VPN Comparison by That One Privacy Guy

When I learned that my privacy was being invaded by different companies multiple times a day, I started trying to reclaim it. I wanted a VPN. However, I soon found that there was very little unbiased and reliable information about VPNs. Almost everything I came across was disguised advertising.

I started researching VPN services for my own knowledge, then posted my findings online to try and help people. I mainly publish two types of information: VPN reviews, and a Comparison Chart of detailed data about the service provided by different VPN companies.

I make every effort to keep the data on the VPN Comparison Chart up to date. However, parts of it may be incorrect for various reasons, for example if a given VPN service is not transparent and does not make the data available on their official site. My chart doesn’t make any claims about any service: it simply shows a summary of all the information available (or notes where data is lacking). It is, of course, not a substitute for your own research.

If you work for a VPN company and you’d like to request an update to your information, feel free to contact me citing a proper source on the official website. If your information is verifiable, I will be happy to update your data.

The charts are color-coordinated like this:

Green – Generally good/good badge awarded.
Yellow – Something of concern.
Red – Something major of concern/bad badge awarded.
Blank – Undefined or for reader’s knowledge only.


Simple VPN Comparison Chart

See how these fields are calculated here.

You can download the original (up-to-date) file using these links: Excel (xlsx) | LibreOffice (ods)


Detailed VPN Comparison Chart

(Data last updated on 20/07/19)

See what these fields mean here.

You can download the VPN Comparison Chart in other formats below: Excel (xlsx) | LibreOffice (ods) | CSV (csv)


VPN Review Badge Chart

See what the badges mean here.


Simple VPN Comparison Chart Formulas

The Simple VPN Comparison is an attempt to boil down the massive amount of raw data in the Detailed Comparison, and make it more accessible for people who don’t care about every data point.

Since this kind of comparison demands weighted values, I want to be completely transparent and open about how I’ve calculated them.

Jurisdiction:

Red Flag: Five Eyes country, Enemy of the Internet, or not disclosed.
Yellow Flag: Nine Eyes country, Fourteen Eyes country, owned by a Five Eyes country, or cooperative with their authorities.
Green Flag: Not a Fourteen Eyes country and also not an Enemy of the Internet.

Logging: Points are given for each type of data that the VPN logs. If traffic is logged, this automatically counts as 3 points. I added 1 point for every additional category, and half a point for undisclosed categories. No points were given for a clear zero logging policy.

Red Flag: 3 or more points in this category.
Yellow Flag: Fewer than 3 points in this category.
Green Flag: 1 or fewer points in this category.

Activism: I gave points if no anonymous payment method was offered (including email), if the company doesn’t accept Bitcoin, and if it doesn’t have a PGP key.

Red Flag: 3 or more points in this category.
Yellow Flag: Fewer than 3 points in this category.
Green Flag: 1 or fewer points in this category.

Service Configuration: I gave a red flag if the company doesn’t offer OpenVPN or if the VPN received more than 3 points. Half points were given for some configuration issues.

Red Flag: 2.5 or more points in this category.
Yellow Flag: Fewer than 2.5 points in this category.
Green Flag: 1 or fewer points in this category.

Security: I gave points based on how far below a provider fell from the best-in-class industry standards.

Red Flag: 2 or more points in this category.
Yellow Flag: Fewer than 2 points in this category.
Green Flag: 1 or fewer “points” in this category.

Availability: 2 points given for < 3 connections. 1 point given for an undisclosed number of countries or for fewer than 10 available countries. 2 points given for < 3 servers. 1 point given for an undisclosed number of servers or for fewer than 10 servers.

Red Flag: 3 or more points in this category.
Yellow Flag: Fewer than 3 points in this category.
Green Flag: 1 or fewer points in this category.

Website: I gave 0 points for 0 persistent cookies, 1 if < 5, 2 if < 10, and 3 for more than 10. Similarly, I gave 0 points for 0 external trackers, 1 for < 3, 2 for < 10, and 3 for more than 10. I gave 0 points for 0 proprietary APIs, 1 for < 5, 2 for < 10, and 3 for more than 10. 0 points for A+ or A server grade, 1 for B, and 5 for anything below B. I gave 0 points for a self-signed cert, 2 for CloudFlare or Incapsula, and 3 for no cert.

Red Flag: More than 6 points in this category.
Yellow Flag: 6 or fewer points in this category.
Green Flag: 3 or fewer points in this category.

Pricing: There are maximum price cells at the bottom of the price columns. I gave zero points to providers in the bottom third (least expensive) for price and price/connection, 1 point to the middle third, and 2 points for the top third (most expensive). I gave zero points if a service offered a free trial (or free service), and 1 if they didn’t. I gave zero points for 30 days or longer for a refund (or service free of charge), 1 point for 14 days or more, 2 points for 7 or more, and 3 points for less than 7.

Red Flag: More than 6 points in this category.
Yellow Flag: 6 or fewer points in this category.
Green Flag: 3 or fewer points in this category.

Ethics: I gave 1 point for each good faith column violated. I gave 1 point for each “no” in affiliate policies, half a point for “some”, and 0 for a “yes”. I gave 1 point for each affiliate violation. I only tracked ethics for the fields indicated. Services may have shady dealings outside of these fields.

Red Flag: 3 or more points in this category.
Yellow Flag: Fewer than 3 points in this category.
Green Flag: 0 points in this category.
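The point-to-flag thresholds above, together with the Logging and Website point rules, written out as an added example (this is not the author's spreadsheet formula, and all function and category names are hypothetical). It assumes the Green band is checked first wherever the Green and Yellow ranges overlap, and it scores a count of exactly 10, which the text leaves undefined, as 3. The sample inputs are constructed.

```python
# Added example: thresholds transcribed from the page; names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    green_max: float     # Green at or below this many points
    red_min: float       # Red threshold
    red_inclusive: bool  # True: "N or more", False: "more than N"


BANDS = {
    "logging": Band(1, 3, True),
    "activism": Band(1, 3, True),
    "service_configuration": Band(1, 2.5, True),
    "security": Band(1, 2, True),
    "availability": Band(1, 3, True),
    "website": Band(3, 6, False),
    "pricing": Band(3, 6, False),
    "ethics": Band(0, 3, True),
}


def flag(category, points):
    """Map a category's points to a flag colour.

    Assumption: Green wins where the Green and Yellow ranges overlap
    (e.g. 1 point is both "fewer than 3" and "1 or fewer").
    """
    band = BANDS[category]
    if points <= band.green_max:
        return "green"
    if points > band.red_min or (band.red_inclusive and points == band.red_min):
        return "red"
    return "yellow"


def logging_points(logged, undisclosed=0):
    """3 points if traffic is logged, 1 per additional logged category,
    0.5 per undisclosed category. Category names are constructed."""
    logged = set(logged)
    if "traffic" in logged:
        points = 3 + (len(logged) - 1)
    else:
        points = len(logged)
    return points + 0.5 * undisclosed


def count_points(n, low_limit):
    """0 for none, 1 below low_limit, 2 below 10, otherwise 3.

    Assumption: exactly 10 scores 3; the page only says "more than 10".
    """
    if n == 0:
        return 0
    if n < low_limit:
        return 1
    if n < 10:
        return 2
    return 3


def grade_points(grade):
    """A+ or A scores 0, B scores 1, anything else scores 5.

    Assumption: grades the page does not list (such as A-) fall in the
    5-point bucket.
    """
    if grade in ("A+", "A"):
        return 0
    if grade == "B":
        return 1
    return 5


CERT_POINTS = {"self-signed": 0, "cloudflare": 2, "incapsula": 2, "none": 3}


def website_points(cookies, trackers, apis, grade, cert):
    """Sum the five Website sub-scores described on the page."""
    if cert not in CERT_POINTS:
        raise ValueError(f"unknown cert value: {cert!r}")
    return (
        count_points(cookies, 5)     # persistent cookies
        + count_points(trackers, 3)  # external trackers
        + count_points(apis, 5)      # proprietary APIs
        + grade_points(grade)        # server SSL grade
        + CERT_POINTS[cert]          # certificate type
    )


if __name__ == "__main__":
    # Constructed sample: 4 cookies, no trackers, 12 APIs, grade B, Cloudflare.
    pts = website_points(4, 0, 12, "B", "cloudflare")
    print("website:", pts, flag("website", pts))
    lp = logging_points({"traffic", "bandwidth"}, undisclosed=1)
    print("logging:", lp, flag("logging", lp))
```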


Terms in the Detailed VPN Comparison Chart

Jurisdiction: Negative scores are not necessarily reflective of the companies or their policies, only the countries they’re based in.

Fourteen Eyes countries: “Owned” means a country/location isn’t a Five Eyes country itself, but is a territory or commonwealth of one. Second tier “cooperative” countries are determined by Privacy International.

Enemy of the Internet: Based on the 2014 Enemies of the Internet report by Reporters without Borders.

Logging: These metrics are collected from the official websites and other reputable sources. This section takes each company at their word. It’s up to the user to decide who is trustworthy. The term “logging” refers to long-term information storage, not real-time monitoring. A company may not log your data, but that doesn’t mean that it’s not watching you in real time.

Bandwidth logging: Some services limit their users’ bandwidth. When a company’s privacy policy explicitly states no bandwidth usage logging, you can be more sure they don’t have an invisible, unadvertised cap.

Anonymous payment method: Service offers at least one payment method that does not require personal information. “Email” in this field is considered better than “No”, since it may or may not be tethered to an individual’s identity. This doesn’t include companies that claim you can falsify personal information and technically be anonymous. It’s to highlight companies that don’t ask for it in the first place.

Gives back to privacy causes: A given service supports (typically by way of donations) organizations and worthy causes which are important to privacy. Examples include donations to the EFF, FSF, OSTIF, and other organizations, FOSS audits, etc.

Meets PrivacyTools.io’s criteria: This means the VPN:

  • Does not log traffic.
  • Operates outside the USA or other Five Eyes countries.
  • Has OpenVPN software support.
  • Accepts Bitcoin, cash, debit cards, or cash cards as a payment method.
  • Does not require personal information to create an account (only a username, password, and email address).

More info at privacytools.io

Blocks SMTP (authent.): A “Some” in this field means that the companies’ support team may be willing to whitelist your email provider’s SMTP server upon request. Another possibility is the company supports some workaround method.

Blocks P2P: Services marked as blocking “Some” P2P usually only block it on servers dedicated for streaming. Other possibilities are that P2P users are throttled or banned. The user is responsible for researching further based on their needs.

Number of connections: A 25 in this field actually indicates no advertised limit for simultaneous connections (done this way for conditional formatting purposes only).

Obfuscation: Sometimes it’s useful to obfuscate the fact that your traffic is generated by a VPN, for example, if your ISP or Network Administrator blocks certain VPN protocols. These fields represent different methods of obfuscating VPN traffic so that it’s not as easily detected and blocked.

Speed: Speed tests are run while reviewing services (methodology and test setup can be found here). Averages are used for this figure. International speeds are averaged from all international tests run in a given review. A “0.00” in this field doesn’t mean no speed, just that there isn’t data to populate the field.

Number of countries: Some companies report physical server locations, and some use tricks to make a server endpoint appear to be in another country when it really isn’t. This is often the case where the number of countries is unusually high. Do your own research on a case-by-case basis if this is an important metric for you.

Number of servers: Some companies report their physical server count, and some report their virtual server count (to inflate the numbers). Do your own research on a case-by-case basis if this is an important metric for you.

Linux support (manual): This field reads “yes” if .ovpn files are available and ready to use in Linux Network Manager, not CLI. If some tweaking is needed, or if the support team of a given service has to specially make and email these, this field will read “partial”. If no files are readily available, this field will read “no”.

Number of persistent cookies: Using webcookies.org – persistent cookies.

Number of external trackers: Using webcookies.org – third-party cookies.

Number of proprietary APIs: This field is derived from a urlquery scan of each service’s website. Not all services are of equal concern (or of any concern at all). This is a loose indication of how committed to free software a company is.

Server SSL rating: Run using Qualys SSL Labs – SSL Server Test Tool.

Pricing: Pricing is based off of normal rates, and doesn’t take into consideration promotions, coupons, or sales.

Refund window: Often, payments made by cash or Bitcoin can’t be refunded. Users should research as needed. As this field only allows a numerical value, services that show -1 indicate a free service.

Contradictory logging policies: This field indicates a company which advertises a zero logs or absolutely no logs policy in its marketing, but upon further inspection does keep logs to some extent. This does not mean that the company in question has provided details about their logging policy in their terms or privacy policies, only that they have not claimed “no logging”, then immediately disproved it.

Falsely claims service is 100% effective: No security or privacy setup truly offers 100% protection or is a bulletproof solution. When a company uses hyperbole or otherwise claims 100% effectiveness, it misleads potential customers who don’t know better. This can harm users who expect it to be true. Some claims are more blatant than others, but any claim that could be construed as a surefire way to be anonymous is counted.

Incentivizes social media spam: These companies offer rewards such as extra data allowances or free subscription time to users posting about their service on social media. This clogs up research channels and pads the number of likes (and amount of attention) a given service or feature receives. This also includes affiliates who post “deals” on behalf of the company to bring in traffic. This could mislead customers.

Forbids spam: Email or comment spam (by affiliates).

Ethical copy: Some companies expect their affiliates to use ethically acceptable copy (keywords, terms, meta tags, descriptions, and web designs) in their advertising campaigns. Ethically acceptable copy is considered copy that is not deceptive and doesn’t impose on the trademarks, copyrights, or intellectual property of another product, company, or entity. Purchasing advertisements on search engines with the names of the represented companies is strictly prohibited.

Requires full disclosure: This includes, but is not limited to, Federal Trade Commission 16 CFR Part 255 (or equivalent): Guides Concerning the Use of Endorsements and Testimonials in Advertising. This requires that material connections between advertisers and endorsers be disclosed. This means that directories, review/rating sites, blogs and other websites, and emails that purport to provide an endorsement or assessment of a company must prominently disclose that financial or similar compensation is provided by the advertiser.

Affiliates: Affiliates are free agents who are bound to the terms of the companies they represent. They receive commissions or incentives to funnel traffic and referrals to the company’s site via affiliate links. While companies are not directly responsible for their affiliates’ actions, they have a responsibility to keep affiliates and resellers operating within the terms of their partnership. Ideally, this means not spamming, breaking copyright, and providing full disclosure.


VPN Review Badges

Disclaimer: Like my reviews and ratings, these badges reflect my opinions on and experiences of the VPNs I try out. As stated at the beginning of all my reviews, I will do my best to provide evidence describing how I arrive at my conclusions when awarding these badges. You can learn more about how I conduct my reviews and my methodology here.

When writing reviews, I often want to emphasize one or more aspects of the VPN in question. To make it simple to find exceptionally good or exceptionally bad points, I’ve implemented a series of badges. Some of these badges have tongue-in-cheek names intended to entertain, but they reflect strictly my opinion. Companies who earn these badges are free to use them on their websites as long as they link back to this site (with a hyperlink over the badge icon in question).

Next to the name of each badge is an example of how a VPN can earn it. These “criteria” are in addition to my impressions and experience using the service. The Badges of Honor reward outstanding, industry-class VPNs. To earn one, the VPN has to perform well in the majority of a category’s fields and demonstrate exceptional experiences, effort, systems, and policies as well.

I’ve also created Stamps of Shame. Companies can earn these badges by delivering a terrible service, for example, by not offering a major feature or never responding to support requests. These badges are not given lightly. Just as a VPN has to be truly exceptional to win a Badge of Honor, Stamps of Shame are only given to services with especially bad policies or experiences (one or two issues in a given area are usually not enough to earn such a demerit).

The Badges of Honor

Privacy – Doesn’t ask for more personal information than an email address (without verifying); offers at least one anonymous payment method; clear no-logs policy.

Features – PGP key available; offers two or more obfuscation methods; officially supports a manual .ovpn config setup without the need to contact support; supports OpenVPN.

Technical – Solid service configuration: Uses 1st party DNS servers; doesn’t block ports (at least some servers are kept open); US speeds are 80%+ and international speeds are 15%+; uses dedicated servers; default encryption is strong.

Elegance – Terms and policies are relatively simple; provides an easy method to test service (whether official trial or refund period); allows for refund without bandwidth or session limits.

Support – Support is both speedy (initial response less than 24 hours) and helpful (able to resolve at least basic issues within 24 hours of first response).

Website – Design of the site is easy to follow and use; less than 3 cookies and less than 3 trackers; less than 3 proprietary APIs; A grade or higher SSL rating; self-issued SSL cert.

Ethics – Less than two ethics “violations”: if service has an affiliate program, terms must require ethical behavior; appears to actively support good causes and promote good business practices.

That One Privacy Guy’s Choice – The ultimate badge represents an outstanding review with no major faults.

The Stamps of Shame

Exposed – Requires personal information; logs everything or almost everything; offers no anonymous payment method.

Basic – No manual configuration setup support whatsoever; Linux and Android (manual) are afterthoughts if thoughts at all; generally unfriendly towards advanced users who prefer setting things up themselves.

Broken – Weak encryption used by default; default settings are lacking in an egregious way; ports blocked.

Obtuse – Terms are out of control and too long; company goes out of their way to absolve themselves of all responsibility towards the customer.

Silent – Support took three or more days to respond to an initial request for assistance (if they replied at all); given even if they do respond but are not helpful.

Website – Website relies too heavily on cookies and trackers (more than 10); proprietary APIs (more than 10); has a C or lower SSL rating; uses Cloudflare/Incapsula or has no SSL cert at all.

Shady – Has more than four ethics “violations” on the comparison chart; company engages in affiliate marketing without limits.

Pile of Junk – The ultimate demerit means avoid at all costs; there are too many things wrong to count.


About My Reviews

If you’ve read my site, you’ll know that I’m not fond of most VPN affiliates or their native advertising (this is usually advertising thinly disguised as content). These sites typically have dozens of reviews and features titled, “Top 10 Best VPNs!” and “Top 10 Fastest VPNs!”. Typically, these sites require little effort. They almost never contain content beyond official marketing and some anecdotal evidence of using the service. Sadly, this is enough for most people researching a VPN – they just don’t know any better. After all, if the first 10 pages of a Google search return nothing but sites that echo the same information, who are they to argue?

Not all review sites are phony. However, the sad reality is that the vast majority are, especially in the VPN industry. To discover the root cause of the problem, one need look no further than the money trail. These review sites receive a commission from the company every time a reader purchases their service using the links in their reviews. Herein lies the conflict of interest.

It goes without saying that this kind of business makes it very difficult to find reviews that:

  • Are unbiased – Why should a reviewer be critical if criticism could cost them sales? Why should they recommend a better service over one which delivers a bigger payoff? Companies may threaten to penalize or even terminate an affiliate partnership if a review is damning, and a reviewer might punish a company that pays less or chooses to end an arrangement in their reviews.
  • Dig deep enough into the services they review – Why should a reviewer dig through pages of terms and conditions and run a series of tests on a service? It’s almost always easier to parrot marketing from a company’s site and slap a few bullet points next to an affiliate link than it is to actually use a service for a while, test its policies, and critically analyze what’s on offer.
  • Are about companies with no such affiliate programs – Why should a reviewer pay attention to a company if there is no revenue to be generated by referral links?

Content creators who do generate honest reviews are often not paid enough for an 800-word review to justify the time it takes to use and test a VPN properly. This leads to skin-deep reviews that don’t contain detailed tests or tell the reader much beyond the obvious. Regardless, these honest reviewers are drowned out by the far more prominent and less ethical variety. A few such sites have even contacted me over the last few months offering me work writing these reviews. I turned them down (even though they were prepared to pay well and I believed they had good intentions) because I wish to remain unquestionably unbiased for people who follow my project.

Some of the “best” (most advertised) VPN companies have accepted that this is just the way it works. They’re happy to continue operating like this. They are good at almost nothing but surviving, which they manage with marketing alone.

I feel like all of the above reasons have made it almost impossible for users to find real information. The goals of my project are 1) disseminating information and 2) industry improvement. I want to make sure reliable information is available and to be a catalyst to help the industry be better than it currently is. I want more transparent VPN companies and more people prepared to criticize them. I also want to keep reviewers honest and help people bypass the torrent of monopolized search results. That’s why I’m going to write my own VPN reviews.

To reinforce my goals: I’m not taking advantage of any reseller programs, and I’m not being paid by the companies I review. My goal is to inform the reader and set a standard for others to follow. Unlike the model I described above, my interests are aligned with those of my readers. If I receive any monetary compensation for my work, it will only be from readers who find my work useful and choose to contribute to the project.

You can read more about my review methodology below. Essentially, I will randomly select a VPN to review, purchase the service, and begin using and examining it. Once I’m satisfied that I have thoroughly used it, I will write a review and post it on my site, then share it on various platforms (like Reddit and Twitter). I plan to continue this until I either am no longer able due to time constraints or am satisfied that the industry has improved adequately.

To our friends in the VPN industry: we’re now expecting more from you.


VPN Review Methodology

Platforms for privacy: Many VPN companies have their own official apps for Windows, Mac, iOS, and Android. I don’t think these platforms are ideal for privacy, as they collect and transmit massive amounts of data. All of my tests are done using the hardware testing setup referred to below. A standard setup could never realistically provide the level of privacy that you’re looking for if you’re reading this.

Layers and common sense are the best approach: My testing philosophy is aimed towards more advanced users who know a bit about networking and can change settings in their system, browser, and VPN configuration for better security. I won’t cover some typical concerns for VPN users (like IPv6 leaks and kill switch effectiveness), as the solutions for these issues should be implemented on a system level (by disabling IPv6 and properly configuring a firewall, for example). Don’t rely on an application-level feature that attempts to resolve these issues as they cannot compare to lower level solutions.

Publicly available information: My VPN Comparison Chart contains a lot of information about many aspects of each service I will be reviewing. To avoid being redundant and bombarding the reader with information that’s available in the chart, I will mostly cover my experience and the tests I perform. In other words, my reviews are a commentary on information that’s not publicly available. I’ll let the Comparison Chart stand as a review supplement for anyone interested in information on pricing, the number of connections etc. Between the glossary and color coding, my thoughts on these are well-documented. The exception to this will be any red flags I find in the terms and conditions and privacy policies of a given service. If there are problems, I will dig into them to warn the reader of potential concerns.

Random selection: This is my most updated selection process. Before writing a new review, I will give readers a chance to nominate a service of choice to be reviewed. I will send out a form on Twitter, diaspora*, and Gab. Any service nominated must already be on the VPN Comparison Chart, and must have not been reviewed in the previous 12 months. I won’t accept duplicates, and will remove them before selection. I will continue using random.org so that readers can independently verify the “roll”. The number selected correlates to the row in this spreadsheet. I will highlight the selected service and leave it on the sheet until the next review selection process begins.

Badges: In the course of writing reviews, I often want to express my satisfaction or displeasure with certain specific aspects of a VPN service. I have created badges that appear on reviews to indicate this. More information can be found here.

Current Testing Setup: Details of my current setup (as of Nov 7 2017) can be seen below:

  • Desktop: i5 4670K, 16 GB RAM, 500 GB SSD, GTX 980 (GPU isn’t really relevant for VPN tests, but somehow feels wrong to leave out).
  • OS: Manjaro Linux
  • OpenVPN and .ovpn files manually configured
  • Browser: Firefox
    • Privacy Tools tweaks
    • uBlock Origin
    • Privacy Badger
    • HTTPS Everywhere
  • Router: TPLINK Archer C7 AC1750
  • OpenWrt 15.05
  • ISP: Cox Communications Ultimate Tier (300 mbps download and 30 mbps upload advertised speeds)

Sources:

Privacy Tools Firefox Tweaks:
https://www.privacytools.io/#webrtc
https://www.privacytools.io/#about_config

Speed tests: beta.speedtest.net (html5 version of the service which should not suffer from misreading compression)


Choosing a VPN

Disclaimer: The guide below is my opinion. I will try to provide evidence and examples to support it. I reference my VPN Comparison Chart throughout because I believe that it’s a solid resource to help you determine if a VPN meets your needs and is right for you. If you’re ready to go down the VPN rabbit hole, buckle up – this is going to be long.

Contents

  1. Introduction
  2. A Word About Trust
  3. A Word About VPN Affiliates
  4. Privacy
    a. More on Trust
    b. More on Affiliates
    c. Jurisdiction
    d. Logging
    e. Payments and Communication
    f. Protocols
    g. DNS and IPv6 Leaks
    h. Encryption and Other Features
    i. Websites and Your Privacy
  5. Security
  6. Bypassing Geoblocks
  7. Bypassing Restrictive Networks
  8. Clearing up Misconceptions

1. Introduction

The following is intended as a detailed guide to answer the question, “How do I choose the best VPN for me?” This is hard because people’s needs and level of technical knowledge vary greatly. There is no one perfect VPN: they all have at least some flaws and some will be better for different people.

I’m assuming that if you’re reading this, you have some knowledge about the basics of VPNs, so I won’t cover that. I will heavily emphasize the need for a VPN for privacy, but I will expand on other use cases towards the end.

2. A Word About Trust

Regardless of why you need a VPN, you want to know that the service you choose is trustworthy and will not compromise your data. You should keep reading even if you only want a VPN for bypassing geoblocks or other non-privacy uses. I’ll go into more details in the “Privacy” section, but it’s important for everyone to understand a little about trustworthiness.

We live in a society where privacy is undervalued and under assault daily. Some people eventually notice that their privacy is at risk and discover that they actually do value it. They set out to educate themselves and learn about tools to help them protect it – like I did when I started my project. We depend on each other for direction and on others to write software and run services to help keep us secure, so transparency and trust are paramount.

3. A Word About VPN Affiliates

You probably started your search for a VPN by looking for “VPN Reviews” in your search engine of choice. This would have returned pages of what seem to be harmless review sites, with Top 10 or blog-style reviews of different VPN services. You may have even arrived at my site for confirmation of what you learned on those pages. The sites making these “honest” recommendations are almost always paid by the services they review and recommend. They are beginning their business relationship with you with what is essentially a lie. The technical term for this kind of marketing is “native advertising” and its abuse is a huge problem in the VPN industry.

I have captured this kind of data on my VPN Comparison Chart. In it, you can find information on services that have affiliate programs, the specific policies they have for them, and whether or not their affiliates act ethically. In other words, you can see what each VPN provider tolerates from those representing them when it comes to persuading you to buy into the information they put out.

Not all affiliates are bad actors, and having an affiliate program is not necessarily a reason to mistrust a VPN. Problems arise when those services allow their resellers to generate referrals by any means necessary. If you see a service appear over and over again on the kinds of sites mentioned above, there is a good chance they are making money from them, and are okay with deceptive practice as part of their business model. Companies often claim that they can’t control how their affiliates behave. This is false. Like anyone entering into a business relationship with someone, affiliates agree to certain terms from the service hiring them. If a company doesn’t expect and enforce certain standards from their affiliates (not spamming, not breaking copyright, disclosing who they are etc), they are approving these unethical methods. As such, they are not worthy of your trust. If they are willing to lie to you before you even buy their service, you can expect dishonesty as a customer.

4. Privacy

a. More on Trust

Just like a lawyer represents your legal interests, a VPN service represents your privacy interests. If a lawyer does something to violate your trust or is not honest about an aspect of their representation that could affect you, you would – rightly – fire them. VPN services are the same. Many are less than honest or trustworthy, and are not worth your time or money. However, unlike a lawyer, a VPN can be put together and promoted by anyone with access to a computer. You never see who’s behind the brand, and have to find other ways to work out if you can trust them.

If you need a VPN for privacy purposes, you already believe you cannot trust certain parties. Those parties might be companies whose websites you visit, or maybe even an oppressive government whose mass surveillance is encroaching on your rights. If you are in a position where you must rely on someone else for protection, the last thing you need is one more party you can’t trust.

Choosing who to trust is an important decision, and not all VPN services deserve that trust. You’re trusting them to be able to operate a competent service that will protect your privacy. You’re trusting them to be responsive to new technical and geopolitical threats to their operation. You’re trusting them to be honest with you in the way they do business so that when you are shopping and comparing, you are getting accurate information.

b. More on Affiliates

I talked about affiliate practices at the beginning of this guide, so I will only briefly mention it here. If you choose a company with an affiliate program, choose one that expects and enforces good behavior from their reselling partners. You can usually read their affiliate terms on their site. If they are not publicly visible, they should respond with this information when asked. If not, or if they play games with you, look elsewhere. More information on affiliate policies and behavior can be found in my VPN Comparison Chart.

c. Jurisdiction

In the last few years, it’s come to light that various countries are conducting mass surveillance programs. These countries are known as the Five, Nine, and Fourteen Eyes. These countries don’t just spy on their own citizens where they can get away with it. They also spy on each other’s citizens and swap notes to bypass governmental restrictions on power. If a service or its owners are based in one of these countries, we can reasonably expect that they may be susceptible to unlawful searches and compromises made in the name of national security. That said, if your threat model includes protection from such actions, choosing a company incorporated outside of these jurisdictions may still not be enough to protect you. Such actors have vast resources, and if singled out, you would need to worry about more than just your VPN (and use other resources like Tor and Tails, and pay very close attention to your opsec). The location of the servers you connect to and the people who operate them is far more important than where a company is incorporated if you’re trying to protect yourself from governmental overreach.

Other countries are not part of the spy collaboration mentioned above, but still have government limitations on internet freedom and free speech. Avoid countries with limited internet freedom. The degree of internet freedom a country has can also be found under “Jurisdiction” on my chart.

d. Logging

When you connect to a VPN service, you essentially add one more stop along your route to the open internet. The VPN is a “man in the middle” who you trust with the traffic and connection data that is generated in the background when you use the internet. Some VPN companies choose to log this data. There are many reasons for doing so, and some are more legitimate than others. Some services record data to protect themselves legally in case they are approached by authorities. Some companies keep minimal connection logs to aid them in maintaining servers. Some will even sell your data to third parties as part of their business model. If privacy concerns you, you probably don’t want your browsing habits and connection data to be recorded. Choose a service that states that they do not keep logs and which specifies the types of logs they do not keep. Make sure they do not keep any kind of activity or connection log. Many services claim not to keep logs, but their policies are vague and, when examined, turn out to log some data. Be wary of such promises until you’ve confirmed them for yourself in their respective terms and privacy policies.

e. Payments and Communication

If privacy is your priority, you need to be careful how you pay for your VPN service. Services that let you pay with cryptocurrency, cash, or gift cards are the best way to ensure your anonymity is protected. If a service requires more personal information than an email address, run away: this is information they’re recording about you that at best may be sold to third parties, and at worst used to identify you.

Some services offer a PGP key for additional privacy. This is a nice extra if you want to be able to communicate with them using encryption.

f. Protocols

There are many kinds of VPN protocols which allow you to establish a tunnel with your service provider. Some are more secure than others. Certain protocols are documented to have been compromised. Others are free and open source, so are freely available for security experts to audit and improve. The free availability of the source code helps to ensure that vulnerabilities are patched quickly and that individuals who are so inclined can see exactly how their software works. Choose a VPN that supports OpenVPN and use it to connect to your VPN server. Avoid using other protocols, specifically PPTP, which is not suited for privacy.

g. DNS and IPv6 Leaks

When you use the internet, your computer sends and receives a lot of data that you can’t see. When you type in a web address, a request is sent to a server that is usually operated by your ISP. When you connect to the internet using a VPN, the request is sent to a VPN server instead. If your VPN doesn’t take certain actions, your request – which contains information for the site you want to visit – is sent to their ISP instead. This may not be as bad as it going through yours, but as I mentioned above, if the company in question keeps certain logs, there is a chance that the sites you try to visit can be correlated with timestamps from when such a request was sent. As an alternative, some use public DNS servers like Google’s, which is not ideal for privacy. Choose a VPN service that maintains their own first party DNS server that won’t leak, and then test it to make sure.

When using the internet, you connect to IP addresses. Traditionally, this uses IPv4. There is another standard that will someday be more prevalent called IPv6. More IPv6 numbers exist than IPv4. Most VPN services currently aren’t compatible with IPv6 data. When you use the internet (unless you have specifically taken steps to disable it), you are sending and receiving IPv6 data. This data is usually sent and resolved through your ISP and their DNS servers. Unless properly configured, this information might not be securely passing through the VPN tunnel and could be leaking to the open internet. It’s pretty easy for remote sites to identify user ISPs based on IPv6 addresses, and even easier for authorities to demand account information from those ISPs. Choose a VPN service that either blocks IPv6 traffic or prevents leaks by providing a new VPN-specific IPv6 address and an IPv6 DNS server that’s reachable only through the VPN tunnel, and then test it to make sure it works.

h. Encryption and Other Features

In around 1440 AD, the printing press was invented. It created a way for common people to quickly disperse information, paving the way for free speech and freedom of information. Today, the internet allows billions of people to freely and openly share ideas and advance humanity. This reaffirmed people’s rights to freedom of speech and information in such a way that was difficult for governments or organizations to stifle. This brings us to computerized encryption. Encryption is an easy-to-use method that allows the average user to reinforce their right to security in their persons, houses, papers, and effects, against unreasonable searches and seizures.

Choose a VPN service that has strong data and handshake encryption. Make sure the protocol you choose can use the level of advertised encryption, as services typically provide more than one protocol with varying levels of encryption strength. The VPN Comparison Chart can help you determine what is considered to be strong enough. Make sure that the type of encryption you want is used by default, as some services will offer strong encryption, but it has to be manually configured (not user-friendly).

Depending on your use case and threat model, you may want to make sure that Authenticated SMTP (to send email) and P2P (to file share, download, and use Bitcoin) are not blocked on your VPN’s servers.

i. Websites and Your Privacy

When you’re browsing through services’ websites, there are some additional items you may want to consider. Some companies use tracking cookies to determine how to best serve you ads, track which other sites you’ve been to, or uncover specific personal information. In the best case scenario, this is an abuse of power by companies stretching the limits of their ideas on how to gather this information. In the worst cases, cookies can be used to intentionally violate your privacy and link your device to a certain site or activity performed. Choose a company that respects your privacy enough to use few (if any) persistent or external tracking cookies. If companies begin violating your privacy the moment you visit their site, you can’t trust that they will take your privacy seriously after you hire them to represent your interests. HTTPS allows websites to completely encrypt all data sent and received by the user, effectively blocking out anyone who might try spying on such web traffic. Choose a service that encrypts their website with an SSL Certificate.

Additionally, CloudFlare, Incapsula, and similar services have recently become popular with websites for their DDoS protection and dynamic bandwidth scaling. However, these services act as an additional man in the middle between your VPN’s website and you. In the wrong hands, the information they collect and can access about your VPN’s website and your interaction with it could be compromised. Avoid VPNs that use CloudFlare, Incapsula, and other such services.

5. Security

Many of the points made above are relevant to security as well as privacy. I’ll go into detail below.

It’s important to be aware of jurisdiction, specifically Enemies of the Internet. This helps us to know where laws are enforced, and where the physical security that we may take for granted is applied to the servers we communicate with. This also helps indicate that your VPN service and the servers you connect to are located in places that respect internet freedom. This information can be found in the Comparison Chart and confirmed on the Reporters Without Borders website.

IPv6 should be specifically tunneled or blocked outright, as in the privacy scenario above. Similarly, first-party DNS servers are ideal for preventing your data from being leaked.

Strong data and handshake encryption should be available for the protocol you choose (again, this should not be PPTP). Other protocols are probably secure enough for daily use. Note that no protocol is bulletproof: holes can probably be found in all of them. Such exploits are easily discovered by governments with vast amounts of resources.

6. Bypassing Geoblocks

If your only concern is bypassing geoblocks, you’ll probably find it easier to find a VPN you’re happy with. Being able to connect to an exit node in the country of your choice is your only real requirement. However, this doesn’t mean that you should neglect the proper security measures discussed above. It just means that they’re less important if Netflix, Hulu, and sporting events are all you need your VPN for. If privacy and security concern you, you should know that getting around geoblocks will almost always come naturally when choosing a more secure VPN (as long as the one you choose has exit nodes in the country you want to access).

7. Bypassing Restrictive Networks

Some parts of the world ban citizens from freely sharing information. To prevent free speech, they have implemented roadblocks in their networking infrastructure to cripple such communication. For example, the Great Firewall of China has several layers of VPN detection and blocking built into it. Other networks belonging to large corporations or your ISP may prevent you from using certain ports, limiting what you can use the internet for. However, you can get around these restrictions with the right VPN.

Features such as multihop, TCP port 443, Obfsproxy, SOCKS, SSL tunnels, SSH tunnels, and some other proprietary solutions (which may be built specifically by a given VPN company) can be useful in avoiding these restrictions. The most effective solution depends on the problem you’re facing. Speak with your VPN service’s support team to determine what might help you. The VPN Comparison Chart shows which services support these protocols and features in their configuration. Using TCP port 443 is usually a relatively common and user-friendly measure to bypass a restrictive or oppressive network.

8. Clearing up Misconceptions

Kill switches – Many VPN services offer a feature called a “kill switch” in their clients. In theory, a kill switch means that if the VPN loses its connection, it completely prevents the device from using the internet, preventing accidental leaks of local connection data. Kill switches are implemented very differently from VPN to VPN and will never be secure due to their design. The only 100% effective and secure configuration for leak prevention is a properly configured firewall. There are two main types of kill switches: those which shut down pre-configured apps in response to detecting the VPN connection has dropped, and those which disable your network connection (or delete routes etc.) if they detect a disconnection. In both of these cases, the kill switch component has to react to an event, and this often leads to leaks, as just a single packet can compromise your privacy. The only way to be absolutely certain that packets cannot leak is to use an independent component (the firewall) to block all packets that aren’t heading to your VPN.
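The firewall approach described above, together with the “block IPv6 outright” option from the DNS and IPv6 Leaks section, as an added example that is not part of the original guide: a shell function that prints a default-deny iptables/ip6tables ruleset for review before it is applied as root. The server address 203.0.113.10, port 1194/udp and interface tun0 are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prints a default-deny ruleset; it does not apply anything.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1    # split on dots; input is known to hold only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vpn_firewall_rules SERVER_IP PORT PROTO TUN_IF
# Writes iptables/ip6tables commands to stdout so they can be reviewed first.
vpn_firewall_rules() {
    server=$1 port=$2 proto=$3 tun=$4

    # Validate every value before it is interpolated into a command line.
    is_ipv4 "$server" || { echo "bad server address: $server" >&2; return 2; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
    esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 2; }
    case "$proto" in
        udp|tcp) ;;
        *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac
    case "$tun" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface: $tun" >&2; return 2 ;;
    esac

    cat <<EOF
# IPv4: start clean and drop everything by default, in every direction
iptables -F
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# The only traffic allowed on the physical interface is the tunnel itself
iptables -A OUTPUT -p $proto -d $server --dport $port -j ACCEPT
iptables -A INPUT -p $proto -s $server --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Everything else, DNS included, can only leave through the tunnel interface
iptables -A OUTPUT -o $tun -j ACCEPT
iptables -A INPUT -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IPv6: blocked outright, so nothing can bypass the IPv4-only tunnel
ip6tables -F
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
EOF
}

# Constructed placeholders: a documentation-range address and a typical
# OpenVPN port and interface name. Replace with your provider's values.
vpn_firewall_rules 203.0.113.10 1194 udp tun0
```

Because the policy is DROP before the tunnel exists, a dropped VPN connection leaves no route for packets to escape, which is the property a reactive kill switch cannot give. The ruleset takes the server as an IP address because DNS is only allowed through the tunnel, and it permits no DHCP or LAN traffic, so add those rules deliberately if your network needs them.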

Warrant canaries – Some VPN services maintain a document called a “Warrant Canary” which is self-published and updated. It certifies that the company has not been contacted by government agencies or coerced into compromising their users’ data. In theory, if someone demanded that they hand over data, they could stop updating the canary, which would in turn show users that their data is no longer private. Not all companies use effective warrant canaries. Some experts debate if warrant canaries are effective in the first place, as theoretically governments could coerce companies into maintaining them, nullifying their integrity. As such, they are usually nothing more than marketing theater. It’s basically impossible to tell if a company is operating a good canary. It might be worth looking for a warrant canary once you’ve found a trustworthy, capable service, but don’t make it a feature to check for when shopping around.


Why Are VPNs Really Important? (Hint: It’s Not About Netflix)

Since the launch of geoblocked streaming sites like Netflix, people with almost no technical knowledge at all have become interested in VPNs. But – as you’ll know if you’ve made it this far down the page – VPNs are primarily privacy tools. While researching for my reviews, I take deep dives through companies’ sites and customer service. I get to learn if companies truly value both your privacy and you as a customer. When websites don’t bother including technical information, or customer service reps don’t understand how the product they represent works, it raises a red flag for me: this is a lazy and unethical company.

Some VPN companies just don’t take your privacy seriously. When you trust them to act in your best interests and protect your privacy at all costs, this is a huge issue.

Many governments around the world silence their citizens and strip them of their fundamental rights. Censoring political content is abuse. Blocking access to search engines and social media – especially in response to activism or terror – is abuse. VPNs exist to protect users from this abuse (and not just to unblock Netflix). You should have complete confidence in every aspect of the commercial VPN service you buy. You should expect it to be competently run by honest, transparent people who are passionate about privacy and understand what is at risk for their users: everything from maintaining their privacy to political dissidence against oppressive regimes that sanction free speech. We aren’t talking about something from Walmart breaking or an order getting screwed up at McDonald’s. The policies and actions of VPN companies have far greater consequences than people not being able to watch Netflix. When things go wrong, people lose their rights.

Lives are at stake.


FAQs

Q: Do you work for any of the companies on your sheet?

A: Nope! I am not associated with any VPN or email company, or their advertisers or affiliates.

Q: Why on Earth did you start this project? Are you insane? It must have taken hours!

A: It did! Thousands of hours at this point. I started it to help me choose a VPN and thought others would like it as well, so here it is. Since people liked it, I spend my free time keeping the charts up to date, adding content, and making it all better.

Q: Why bother updating and expanding it? Haven’t you learned enough about the companies on the charts at this point?

A: Between aggressive affiliate promotion, lazy policies, and many biased reviews, I’ve come to realize that the web service industry is a bit of a mess where privacy and transparency are concerned, and that I could do some good untangling the knots with my data. I’m trying to hold these companies accountable and present the data in a clear and unbiased way for potential customers, as I don’t feel I had the luxury of honest data when I started researching for myself.

Q: Why is your data even needed in the first place? Aren’t there a hundred other review and comparison sites out there?

A: Every VPN review or comparison website I’ve come across was either extremely short on data or nothing more than a disguised advertisement bought and paid for by the companies they promote. Many of these companies support unethical means to funnel in web traffic and referrals to their services, and most of the time, customers aren’t savvy enough to even know they’re being fooled. I want to change that.

Q: Can you give me a recommendation?

A: Sorry, but to be unbiased, I created my project for others to make this determination for themselves. Everyone’s needs and threat models are different, so if I made a suggestion that was great for me but that conflicted with your needs, it could make things worse for you.

However, I wrote a guide to help you choose the best VPN for you that may give you further guidance. Additionally, the Simple Comparison Chart offers a quick overview you may find helpful.

If you really don’t want to do the research for yourself, there is also a recommendation megathread on Reddit you can use. However, you’ll get out what you put into this endeavor. If the most you’re willing to do is ask a stranger on the internet, you’ll probably get a poor recommendation, or an advertisement disguised as one, in return.

Q: Why do you focus so heavily on web-based services?

A: While I like helping people learn about all kinds of privacy software and services, most of the heavy lifting has been done by some very dedicated teams (privacytools.io, prism-break.org, and reddit.com/r/privacy to name a few). However, I feel that the privacy-based web service industry in particular lacks sources of reliable information and has a lot of room for improvement. I feel that my time is best spent in that area for now. If you feel like asking me questions unrelated to web services, feel free! It’s a nice change of pace for me.

Q: Why don’t you score services that have more greens so they are sorted to the top of the chart or somehow rank the services?

A: The fields in the chart are not equal and everyone’s needs are different. If people are serious enough about their privacy to use a VPN, I believe they should spend at least a few minutes researching what to look for so they can make an informed decision for themselves.

Q: My/A company’s information is incorrect, please update it!

A: Anyone can contact me using the info in the “Contact” section. I’m happy to work with any individual or company who is courteous and professional. Do not forget to include a link to the official source that I can use to verify the change.

Q: Can your data be wrong?

A: My data simply reflects what is officially and publicly available on companies’ own official websites. This is to a) encourage companies to be transparent and detailed for their potential customers, and b) prevent a destructive third party from abusing the data by claiming to be the company in question. If a company buries a piece of information or neglects to even include it in the first place, it will be left off. In some cases, I assume the worst and give a default value (for example, if a company makes no mention of OpenVPN, I assume they don’t use it).

Q: Shouldn’t the burden be on you to make sure the data is 100% right before posting it?

A: Even if I were to reach out to each company and get confirmation about everything on the chart, I have no way of actually verifying most of the data beyond what they tell me. I’d rather be able to point to an official documented source so anyone can see and independently verify the data. Even if I wanted to reach out to hundreds of companies, there just isn’t enough time in the day. As I state above, I’m more than happy to correct something wrong, if given an official source.

Q: Why don’t you have some obvious fields like “Works with Netflix/Hulu” or “Works in China”?

A: Besides the impracticality of testing each VPN for each service, services or governments could use the data I publish to crack down on those that still work. If you’re interested in bypassing China’s firewall or streaming Netflix, your best bet is to narrow the field using the comparisons and then test out your top 3-5 options using free trials and refund policies.

Q: How does the Simple Comparisons Chart work?

A: The Simple Comparisons Chart uses weighted values from the raw data in the Detailed Chart. The purpose of this comparison is to give you a less “scary” view of the data.

Q: Can I contribute by donating?

A: You bet, and thank you for your generosity!

Bitcoin Cash (BCH) – 12s9BQoNWAr1uccJy7jK8Xvj9tUTFpBSXp

Bitcoin (BTC) – 134i9dHX9QiRPynYuy8RLzcbVoNf68xSZW

Ethereum (ETH) – 0x8e8e40e924e7022a1d409463d7b9eccea590b610

Monero (XMR) – 4322YVrNPQA8n36GULrEa8EoHXsqeDhTa3D9PVSzSKeZD4oA2NaAzqZCq69BN2VPUi8RzKVZ5JvLyX91xfJvdcRv9N3y547

Q: Can I copy, link to, and use this information for myself and others?

A: Absolutely! I have licensed my VPN Comparison Chart under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


About

This site is intended as a resource for people who value their privacy, specifically those looking for information on VPNs (that isn’t disguised advertising). When I started down the path of retaking my own privacy, there was very little reliable and detailed information about VPNs available.

I started researching data about VPN services for my own knowledge, then posted the information online in case other people might find my work useful. Through the positive feedback and assistance those in the community offered, I’ve been able to compile all of my related work in one location and expand the resources I’m able to offer.

This project has been featured on:

EFF 1 | 2 | Digital Rights Watch | Freedom House | Business Insider | Gizmodo | NPR | Lifehacker 1 | 2 | 3 | TechCrunch | Engadget | Ars Technica | Wired 1 | 2 | 3 | Mashable | BGR | The Wirecutter | Popular Mechanics | Popular Science | Krebs on Security | The “South German Newspaper” (German) 1 | 2 | Vogue?!

Special thanks to:

/r/vpn | /r/privacytoolsio | /u/likwidtek | DunTip

Other useful sites regarding privacy and free software:

privacytools.io | prism-break.org | droid-break.info | securemessagingapps.com | reddit.com/r/privacy | distrochooser.de/en | f-droid.org/en/

About the author

I started researching data about VPN services for my own knowledge, then posted the information online in the hopes the Internet might find my work useful for themselves. Through the positive feedback and assistance those in the community offered, I’ve been able to take this step into compiling all of my related work in one location and moving away from the Google Spreadsheet that it was originally created on.