Many widely used, popular VPN services fall short of their hype. A recent investigative analysis by Consumer Reports shows that buyers should beware of companies that overpromise and underdeliver.
Smart consumers need to understand why they want a VPN and where it fits in their overall security posture before they make a purchase. VPNs remain a useful layer of protection, but they are no substitute for a vigilant cybersecurity mindset.
Consumer Reports Analysis
The Consumer Reports Digital Lab partnered with a team from the University of Michigan to analyze 16 VPNs (chosen from an original list of 200). Their primary goal was to review each provider's data security and data privacy practices. They also analyzed the way the companies' websites marketed their products to users. All testing was completed on Windows 10.
Generally speaking, Consumer Reports analysts agreed that the entire VPN ecosystem lacks accountability due to an absence of good industry security standards and a lack of oversight.
Half of the reviewed VPNs did not have a current, public, third-party security audit available, and only 5 of the 16 products analyzed were open source. For the closed-source clients, independent security researchers cannot read the code to look for security flaws; they are left trusting the vendor's own claims (and an audit, where one exists, only describes the code as it was on the day of the audit).
CR researchers also investigated password safety for all 16 VPNs. They found that 6 had login flows that were weak in one of two opposite ways: either they allowed brute-force password guessing, or they could be abused to lock a legitimate user out of their own account (an attacker who knows a username can trigger the lockout on purpose). Three of the services allowed 30 incorrect password attempts without triggering any kind of defense, such as a CAPTCHA.
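The two failure modes above pull in opposite directions: no throttling invites password guessing, while a hard lockout after a few failures hands an attacker a denial-of-service against the account owner. The following is an added example (not code from Consumer Reports or from any of the VPN providers) of a login throttle that avoids both. It counts recent failures per username and per source IP and, past a threshold, demands a solved CAPTCHA instead of locking the account, so the real owner with the right password can always get in. The thresholds, the user table and the attacker/owner addresses are constructed for the example.

```python
"""Added example: login throttling that resists brute force without enabling lockout DoS."""
import hmac
import time
from collections import defaultdict

# Policy values are assumptions for this example, not figures from the CR report.
CAPTCHA_AFTER_FAILURES = 5
WINDOW_SECONDS = 15 * 60

# Constructed user table: username -> password. Plaintext only to keep the example
# short; a real service stores a salted, slow password hash (argon2, scrypt, bcrypt).
USERS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    """Counts recent failures per username and per source IP.

    After CAPTCHA_AFTER_FAILURES failures on either key within WINDOW_SECONDS,
    further attempts must carry a solved CAPTCHA. The account is never hard-locked,
    so an attacker who knows a username cannot lock the real owner out by
    spraying bad passwords at it.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can freeze time
        self.failures = defaultdict(list)  # key -> timestamps of recent failures

    def _recent(self, key):
        now = self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return len(self.failures[key])

    def captcha_required(self, username, src_ip):
        return (self._recent(("user", username)) >= CAPTCHA_AFTER_FAILURES
                or self._recent(("ip", src_ip)) >= CAPTCHA_AFTER_FAILURES)

    def record_failure(self, username, src_ip):
        now = self.clock()
        self.failures[("user", username)].append(now)
        self.failures[("ip", src_ip)].append(now)

    def record_success(self, username):
        self.failures.pop(("user", username), None)


def login(throttle, username, password, src_ip, captcha_solved=False):
    """Returns 'ok', 'bad_credentials' or 'captcha_required'."""
    if throttle.captcha_required(username, src_ip) and not captcha_solved:
        return "captcha_required"          # the guess is never checked against the password
    expected = USERS.get(username, "")
    # Constant-time comparison; unknown usernames take the same path as wrong passwords.
    if username in USERS and hmac.compare_digest(expected.encode(), password.encode()):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, src_ip)
    return "bad_credentials"


def guesses_before_challenge(wordlist, username="alice", src_ip="203.0.113.7"):
    """Simulates a dictionary attack and returns how many guesses were actually
    checked against the password before a CAPTCHA was demanded."""
    throttle = LoginThrottle(clock=lambda: 0.0)  # frozen clock: every attempt is "recent"
    checked = 0
    for guess in wordlist:
        result = login(throttle, username, guess, src_ip)
        if result == "captcha_required":
            break
        checked += 1
        if result == "ok":
            break
    return checked


def owner_still_gets_in(attacker_ip="203.0.113.7", owner_ip="198.51.100.9"):
    """Attacker sprays 30 bad passwords at alice; the owner then logs in from her
    own address with the correct password and a solved CAPTCHA. With a hard
    lockout policy this would fail; here it succeeds."""
    throttle = LoginThrottle(clock=lambda: 0.0)
    for i in range(30):
        login(throttle, "alice", f"guess{i}", attacker_ip)
    return login(throttle, "alice", USERS["alice"], owner_ip, captcha_solved=True)


if __name__ == "__main__":
    print("guesses checked before CAPTCHA:",
          guesses_before_challenge([f"guess{i}" for i in range(30)]))
    print("owner after 30-attempt spray:", owner_still_gets_in())
```

Against a 30-word list the attacker gets 5 guesses checked, not 30, and the owner still logs in afterwards. A per-IP counter alone is not enough (credential stuffing is distributed across many addresses), and a per-user hard lock alone creates the lockout problem, which is why the example keys on both and answers with a challenge rather than a refusal.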
Two of the services tested were still using the Point-to-Point Tunneling Protocol (PPTP), a deprecated 1990s technology with serious, well-documented security flaws: its MS-CHAPv2 authentication can be cracked offline, and its MPPE encryption is built on RC4. Remarkably, one of these services claimed it provided "military-grade encryption."
Most VPNs collect data about their customers to use in marketing. Finding out the details of how your data is used is harder with some services than with others. Transparency reports on what user data is shared with governments are also rare.
When shopping for services, look for VPNs that provide a high level of user control of data. You want to be able to request what data a service has. Most do not do this, except for users in Europe and California where GDPR and CPRA require it.
There are a few VPN services that promise (and appear to deliver) on only collecting and storing the bare minimum of data for functionality.
VPN providers make a lot of unrealistic promises. From the relatively innocuous claim of "unrivaled anonymity" to the major red flag of "military-grade encryption" (a marketing phrase with no technical meaning; the AES it usually refers to is the same standard cipher every browser already uses for HTTPS), the majority of VPNs analyzed cannot possibly deliver on what they are promising.
The fact is that complete anonymity and total blocking of ad tracking are not possible through a VPN alone. No one is "digitally invisible."
Several of the analyzed companies were more realistic in their claims. They honestly promoted their services as a means to be “more anonymous online” and to be “less easily tracked.” CR’s most highly recommended services also use space on their websites to remind customers of all the other ways to stay safe online.
Be Clear About Why You Are Buying a VPN
VPN marketing can make users overly nervous about activities that are relatively safe. In the 2020s, your average browsing session (online banking, checking email, watching YouTube) is done over HTTPS, so the contents of those connections are already encrypted end to end between your browser and the site. A typical at-home session online is well guarded by that standard encryption plus a WPA2/WPA3 password-protected Wi-Fi network.
What HTTPS does not hide from your ISP is metadata: which hosts you connect to (visible in DNS queries and the TLS server name field), when, and how much. If you want to prevent your ISP from collecting or selling that data, it's reasonable to invest in a high-quality VPN, and a VPN is also useful if you frequently use public Wi-Fi while traveling. But remember that a bad VPN can actually make you less safe online. Instead of your ISP collecting (and maybe selling) your data, now a VPN service is doing it, and it sees exactly the same metadata your ISP used to see. Be alert to whom you choose to give this data.
One exception is your company-provided VPN. If you're working anywhere outside the perimeter of your office (at home, a coffee shop, the airport), access to the private company network should only be available through its VPN service.
A Layer Cake of Protection
Don’t fall into a false sense of security just because you are purchasing a “safety product.”
A VPN is a good start. But remember that a VPN only hides your IP address from the sites you visit and your traffic from your local network and ISP, and IP masking is not synonymous with anonymity. You can still be tracked in other ways: cookies, browser fingerprinting, and the accounts you log in to identify you just as well through a VPN as without one. And you're still vulnerable to malware and phishing, because the VPN tunnel carries a malicious download or a fake login page exactly as faithfully as it carries everything else.
The best security practices cannot be sold. It's hard to market the benefits of multi-factor authentication. There's no sleek website reminding you to update your software and enable HTTPS-only mode in your browser. And where's the spokesperson for not clicking on the link in that fake "FedEx" tracking email?
We all wish that cybersecurity was as simple as buying a product and plugging it in. But even the best VPN is just one layer in the cake. Fortunately, most of the other security practices are free and simply require an alert mindset and consistent practice.
Consumer Reports shared all of their findings in a lengthy white paper. The report provides recommendations for the best service providers based on their stringent standards and thorough analysis. They ultimately conclude that while every VPN provider could do better in some area, there are some that are worth your money as they exist now.