VPN privacy: more than 70% of providers are breaching GDPR
VPN services have increasingly become an essential tool for securing your online privacy during everyday browsing. Short for virtual private network, it’s a versatile software that spoofs your IP address and encrypts the data leaving a device.
However, the level of protection offered differs significantly from provider to provider. That’s why researchers at PrivacyTutor examined 144 services to understand how serious these companies actually are about the privacy of their users.
The findings paint a pretty grim picture across the industry considering that, among other things, over two-thirds of the providers analyzed currently violate GDPR provisions.
VPNs and tracking cookies
Web tracking refers to the collection and sharing of information about a specific internet user’s online activities. Web trackers hide in the code to gather data in the background for different purposes like running ads, analytics, and profiling.
Researchers found an astonishing number of tracking cookies lurking across the great majority of VPN providers’ websites and Android apps. Many companies didn’t even give the option to opt-out from this tracking, in complete breach of current GDPR rules.
“If VPN providers use cookie-based tracking and web analysis services such as Google Analytics, this is only permitted with prior express and voluntary user consent according to Section 25 (1) TTDSG,” attorney Phil Salewski of IT-Recht Kanzlei Munich told the researchers. “In case the consent is not obtained before or not given voluntarily, there is a violation of applicable data protection law.”
Even worse, in our view, individuals ready to make a purchase to improve their privacy online were actually achieving the opposite and were tricked into thinking they would be safe from snooping.
Around 72% of VPN services (104 out of 144) were guilty of not complying with data protection laws by failing to ask for consent to tracking cookies. In some cases, like with HideMy.name VPN, the website set cookies like Facebook or Google Analytics even when researchers didn’t give their consent to tracking. Only 24% (34 providers) do not use any tracking cookies on their website.
Researchers also found a huge amount of different types of web trackers hidden in the code of many Android VPN apps—79% of services analyzed use trackers in their Android app with an average of 3.4 trackers each. The numbers are sometimes way higher. For example, iTop VPN app counts 17 of them. Unfortunately, it wasn’t possible to check the same for iOS apps.
Overall, only 12 providers were completely tracker-free on both websites and apps. These include Mullvad, AirVPN, and ProtonVPN. Our experts run similar tests on a regular basis, too. According to our results, Hide.me and Windscribe also had no trackers on their websites or apps.
Failing no-log VPN promises
Another feature that tells a lot about the degree of protection of a VPN is whether or not the software collects users’ usage data.
Swedish-based Mullvad VPN has recently proved its no-log promises in real life after being hit by an inconclusive police raid. The police intent was to seize computers containing customers’ personal information, but officers left empty handed as no user details had been stored.
A no-log VPN means that, despite some functional data, the provider doesn’t store any information on users’ activities. That’s important as even in case of law enforcement requests or data breaches there won’t be anything to share.
There are countless VPNs out there calling themselves no-logs. Yet, just a tiny fraction of providers actually back up their promises with an independent security audit.
To be precise, out of the 80% of the VPN services claiming to not store any usage logs, only 17% of them have had an external audit on their privacy policy.
Our top three favorite services right now—ExpressVPN, NordVPN, and Surfshark—regularly test their no-log claims, with Express undergoing 11 independent audits in 2022 alone.
On top of this, some providers tout a no-logs policy, but a closer inspection of their privacy policies shows tracking from third-party partners. The official party line seems to be “we’re not logging your data” but someone else is.
One example of this is Planet VPN (also known as Free VPN Planet and Planet Free VPN). On its Privacy Policy, it notes, “Our VPN app may show ads in Free Mode, by accepting this Privacy Policy you also accept Privacy policy of our Ad partner.” It links out to the Privacy Policy for Appodeal which offers a hefty list of tracked information, including:
“Internet protocol (IP) address, cookie identifiers, mobile advertising identifiers, and other device identifiers that are automatically assigned to your Device when you access the Internet, location data, browser type, operating system, Internet service provider, pages that you visit before and after using the Website or our Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view on our Website, and other actions taken through use of the Website or Services such as preferences.”
All in all, it feels quite an underhanded approach to us. After speaking with a spokesperson for Planet VPN, they claimed “As for the privacy policy, we openly state that our partners may collect data for advertising purposes. We run those ads to keep the service alive. This is a common practice in the world of technology. Additionally, we believe that data collected by our partners do not un-anonymize users in any way.”
Common practice or not, that doesn’t excuse the fact that it flies in the face of the intended use of the service—privacy.
After some back and forth with the representative, they noted that “As of now we have an agreement with Appodeal, that they never sell or disclose any info that may be obtained from our integration.” That all felt a bit too convenient for us, and was somewhat contradictory to their previous statements.
Tracking users has no place in the VPN industry, and it’s clear that a large portion of the industry is set on exploiting users for their own gain. This is why we do not recommend such services, and why our top picks are always trusted services that work to protect your online privacy without looking to exploit yourself.
Anonymous payment
When it comes to payment options, providers across the board generally offer several options: from credit card and bank transfer to PayPal and cryptocurrencies. However, complete anonymity isn’t always guaranteed here—even when it looks like it.
Researchers found, in fact, that 56% of examined providers offer anonymous payments via Bitcoin and other crypto coins. Yet, many of them (including NordVPN and PureVPN) seem to only allow these types of payment via intermediary companies. “If this is the case, anonymous payment is no longer feasible,” noted the experts. On the contrary, Mullvad uses a unique payment address to make the process more anonymous.
Just 5% of providers also accept the anonymous transaction par excellence: cash. These include Mullvad and ProtonVPN.
As PrivacyTutor’s research shows, not all VPN providers actually care of their users’ privacy. And, while for users simply looking for a good streaming VPN to unlock worldwide content this may not matter much, a failing level of protection can cause more harm than good for whose privacy is essential.
We then recommend users at higher risk checking our secure VPN guide for the latest advice on the safest providers on the market right now. Besides an audited no-logs policy, a good range of secure VPN protocols and security features, also the country where the company is headquartered is something to keep an eye on. We suggest opting for a service based outside the 14 Eyes nations whenever possible.