’s so hard to assess the credibility of the industry’s top names, like AnchorFree and ExpressVPN, you can imagine how difficult it might be to suss out the myriad lesser-known alternatives. A January investigation by the site Top10VPN found that more than half of the top 20 free VPN apps on the iOS and Android app stores either have Chinese ownership or are based in China. That’s all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they’re sharing data on their users with the Chinese government.
When you use a VPN, you’re trusting that VPN with the same deep level of access to your online activity that you’d normally give your ISP. In other words, now they can see what you’re up to whenever you’re using the internet. VPNs may be more privacy-focused than big, corporate ISPs, but they’re also smaller, more opaque, and less publicly accountable.
And while every VPN will swear to you that it cares more deeply about your privacy than anything else, some also have a penchant for pointing fingers at rivals who they say are not to be trusted.
So how to choose? You might want to start with the biggest VPN—but it’s essentially impossible to figure out which one that is. Most of the major players are privately held and don’t disclose the size of their user base. To further complicate matters, the easiest way to become large as a VPN is to offer a free product, which usually means one that’s ad-supported. (Free VPNs also tend to come with data limits and geographic restrictions.) Many in the industry will tell you that’s a reason to stay away, since it puts the VPN’s interest in privacy at odds with its interest in serving users well-targeted advertisements.
AnchorFree, which offers a free version of Hotspot Shield for Android users that includes advertising, says it has addressed that concern by displaying only generic Google ads that don’t use any data from AnchorFree for targeting. The ads pop up periodically as you use the app, and you have to watch them to keep browsing. (A free version of Hotspot Shield for iOS is ad-free, though it has data limits and only allows you to connect through the United States.)
How about the VPN that gets the best reviews? Ah, but there are dozens of review sites, their findings often conflict, and their criteria aren’t always transparent. Two of the more reputable tech sites that review VPNs, PCMag and CNET, both give Panama-based NordVPN the top spot, citing its speed, ease of use, and privacy features. But two others, Wirecutter and Tom’s Guide, found NordVPN slow and buggy. And, like ExpressVPN, NordVPN goes to great lengths to obscure its ownership. As Tom’s Guide notes, it’s a subsidiary of a Panama-based holding company called Tefincom S.A., which appears to be a shell company. (As with ExpressVPN, there are potential justifications for that anonymity.)
ExpressVPN, for its part, takes the top spot on at least two other lists that are highly placed in Google search results, TechRadar and TheBestVPN.com. Both sites emphasize its connection speeds and ease of use in their glowing reviews; neither mentions that ExpressVPN doesn’t disclose who owns it.
AnchorFree’s outspoken CEO, Gorodyansky, has his theory for why his company’s service doesn’t fare as well on these sites. Many VPN review sites make money through “affiliate links,” a program by which they get small kickbacks for each new user they refer to a given VPN. “These sites are not incentivized to tell users the truth,” he argues. In particular, he alleges that they either downgrade or omit Hotspot Shield altogether because they can’t make any money by referring users to its free service.
Harold Li, ExpressVPN’s vice president and only public face, defended his company’s privacy practices as among the industry’s best, not despite its opaque ownership but because of it. It’s a matter of operational security, he said, but also personal privacy. Is it so surprising that the kind of people who created one of the world’s top virtual private networks, way back in 2009, would also zealously guard their own identities?
Li himself is based in Hong Kong, which lies outside of mainland China’s “Great Firewall” and is not subject to the same onerous internet censorship policies. ExpressVPN’s team is distributed around the world, Li added, and any claim that it’s based in mainland China or has ties to the Chinese government is wrong. “If people are throwing around speculation with no evidence, I don’t see why that would be worth covering,” he said. It’s also fair to note that VPNs with ulterior motives would most likely offer a free service to attract more users. ExpressVPN, whose services range from $8 to $13 per month, is one of the costlier options on the market and does not offer a free version, which helps its credibility.
(Update, March 1, 2019: After this story ran, ExpressVPN’s Li sent a longer statement denying any connections to the Chinese government. “ExpressVPN is fundamentally opposed to all government censorship and surveillance, and our service helps many in China and around the world circumvent censorship every day,” the statement reads. “That’s the reason we are regularly targeted by the Chinese government for blocks, as well as removal from the App Store in China. Any insinuation that we have ties to the Chinese government is 100% false.”)
For a better indication of ExpressVPN’s credibility, Li said, look at its record. He pointed to an international incident in which ExpressVPN’s data practices were tested in the public eye: In 2017, Turkish authorities seized servers from ExpressVPN while investigating the dramatic assassination of Russian ambassador Andrei Karlov. They hoped the data would shine light on communications between the suspect and U.S.-based Turkish cleric Fethullah Gulen. But the servers held no logs, supporting ExpressVPN’s claim that it doesn’t keep records of its users’ activity.
Successfully protecting suspects in an international conspiracy might not sound like an endorsement of ExpressVPN’s service. Some in the VPN industry think it highlights the shadier side of a product that should really be about online security, not evading or circumventing the law.
When a VPN hides its owners’ identities and incorporates in an offshore territory, “it’s usually because they’re breaking laws,” says Francis Dinha, co-founder and CEO of OpenVPN, an open-source service aimed at business customers. Dinha said he finds it “far-fetched” that ExpressVPN would be linked to the Chinese government, and more likely that the owners are keeping a low profile because their service is geared toward people pirating content or other illegal activity. To his mind, the best reason to use a VPN is for cybersecurity, not anonymity. He notes a VPN won’t stop platforms such as Facebook and Google from identifying and tracking you in other ways besides your IP address.
But in the privacy realm, the Karlov episode counts as a powerful proof of concept: If ExpressVPN works for political assassins, the thinking goes, it should be plenty good enough for the rest of us. Plenty of VPN companies say they don’t keep logs of user data, but it’s a hard claim to substantiate, absent an international incident that puts it to the test.
Jerome, of the Center for Democracy & Technology, is well-acquainted with ExpressVPN. Looking to bolster its bona fides, ExpressVPN last year joined four other VPN providers in partnering with CDT to launch an initiative around VPNs and trust. Together they developed a list of “Signals of Trustworthy VPNs,” inviting other VPNs to answer a series of eight questions about things like their ownership, business model, and privacy practices. The ownership question asks companies to disclose their full legal name, any corporate parent companies, and where they’re headquartered. One thing it doesn’t ask: the names of the company’s principals.
When I asked Jerome if he knows who runs ExpressVPN, he told me apologetically that he couldn’t comment. “We worked with all these companies in some degree of confidence,” he said. “Our final product reflects some of the challenges we had.” Jerome says he had initially hoped to develop a more rigorous audit, but would need both more resources and more cooperation from the VPNs themselves. “Getting them to agree on how they would be assessed, and who would actually assess them, was just really difficult,” he said. “I think they all see themselves as good players. But I think there’s also some fear that if you let people open up the hood, they might find bad stuff.”
AnchorFree has not participated in CDT’s project. Instead, it commissioned its own third-party industry audit by Germany-based AV-TEST, which evaluates antivirus and security software. Perhaps not surprisingly, that report emphasized disclosure of ownership and management as a key criterion and called out ExpressVPN and NordVPN for their lack of transparency. AV-TEST also looked at which firms release an annual transparency report, something AnchorFree has recently started doing. Oh, and AnchorFree topped AV-TEST’s connection speed rankings.
Considering the popularity of its free service, its aggressive fundraising, and partnerships with companies like Samsung—whose phones now come with a version of AnchorFree’s Hotspot Shield VPN built-in—AnchorFree might be the company best-positioned to capitalize on the VPN boom. But it doesn’t top many ratings, partly because of the stigma among experts against free VPNs and partly because it has suffered in some third-party speed tests.
As it happens, AnchorFree’s biggest privacy black eye came via CDT in 2017, when the nonprofit filed a complaint with the Federal Trade Commission alleging that Hotspot Shield was misleading users about its ad-supported free VPN by logging more data than necessary, and was in some cases redirecting their traffic to the websites of its advertising partners. AnchorFree’s Gorodyansky calls the allegations “an unfortunate misunderstanding,” but AnchorFree did revise its terms of service soon after. The FTC published a blog post on the benefits and risks of VPNs in 2018, but has not taken further public action.
ExpressVPN, for its part, nearly won the coveted recommendation of Wirecutter in its extensive, highly detailed VPN review. There are hints throughout Wirecutter’s report that ExpressVPN would have taken the top spot if not for one pesky concern: its refusal to publicly disclose who owns it. Wirecutter editor Mark Smirniotis notes near the end of his review that ExpressVPN offered to arrange a confidential call with its owners, but he decided that wouldn’t be enough to change his recommendation and declined.
Wirecutter instead recommended a smaller service, IVPN, which it said “excels at trust and transparency.” IVPN is officially based in Gibraltar, which like the British Virgin Islands is a British Overseas Territory. (Offshore territories are a popular choice for VPNs because they lie outside the direct law enforcement jurisdiction of major world powers, and tend not to have large national security apparatus of their own.)
With demand for VPNs soaring, there’s plenty of incentive for the industry to outgrow its Wild West phase. The partnerships with nonprofits and third-party audits are a step in that direction. NordVPN recently followed AnchorFree and ExpressVPN down that path, commissioning an audit by PricewaterhouseCoopers to back up its claims to protect user privacy. But such audits would mean more if they weren’t each commissioned by an individual VPN firm. People like Jerome are pushing for industry standards, but so far VPNs have shied away from audits whose methodology they can’t control.
A bigger change may come when some leading VPNs go public or get acquired by public companies. Public companies aren’t immune to shady behavior, of course, but they’re subject to disclosure laws and scrutiny that private companies aren’t. Other VPNs will stay private and risk some skepticism over their ownership in exchange for staying under the radar—or out of the reach—of big national governments.
I thought when I began writing this story that I’d figure out which VPN I’d trust for my own use. Several weeks, dozens of calls, and thousands of words later, I can’t say I’m much closer to a clear-cut answer.
One of the only definitive takeaways, besides “steer clear of free VPNs,” is that your choice of VPN should depend on what you’re using it for. If you’re just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that’s clear about both who owns it and how it treats your data. If your goal is to torrent pirated files, view blocked content, assassinate an ambassador, or otherwise evade the long arm of your government (or the governments it shares intelligence with), one based offshore might be a better bet—provided you’re quite sure it doesn’t have secret ties to the government you’re trying to evade.