A wide variety of entities provide VPN services for several purposes. But depending on the provider and the application, they do not always create a true private network. Instead, many providers simply provide an Internet proxy that uses VPN technologies such as OpenVPN or WireGuard. Commercial VPN services are often used by those wishing to disguise or obfuscate their physical location or IP address, typically as a means to evade Internet censorship or geo-blocking.
Providers often market VPN services as privacy-enhancing, citing security features, such as encryption, from the underlying VPN technology. However, users must consider that when the transmitted content is not encrypted before entering the proxy, that content is visible at the receiving endpoint (usually the VPN service provider's site) regardless of whether the VPN tunnel itself is encrypted for the inter-node transport. The only secure VPN is where the participants have oversight at both ends of the entire data path or when the content is encrypted before it enters the tunnel.
On the client side, configurations intended to use VPN services as proxies are not conventional VPN configurations. However, they do typically utilize the operating system's VPN interfaces to capture the user's data to send to the proxy. This includes virtual network adapters on computer OSes and specialized "VPN" interfaces on mobile operating systems. A less common alternative is to provide a SOCKS proxy interface.
In computer magazines, VPN services are typically judged on connection speeds, privacy protection including privacy at signup and grade of encryption, server count and locations, interface usability, and cost.[1][2][3][4]
In order to determine the degree of privacy and anonymity, various computer magazines, such as PC World and PC Magazine, also take the provider's own guarantees and its reputation among news items into consideration.[1][2] Recommendation websites for VPNs tend to be affeliated or even owned by VPN service providers.[5]
VPN Use Cases
Accessing Geo-Restricted Content. VPNs allow users to bypass regional restrictions by masking their IP address and simulating a connection from another country. For example, users in regions with limited streaming libraries can use VPNs to access content available in other locations, such as accessing Netflix US from abroad.[6][7]
Protecting Data on Public Wi-Fi. Public Wi-Fi networks, such as those in cafes or airports, are often unsecured and susceptible to hacking. VPNs encrypt users' internet traffic, protecting sensitive data like login credentials, financial information, and personal communications from potential interception.[8][9]
Ensuring Privacy for Activists and Journalists. Activists and journalists working in restrictive or authoritarian regions often use VPNs to maintain anonymity and protect sensitive communications. VPNs mask IP addresses and encrypt data, ensuring safe access to information and secure communication channels.[10]
Criticism and limitations
Users are commonly exposed to misinformation on the VPN services market, which makes it difficult for them to discern fact from false claims in advertisements.[11] According to Consumer Reports, VPN service providers have poor privacy and security practices and also make hyperbolic claims.[12]The New York Times has advised users to reconsider whether a VPN service is worth their money.[13] VPN services are not sufficient for protection against browser fingerprinting.[14]
Common misconceptions
A VPN does not make one's Internet use private. Users can still be tracked through tracking cookies and device fingerprinting, even if the user's IP address is hidden.[15]
A VPN can log the user's traffic, although this depends on the VPN provider.[15]
A VPN does not make the user immune to hackers.[15]
A VPN is not in itself a means for good Internet privacy. The burden of trust is simply transferred from the ISP to the VPN service provider.[16][17]
In March 2018, the use of unapproved VPN services was banned in China, as they can be used to circumvent the Great Firewall.[18] Operators received prison sentences and were penalized with fines.[19][20][21][22] Russia banned various VPN service providers in 2021.[23]
Comparison of commercial virtual private network services
Privacy
PC Magazine recommends that users consider choosing a provider based in a country with no data retention laws because that makes it easier for the service to keep a promise of no logging.[24]PC Magazine and TechRadar also suggest that users read the provider's logging policy before signing up for the service,[24][3] because some providers collect information about their customers' VPN usage.[25][26]PC World recommends that users avoid free services as a rule of thumb and said free services either sell their users' browsing data in aggregated form to researchers and marketers, or only offer a minimal amount of data transfer per month.[25]
^ abThere is no mention of Avira's VPN logging policy in their privacy policy. However, it is stated in an FAQ section that neither traffic nor IP addresses are logged on their VPN service.[27] It is also stated that bandwidth is logged.[27] When visiting Avira's website, the visitor's IP address is logged by both Google Analytics and the CrazyEgg tool.[28]
^Hotspot Shield claims to collect "anonymous, aggregate data about which websites you visit and which apps you use."[38]
^"We DO NOT keep any record of your browsing activities, connection logs, records of the VPN IPs assigned to you, your original IPs, your connection time, the history of your browsing, the sites you visited, your outgoing traffic, the content or data you accessed, or the DNS queries generated by you."[63] However, in 2017, PureVPN provided connection logs including IP addresses to the FBI for use in a criminal investigation.[64]
^Name and e-mail is required for every payment method.[65]
Whether the users' bandwidth is logged while using the service, according to the service's privacy policy.
Diskless
Whether the service's server hardware is connected to hard drives, according to the service provider. If the servers are diskless, the service provider should be unable to log any usage data.
Whether the service has the ability to immediately sever your connection to the Internet in the event that the VPN connection fails. This prevents a user IP address leak.[149]
Logging
Whether the service stores information about their users' connection or activity on the network, according to the service's privacy policy or terms of service. If logging isn't mentioned in those sections but denied somewhere else on the website, the particular table cell will be marked as "No" in yellow and include an explanatory note.
Privacy Impact Score
An indicator of a website's usage of potentially privacy intrusive technologies such as third-party or permanent cookies, canvas trackers etc.[150] The score can be in the range from 0 to 100, where 0 is minimal privacy impact (best) and 100 is the biggest privacy impact (worst) relative to other web sites.[150] The score also has a simplified letter and colour presentation from A to F where A is "No cookies" and F is "Score above three standard deviations from the average".[150] The metric is developed by WebCookies.org.[150]
Obfuscation
Whether the service provides a method of obfuscating the VPN traffic so that it's not as easily detected and blocked by national governments or corporations.[151][152]
^ abEddy, Max (2018-01-15). "The Best VPN Services of 2018". PC Magazine. Archived from the original on 2018-01-18. It's important to keep a few things in mind when evaluating which VPN service is right for you: reputation, performance, type of encryption used, transparency, ease of use, support, and extra features.
^ abAthow, Desire (2018-01-13). "The best VPN services for 2018". TechRadar. How to test a VPN. Archived from the original on 2018-01-17. We were looking for features, value, and clear and honest pricing. Free ways to learn more about a service - free plans, trial periods, refund periods - were important, and we also looked for companies which maintained your privacy when you signed up (no email address required, trials available without credit cards, Bitcoin available as a payment option).
^""翻墙"网民受罚 中国进一步强化网络管控" [Internet User Fined for Scaling Great Firewall - China strengthens Internet Control]. BBC News 中文 (in Simplified Chinese). 2019-01-11. Retrieved 2020-08-10.
^"Privacy policy". User Experience and Statistics. Archived from the original on 2017-12-31. Information about your use of our website the Cookie generates is usually transferred to a Google server in the USA and saved there. However, before this happens, Google shortens and anonymizes your IP address [...] if located within a member state of the European Union or in other contracting member states to the Agreement on the European Economic Area. The entire IP address is transferred to a Google server in the USA and saved there only in exceptional cases. [...] Information about your use of our website (including your IP address) that Cookies generate is transferred to a CrazyEgg server in the USA and stored there.
^ abcExpressVPN. "ExpressVPN Privacy Policy". Archived from the original on 2018-01-04. Retrieved 2018-01-04. We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration.
^ExpressVPN. "ExpressVPN Privacy Policy". Archived from the original on 2018-01-04. Retrieved 2018-01-04. We collect information about whether you have successfully established a VPN connection on a particular day (but not a specific time of the day).
^ExpressVPN. "ExpressVPN Privacy Policy". Archived from the original on 2018-01-04. Retrieved 2018-01-04. We may know, for example, that our customer John had connected to our New York VPN location on Tuesday and had transferred an aggregate of 823 MB of data across a 24-hour period.
^"AnchorFree Hotspot Shield Privacy Policy". When you launch Hotspot Shield. 2017-11-29. Archived from the original on 2017-12-28. Retrieved 2017-12-28. When you use Hotspot Shield to access the internet, we collect only anonymous, aggregate data about which websites you visit and which apps you use.
^"AnchorFree Hotspot Shield Privacy Policy". When you launch Hotspot Shield. 2017-11-29. Archived from the original on 2017-12-28. We collect your IP address [...]. We may also use your IP address to derive your approximate location [...]. Your true IP address is stored only for the duration of your VPN session and is cleared after your session is closed.
^ abcdeIVPN. "IVPN Privacy Policy". What information is logged when customers connect to our network?. Archived from the original on 2018-03-26. We do not store any connection logs whatsoever. In addition we do not log bandwidth usage, session data or requests to our DNS servers.
^IVPN. "IVPN Pricing". What payment types do you accept?. Archived from the original on 2018-03-26. We accept all major credit cards, Paypal, Bitcoin and cash. However paying with cash is only available when purchasing an annual subscription.
^ abcde"No-logging data policy - Guides / Mullvad". What we don't log. Archived from the original on 2017-12-26. We log nothing whatsoever that can be connected to a numbered account's activity: no logging of traffic; DNS requests; connections, including when one is made, when it disconnects, for how long, or any kind of timestamp; IP addresses; user bandwidth [or] account activity except total simultaneous connections [...] and the payment information detailed in this post.
^"PureVPN's Privacy Policy". 2016-01-15. None of the following records are stored by PureVPN' ... Browsing activity ... Browsing history ... Sites visited ... Content or data accessed
^"PureVPN's Privacy Policy". 2016-01-15. None of the following records are stored by PureVPN' ... DNS queries generated by the user
^"PureVPN's Privacy Policy". 2018-07-30. None of the following records are stored by PureVPN' ... Connection timestamps
^"PureVPN's Privacy Policy". 21 April 2021. We keep track of the total bandwidth consumed by a user to make sure everybody is getting the highest speeds and the best possible experience from our product.
^"PureVPN's Privacy Policy". 2018-07-30. Archived from the original on 2018-07-30. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user.
^U.S.A. v. Lin, p. 22 (D. Mass. 10/03/2017) ("Further, records from PureVPN show that the same email accounts - Lin's gmail account and the teleportfx gmail account - were accessed from the same WANSecurity IP address. Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time."), Text.
^"PureVPN's Privacy Policy". 2016-01-15. Archived from the original on 2017-12-27. Since we are huge believers in anonymity, we have included Bitcoin and Gift Cards – 100% anonymous payment methods – in the payment methods accepted by us.
^ ab"TunnelBear DNS: Protecting Your Privacy and Mauling DNS Leaks". 2017-06-22. Archived from the original on 2017-12-28. Every time you connect to TunnelBear, your DNS requests are directed to TunnelBear DNS servers, so your ISP can no longer see what websites you're visiting. And because we don't keep any records of your DNS, you're the only one that knows your browsing history.
^ ab"A Privacy Policy You Can Actually Understand". 1.5 Operational Data. Archived from the original on 2017-12-28. Understanding how much data people are using is a critical metric for TunnelBear. [...] We felt that overall usage would respect individual user privacy (i.e. no login timestamps [...]) [...].
^NordVPN. "Frequently Asked Questions (FAQ)". Do you offer socks5 proxies?. Archived from the original on 2017-01-13. Yes, we do support Socks5 proxies as well as HTTP proxies (1 HTTP and Socks5 proxy at each of our VPN server destinations).
^"Why can't I send email when on the VPN? / Private Internet Access". 2017-10-31. Archived from the original on 2017-12-27. Retrieved 2017-12-27. Any VPN provider that does not retain logs must block outgoing SMTP traffic due to rampant spam associated with usage of VPN services. With that said, we can whitelist (allow) any outgoing email server that a) require authentication, and b) is correctly setup so as not to be an open relay.
^"PureVPN P2P File Sharing - Break P2P barriers anonymously!". 2014-07-08. Archived from the original on 2018-01-03. Furthermore, we have blocked P2P on some of our servers as per changing Global Web Policy. We don't allow p2p/filesharing where it's illegal by law named United Kingdom (UK), United States (US), Canada, Australia etc.
^"PureVPN Servers". Virtual Servers and When you Should Use them?. 2017-11-11. Archived from the original on 2018-01-04. PureVPN has never denied using virtual servers. To make matters simpler, an update on our Server Location page will state which servers are virtual and which are physical.
^"GhostBear: How to Hide Your VPN From DPI". 2017-07-18. Archived from the original on 2017-12-28. When you turn GhostBear on, it changes your VPN traffic signature to look like a different kind of traffic. To do this, GhostBear uses a technology called Obfsproxy.
^ abcd"Hotspot Shield Privacy Frequently Asked Questions / Hotspot Shield". How does Hotspot Shield secure my Internet connection?. Archived from the original on 2017-12-28. Retrieved 2017-12-28. Turning Hotspot Shield on encrypts all of the traffic between your device and our servers using TLS 1.2 with perfect forward secrecy (ECDHE), 128-bit AES data encryption.
^ ab"AnchorFree Hotspot Shield Privacy Policy". Security. 2017-11-29. Archived from the original on 2017-12-28. We encrypt all of the traffic between your device and our servers using TLS 1.2 with perfect forward secrecy (ECDHE), 128-bit AES data encryption, and HMAC message authentication.