How do you know if a VPN is actually trustworthy? Because, news flash, some are actually pretty shady. 

A virtual private network, or VPN, is a handy tool that helps boost your digital privacy and unblock geo-restricted video content from around the world. It works by encrypting your internet traffic and hiding your public IP address, making it appear like your device is in a different location while shielding your online activity from snoops, including your internet provider.

But despite how user-friendly VPNs have become, they’re still complex tools behind the scenes — and there are a lot of factors to watch out for before you commit to a VPN service. Not every VPN is as secure or trustworthy as it claims.

To help you avoid a shady VPN app, I’ve drawn on my years of experience testing and using VPNs to share all the things I personally do to determine whether a VPN can actually be trusted with my data and streaming needs. Here are the top 10 things I look for to tell if a VPN is trustworthy.

1. Read the no-logs policy carefully

For a VPN to boost your digital privacy, you have to trust that company with your online data, including the websites you visit and apps you use. When you connect to a VPN, it routes your online information through an end-to-end encrypted tunnel. By definition, this means you’re relying on the VPN to keep your data safe from prying eyes, such as your internet provider and network administrators.

In return, the VPN promises that it won’t keep a record of your online data. This promise, when put down in writing, is what’s known as a VPN’s no-logs policy. It ensures that even if a VPN were compelled by a government agency or ordered by a court to hand over user information, it wouldn’t have anything meaningful to hand over in the first place. 

Not only do I always read a VPN’s no-logs policy, but I also approach it through the lens of whether the VPN truly understands what users are looking for and whether it communicates that clearly and directly.

The best-case scenario is a clear, detailed no-logs policy that avoids excessive technical jargon. If a VPN privacy policy is sprinkled with technical jargon, I question whether it’s trying to confuse me and make me accept something I don’t fully understand.

In my experience reading VPN no-logs policies, I’ve also found that they can sometimes be too good to be true.

A VPN that claims to require absolutely no information to function isn’t always as good as it sounds; that falls into the category of unrealistic claims. A VPN does need some basic diagnostic data, such as connection success or failure logs, crash reports or app error logs, bandwidth usage, app version and device type, plus account details and billing information, to provide basic service. This helps the provider maintain performance, improve the service and keep everything running smoothly.

So you’ll want your VPN provider to be transparent about what it monitors, stick to collecting the bare minimum data and anonymize the information it gathers when possible.

2. Look for independent audits

While a VPN with a no-logs policy is better than one without, a service whose policy has been independently audited by a reputable third party is even better. A no-logs policy is essentially a company’s promise not to collect sensitive information about you, but independent audits are needed to prove it keeps that promise.

However, I don’t stop there. While VPN audits are indispensable, they don’t paint the full picture. I wouldn’t recommend choosing a VPN whose no-logs policy was audited, say, three years ago and never since. That’s because these audits only confirm that evaluators found no evidence the VPN logged sensitive user data during the period examined.

Think of it as a snapshot, where a reputable third-party cybersecurity firm comes in for a few days and tests how the VPN logs data and handles consumer information. You’d be right in thinking there’s essentially no guarantee that a VPN won’t ever log user data, because no VPN is perpetually under audit.

The solution is choosing a VPN that regularly undergoes third-party audits. My sweet spot is at least one audit a year, so look for a VPN that undergoes annual independent audits.

The bottom line: Look for a VPN with regular audits conducted at least annually, if not more often, by reputable third parties.

3. Check the VPN’s jurisdiction and data laws

A VPN’s jurisdiction is the country where it’s headquartered. My evaluation of a VPN’s jurisdiction — in terms of how important it is in determining whether a VPN is trustworthy — has changed over the years. It was initially a huge factor for me, but over time, I’ve learned that while it’s certainly important, there’s a lot of nuance to jurisdiction.

It’s true that countries outside the Five Eyes, Nine Eyes, and 14 Eyes international data-sharing alliances are generally seen as safer, since they aren’t in the business of exchanging user information with other countries within those alliances. However, you also need to consider the specific data retention laws of the VPN’s home country.

Mullvad is a great example. Even though it’s based in Sweden, which is part of the 14 Eyes alliance, Sweden’s own laws do not compel VPN providers to log user data or web traffic. So even if another 14 Eyes country were to request sensitive user information from Sweden, it wouldn’t have anything to extract from Mullvad, which has a strong and audited no-logs policy.

4. Verify encryption protocols

A VPN protocol dictates how your device “talks” to the VPN server. Think of protocols as methods of communication, with outdated ones such as L2TP/IPsec, SSTP and PPTP being pigeons and newer, more secure ones like WireGuard, OpenVPN and IKEv2/IPsec being texts or emails.

Most modern VPNs don’t support these older protocols anymore because maintaining them takes effort and resources, so providers usually drop them altogether. But I don’t mind it if they’re included, even though I would never use them. What I do mind is when a VPN doesn’t offer one or more of the three modern standards: WireGuard, OpenVPN or IKEv2/IPsec.

There isn’t really one protocol that’s universally better than the others; each has its own advantages and trade-offs. For example, while WireGuard is generally faster than OpenVPN, the latter is considered marginally more secure.

Some VPNs also offer their own proprietary protocols, which are essentially tweaked versions of these standard ones, optimized for what the provider wants to deliver.

For example, NordVPN has NordLynx and NordWhisper, Proton VPN has Stealth and ExpressVPN has Lightway. NordWhisper and Stealth both offer obfuscation, which aims to mask your VPN usage by disguising it as standard web traffic, and may be useful in situations like slipping through firewalls on school Wi-Fi.

5. Evaluate pricing transparency and value

VPN plans generally cost between $30 and $100 per year. A VPN that’s significantly above — or below — that price bracket for no good reason deserves a closer, suspicious look.

I also like to see a VPN offer subscriptions of different lengths, ideally, monthly, bi-annual and yearly. Most VPN companies also offer two-plus-year-long plans, but here at CNET we don’t recommend multiyear subscriptions because of how quickly things change in the VPN world. Your fast, private VPN might be acquired by a shady company, suffer a data breach, experience slow speeds, or, worse, fail to unblock streaming services during the course of a year. Annual plans provide the maximum savings with the lowest risk.

I like to see the total upfront cost I’ll be paying for an annual or multiyear plan instead of the VPN only showing me what that plan boils down to per month. For example, if a VPN costs $50 a year but $75 for two years, I’d rather the provider clearly say my card will be charged $75 upfront instead of just showing a monthly price like $3 or $4.

Thanks to increasing competition in the VPN industry, premium VPNs like NordVPN and ExpressVPN have clamped down on their initial term pricing. However, I still use Surfshark — the best cheap VPN — every day, and its affordability is one of the biggest reasons why, along with the fact that it lets me protect all the devices in my household.

For context, I have four devices of my own and another eight used by family members. Trying to cover the same number of devices with NordVPN or ExpressVPN would mean I’d have to buy two subscriptions or upgrade to a more expensive plan.

While Surfshark’s autorenewal price for its entry-level Starter plan is now $99, which is tough to justify, its initial price of $54 a year is excellent. To avoid an auto-renewal price hike, cancel your plan as soon as you sign up and consider stacking subscriptions as your first term nears its end.

As a footnote, passing up NordVPN and ExpressVPN — which offer unique privacy features — was a tough trade-off, but it highlights the importance of choosing a VPN that fits your budget and includes the features that matter most to you.

6. Test streaming and unblocking reliability

One of the biggest reasons behind the explosion in VPN popularity is their ability to unblock geo-restricted content. Even as a privacy-conscious user who spends a minute or two in silence every time he hears about a data breach, I can tell you most of my interactions with my VPN app happen when I switch locations to watch a movie or TV show that’s not available where I am.

Also, streaming has gotten too expensive, and because you’ll almost never find three movies you want to watch in a week in the same place, it makes sense to save costs there and invest in a quality streaming VPN. 

However, when I was new to the world of VPNs and looking for one that would aid my binge-watching habits, I learned — the hard way — that a VPN claiming to unblock every site in the world is exaggerated VPN marketing lingo. That’s because streaming platforms are constantly fighting VPNs, tracking down their pools of IP addresses and blocking them to ensure compliance with regional licensing and copyright agreements.

The best streaming VPNs are aware of this and don’t just talk a big game, but offer tons of server locations, are fast enough to support HD or 4K streaming and offer unlimited bandwidth — a must for avid Letterboxd users like me who watch tons of movies. Also, make sure that your streaming platform allows VPN use. Netflix, for example, lets you use a VPN for on-demand content, but not for live events.

7. Review the provider’s track record

My stock-picking habits have taught me to study past performance and track records to form expectations about future results. I apply the same approach to choosing a VPN.

Do I absolutely rule out VPNs that have experienced data breaches? No. It’s important to remember that behind the scenes, VPN companies run thousands of servers and complex software while constantly rolling out new features, so incidents like data breaches or DNS leaks can happen.

What matters most to me is how the VPN responds — whether it’s transparent with users and the public and how quickly it acts.

The best example would be how ExpressVPN responded when here at CNET we discovered a bug with split tunneling on Windows and DNS leaks. The company immediately removed the feature, patched it and even published a lengthy blog post for transparency. It also invited a third-party cybersecurity firm, Nettitude, to conduct a penetration test to confirm that the issue was fixed.

8. Check core security features

While having a VPN company clearly display all of its core security and privacy features on its website is a strong sign that it’s confident in its offering and that its features work as advertised, I stick to my belief that talk is cheap. So I take it upon myself to look at a VPN’s real-time connection behavior.

I check whether my VPN app randomly disconnects, whether it has trouble connecting to a particular location, whether the kill switch works properly when the connection drops and whether a server location the VPN claims is available on its website is, in fact, available in its app.

While you can’t test every single technical feature a VPN offers, it’s important that the features that matter to you are there and working well. That’s something you should test, preferably within a VPN’s money-back guarantee, so you don’t end up paying for something you’re not getting.

For example, because I like to stream my local sports events on my CarPlay while I’m driving, but at the same time have the VPN on my phone for protection, split tunneling is an important feature to me, and that’s one of the first things I check when I get my hands on a VPN.

9. Assess customer support quality

As much as I like diving into the technical settings and trying to troubleshoot my way out of a problem by carefully reading a VPN’s detailed step-by-step blog, I’ll admit that having quick and friendly customer support at your disposal is critical when you’re using a technical product like a VPN. 

All top VPNs typically offer a rich knowledge base of help articles, but sometimes you need help beyond the FAQs.

While beginners should definitely make 24/7 customer support via live chat or email (or both) a top priority when picking a VPN, I urge even tech-savvy users to keep this on their priority list. Troubleshooting can be fun, but you might find yourself in a sticky situation.

For example, you’re leaving for the airport and your VPN won’t connect and you simply don’t have time to fix it yourself. In those cases, you need urgent help. I also rate VPNs higher if they quickly connect me to a real human agent instead of making me wrestle with a subpar AI chatbot.

10. Research real-world reputation

A strong public reputation can be a great indicator of how a VPN performs in real life. It’s particularly helpful if you like to keep things simple and just want to see what actual day-to-day users think of the product and whether it works for them. While you can — and should — read expert reviews, you can also check sources such as Trustpilot to gain a sense of the real-world user experience.

However, I strongly advise looking for patterns rather than one-off complaints. For instance, repeated issues with speed, streaming access or billing are more meaningful indicators of a VPN’s real-world performance than a single negative review.

Selecting a VPN with confidence

Choosing a trustworthy VPN isn’t about chasing the longest features list, the loudest marketing claims or the cheapest price tags. It comes down to transparency, repeatedly proven privacy claims, consistent performance and punching above its price bracket, even if only by a little.

If you keep the above tips in mind and test what matters to you firsthand, you’ll be far more confident that the VPN you pick is actually worthy of your trust.


