Every time you navigate the Internet or simply scroll on your social media feed, you leave behind digital traces. These can be personal information, as a name or address, or records of your online activities such as the websites you visit and movies you stream.
Commercial corporations collect this data to make your life easier, customized, and generally smarter. But hackers may also access them for stealing your identity and threatening your security. According to the Identity Theft Research Centre, cybersecurity incidents increased by 17% during 2021. Thousands have been reported, with several high-profile organizations suffering from data breaches.
If you are worried about your online privacy, you will likely have come across software that appears to magically solve all of your security problems: a VPN. Short for Virtual Private Network, it encrypts and anonymizes your internet connection by masking your internet protocol (IP) address.
But even VPN services can have their own weaknesses. Think about the massive data breach that put more than 69,000 LimeVPN users at risk. Or worse, free services that deliberately sell your sensitive information to third parties for commercial purposes.
So, are VPNs actually safe? Is even the most secure VPN provider enough for protecting your privacy from the mischievous digital world?
How does a VPN protect your privacy?
VPNs use encryption protocols to protect your data from snoopers. Hiding your location and personal information, they make your connection anonymous and private.
Every VPN protocol is responsible for defining how app and server connect with each other as well as the methods used to send and encrypt data. There are several types that VPNs use to secure your flow of information into an encrypted tunnel.
Among them, OpenVPN has historically been the most secure that you can get and many providers offer this protocol. As the name suggests, it’s an open source software meaning that anyone can check if the code is working as it should. Its original design dates back to 2001, but much has changed in the tech world over the last 20 years.
A relative newcomer into the world of VPN protocols, WireGuard is now among the choices offered by many providers – these include Surfshark and Private Internet Access, while NordVPN uses it as a basis for its own NordLynx protocol. On top of that, our testing shows that its connection can be up to three times faster than OpenVPN.
Offering a no-logs policy is another effective way to protect your online privacy. It’s the VPN provider’s guarantee that it will not keep any of your personal data in store.
Some logs are inevitable, but they should be restricted to basic data like the number of users connecting to the same server. Whereas a logging policy that keeps data on your activities is much more invasive. These include browsing history, DNS requests, URLs visited and usage metadata – the kind of stuff that you wouldn’t want revealed in a data breach.
Allowing anonymous payments, like PayPal and Bitcoin, keeps your online banking details safe. Some services don’t even ask for your email address to sign up. Mullvad, for example, allows you to create an account without providing any personal information at all.
And shared IP addresses is another feature that enhances VPN safety. It tricks the system by assigning the same IP address to multiple users from different locations, basically making it impossible to trace you.
Does a VPN service share your data?
Choosing a no-logs VPN is the best bet you have to prevent the service from sharing your data with third parties. Even if the authorities manage to demand access from your provider (in certain criminal investigations, for example), your digital footprint will be protected. This is simply because the company cannot share information that do not exist.
Generally speaking, using a paid service is much better for protecting your online activities – although not even all of those have thorough enough no-logging policies. Many free VPNs use ads that can collect your data for commercial purposes… probably not what you are looking for if you want to be safe online.
And bear in mind that there are some digital traces that even the top services can fail to secure. If you log into something like a web or social media account, you can still be tracked to a certain extent. Some apps keep your location data, for example.
Can a VPN be hacked?
Sadly, even VPNs can have some faults and weaknesses that hackers can take advantage of. In 2021, several security services have been the target for cyber attacks.
For example, cybercriminals managed to leverage a vulnerability on the Pulse Secure VPN entry point to execute malicious codes. After an investigation, the provider seems to have fixed its VPN issue – at least on paper.
In June, it was then the time of the no-logs service LimeVPN. More than 69,000 users’ data was put at risk when a hacker tried to sell them on RaidForums.
Also a bunch of less than reputable Android apps – SuperVPN, Gecko VPN and Chat VPN – failed to protect more than 21 million users. It worth mentioning that SuperVPN had already suffered from a major data breach only a year before.
In 2018, it was a NordVPN data breach to shake the world of cybersecurity. Luckily the hack affected only a single VPN server in Finland, not its central infrastructure. Therefore, the intruder couldn’t access sensitive information like user credentials or billing details.
Since then, the company refined its security controls to prevent similar incidents from happening. This includes carrying out independent audits meant to verify the trustworthiness of its privacy policies.
Are VPNs legal to use?
Except for a few countries where they are banned, VPNs are completely legal. Governments, companies and an ever-growing amount of individuals secure their connections through these services every day.
Any use is allowed, but illegal activities that you may carry on online will still be against the law. For example, some people use VPNs for torrenting in order to hide copyright infringements. But you will not be protected in case you’d get caught.
When it comes to using a VPN for streaming, things are a little bit different. Netflix explicitly states in its terms and conditions of not allowing the use of a proxy or VPN. Although, it’s not a criminal offence to do so. In the worst case scenario, you will have your account suspended – more likely, you would have to simply disable the software to carry on watching.
Ultimately, every country has its own legislations that regulate VPNs usage. In at least 10 countries around the world VPNs are either tightly regulated (China, UAE, Iran) or completely banned (Russia, Turkey, North Korea). We recommend checking your country’s digital privacy laws on this point.
The risk of using a free VPN
Beside having problems unlocking different catalogs on streaming platforms and slowing down your internet connection, the most worrying problem with free services is that they do not often bring the same security protections as paid-for versions.
As research on 283 Android apps showed, 72% of the free services included at least one third-party tracking library against only 35% for the premium versions.
That’s mainly because without asking users a fee, companies need to turn to advertising to make a revenue and keep the software running. And ads do not just disturb your online experience, they are also known to collect your personal information – exactly what you are trying to avoid with a VPN. And in the worst cases, they may infect your device with malware or viruses.
If you are worried for your privacy and like the idea of trying a service before committing fully, most of the top VPNs offer free-risk trials – you’ll need to pay the money upfront but you can get a refund in the first 30 or 45 days by way of a money-back guarantee.
Who owns your VPN provider?
After carefully looking at encryption protocols, privacy and logging policies, there is a last element that you should probably check before making up your mind: the parent company producing your VPN service.
This an area not without its controversies. Research from VPNpro found that only 24 companies actually own or operate at least 104 VPN products available on the market. So, products that don’t initially seem connected can actually be operate by the same company.
The ownership of VPN services seems to keep changing, too. Take popular provider IPVanish, as an example. It was originally founded by the Highwinds Network Group, which was acquired by StackPath in 2017. In turn, it was one of the services then purchased by J2 Global in 2019…a company that subsequently changed its name to Ziff Davis, Inc. Are you following!?
There’s obviously nothing wrong with that – corporations are welcome to acquire and sell as they please – but sometimes the apparent lack of transparency can create confusion and raise questions for VPN users wanting to know exactly who has their data.
VPNs in global jurisdictions
Another potential problem could be when a company operates in countries where strict laws regulating VPN usage are in place – like China, Russia or even the US. These are territories in which VPN providers may sometimes have to comply with government requests under specific investigations to hand over some user data.
The abovementioned IPVanish operates under the US-based Ziff Davis, for example. While PureVPN is owned by security firm Gaditek in Pakistan – a country that has previously passed cyber-crime laws that have sparked concerns among activists and human rights groups for its potential dangers to civil liberties.
The Edward Snowden revelations in 2013 brought under the spotlight the existence of some intelligence-sharing agreements between nations. In addition to the initial Five Eyes Alliance – the US, UK, Canada, Australia and New Zealand – two more agreements have been confirmed (Nine and Fourteen Eyes countries). Among these, the original group appears to be the most interested in your data.
To ensure confidence that your data is as secure as possible, you could consider choosing a VPN that is based outside of these countries.
In fact, many providers choose to set up base in countries wlel know for being privacy havens. These include the British Virgin Islands (where ExpressVPN is based), Panama, Seychelles, The Cayman Islands and Malaysia.
Can you trust your VPN company?
There’s also the potential for a company with a history of vulnerabilities or malicious activities can be hidden behind a different VPN provider name without you not knowing it. Let’s look at Kape Technologies as an example. It changed its name from Crossrider in 2018 after it was reported that people using its platforms were infected with malware.
As the company explained to Restore Privacy: “The Crossrider SDK and development platform was used by tens of thousands of independent developers to create cross-browser extensions, and unfortunately a small number of bad actors misused the platform to develop adware and malware.
“Kape is now a leading privacy-first digital security software provider, with a fully refreshed team.”
In the very same week, the news of ExpressVPN’s CIO Daniel Gericke involvement with Project Raven caused a greater stir still. The UAE cybersecurity operation included the building of a hacking system able to exploit an iPhone’s vulnerability for taking over target devices without needing any clicks or other user interactions. Leading to comments online like this…
If you’re an ExpressVPN customer, you shouldn’t be. https://t.co/l8us92W0BQSeptember 16, 2021
In its official statement, the popular VPN provider explained its decision of continuing being involved with Gericke whilst condemning the UAE’s conduct. They also put in place new practices to verify the credibility of its software.
What are VPN providers doing to ensure your safety?
It may sometimes sound like doom and gloom, but the biggest names across the VPN world are reacting to their vulnerabilities.
Many providers – like Express, Nord, ProtonVPN and Private Internet Access – are investing in different solutions to offer a more reliable and secure product to their users. These include dropping their least secure protocols, increasing the transparency over their policies (with independent VPN audits, for example) as well as improving the software infrastructure.
As TechRadar’s Cybersecurity Specialist Mike Williams explains, a VPN’s security starts at the protocol level. In the past, providers tried to compete by offering more protocols than anyone else, not always putting security as their priority. Due to a shift into the market, their offer is now limited to the safest encryption methods like WireGuard and OpenVPN.
He said: “Trust should be key in your choice of VPN, and that’s something providers understand very well, with many now making significant efforts to improve transparency.”
That’s why Private Internet Access, ProtonVPN, Mullvad, AirVPN and others have fully moved to open-source apps. As a result, anyone can check out the code and see exactly how the software works. Despite ExpressVPN not offering open-source apps, it releases its own encryption protocol Lightway under an open source license.
“The real change is providers finally realizing that shouting NO LOGGING on their website is no longer enough,” sas Williams. “They now understand it’s necessary to provide some supporting evidence, and more and more of them are doing exactly that through public security and no log audits.”
When it comes to significant VPN safety improvements, these aren’t always visible to the end user. They’re hidden away in the infrastructure, how it’s built and organized. And many of those have come about simply as providers learned from their mistakes.
And when it comes to that NordVPN breach, Williams explained: “Since the 2018 data breach, the company has moved to take far more control of its network. Its latest collocated servers are wholly owned and controlled by Nord, allowing to manage every aspect of how its hardware operates.”
Are VPNs safe? What to do to stay secure online
Tips to improve your online security
Use a Tor browser together with your VPN service: Will slow down your connection, but your anonymity will improve.
Change your passwords often: Annoying we know, but a really good security practice. Especially the most important ones, like online banking and emails.
Clear your location footprints: Especially on your smartphone, make sure to go through each app’s permissions and turn off the location services where you can.
So if you were under the impression that VPNs are always enough to prevent hacks and data breaches, they clearly aren’t – but then nor are antivirus or any other regular security tools in isolation. Even though using a good security software can considerably help you mellow the risks, you will never be 100% safe online (sorry!).
Despite this, using a reliable VPN can still make online threats way less dangerous. The biggest providers are investing time and money to make sure their software, privacy policies and transparency are the most secure they can be.
Either way, we suggest that you always take the utmost care when online, preferably sharing less details about yourself at all times – and that’s where using a VPN can really help.