VPN privacy: more than 70% of providers are breaching GDPR

Many VPNs don’t take their users' privacy very seriously

VPN services have increasingly become an essential tool for securing your online privacy during everyday browsing. Short for virtual private network, a VPN is versatile software that spoofs your IP address and encrypts the data leaving a device.

However, the level of protection offered differs significantly from provider to provider. That’s why researchers at PrivacyTutor examined 144 services to understand how serious these companies actually are about the privacy of their users.

The findings paint a pretty grim picture across the industry considering that, among other things, over two-thirds of the providers analyzed currently violate GDPR provisions.

VPNs and tracking cookies

Web tracking refers to the collection and sharing of information about a specific internet user’s online activities. Web trackers hide in the code to gather data in the background for different purposes like running ads, analytics, and profiling.

Researchers found an astonishing number of tracking cookies lurking across the great majority of VPN providers' websites and Android apps. Many companies didn’t even give users the option to opt out of this tracking, in complete breach of current GDPR rules.

“If VPN providers use cookie-based tracking and web analysis services such as Google Analytics, this is only permitted with prior express and voluntary user consent according to Section 25 (1) TTDSG,” attorney Phil Salewski of IT-Recht Kanzlei Munich told the researchers. “In case the consent is not obtained before or not given voluntarily, there is a violation of applicable data protection law.”

Even worse, in our view, individuals ready to make a purchase to improve their privacy online were actually achieving the opposite and were tricked into thinking they would be safe from snooping.

Around 72% of VPN services (104 out of 144) were guilty of not complying with data protection laws by failing to ask for consent to tracking cookies. In some cases, like with HideMy.name VPN, the website set cookies like Facebook or Google Analytics even when researchers didn’t give their consent to tracking. Only 24% (34 providers) do not use any tracking cookies on their website.

Researchers also found a huge number of different types of web trackers hidden in the code of many Android VPN apps—79% of services analyzed use trackers in their Android app, with an average of 3.4 trackers each. The numbers are sometimes way higher. For example, the iTop VPN app counts 17 of them. Unfortunately, it wasn’t possible to check the same for iOS apps.

Overall, only 12 providers were completely tracker-free on both websites and apps. These include Mullvad, AirVPN, and ProtonVPN. Our experts run similar tests on a regular basis, too. According to our results, Hide.me and Windscribe also had no trackers on their websites or apps.

Failing no-log VPN promises

Another feature that tells a lot about the degree of protection of a VPN is whether or not the software collects users' usage data.

Swedish-based Mullvad VPN has recently proved its no-log promises in real life after being hit by an inconclusive police raid. The police's intent was to seize computers containing customers' personal information, but officers left empty-handed as no user details had been stored.

A no-log VPN means that, apart from some functional data, the provider doesn’t store any information on users' activities. That’s important because, even in the case of law enforcement requests or data breaches, there won’t be anything to share.

There are countless VPNs out there calling themselves no-logs. Yet, just a tiny fraction of providers actually back up their promises with an independent security audit.

To be precise, out of the 80% of the VPN services claiming to not store any usage logs, only 17% of them have had an external audit on their privacy policy.

Our top three favorite services right now—ExpressVPN, NordVPN, and Surfshark—regularly test their no-log claims, with Express undergoing 11 independent audits in 2022 alone.

On top of this, some providers tout a no-logs policy, but a closer inspection of their privacy policies shows tracking from third-party partners. The official party line seems to be "we’re not logging your data" but someone else is.

One example of this is Planet VPN (also known as Free VPN Planet and Planet Free VPN). On its Privacy Policy, it notes, “Our VPN app may show ads in Free Mode, by accepting this Privacy Policy you also accept Privacy policy of our Ad partner.” It links out to the Privacy Policy for Appodeal which offers a hefty list of tracked information, including:

“Internet protocol (IP) address, cookie identifiers, mobile advertising identifiers, and other device identifiers that are automatically assigned to your Device when you access the Internet, location data, browser type, operating system, Internet service provider, pages that you visit before and after using the Website or our Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view on our Website, and other actions taken through use of the Website or Services such as preferences.”

All in all, it feels like quite an underhanded approach to us. When we spoke with a spokesperson for Planet VPN, they claimed: “As for the privacy policy, we openly state that our partners may collect data for advertising purposes. We run those ads to keep the service alive. This is a common practice in the world of technology. Additionally, we believe that data collected by our partners do not un-anonymize users in any way.”

Common practice or not, that doesn’t excuse the fact that it flies in the face of the intended use of the service—privacy.

After some back and forth with the representative, they noted that “As of now we have an agreement with Appodeal, that they never sell or disclose any info that may be obtained from our integration.” That all felt a bit too convenient for us, and was somewhat contradictory to their previous statements.

Tracking users has no place in the VPN industry, and it’s clear that a large portion of the industry is set on exploiting users for their own gain. This is why we do not recommend such services, and why our top picks are always trusted services that work to protect your online privacy without looking to exploit you.

Anonymous payment

When it comes to payment options, providers across the board generally offer several options: from credit card and bank transfer to PayPal and cryptocurrencies. However, complete anonymity isn’t always guaranteed here—even when it looks like it.

Researchers found, in fact, that 56% of examined providers offer anonymous payments via Bitcoin and other crypto coins. Yet, many of them (including NordVPN and PureVPN) seem to only allow these types of payment via intermediary companies. “If this is the case, anonymous payment is no longer feasible,” noted the experts. By contrast, Mullvad uses a unique payment address to make the process more anonymous.

Just 5% of providers also accept the anonymous transaction par excellence: cash. These include Mullvad and ProtonVPN.

As PrivacyTutor’s research shows, not all VPN providers actually care about their users' privacy. And, while for users simply looking for a good streaming VPN to unlock worldwide content this may not matter much, a failing level of protection can cause more harm than good for those whose privacy is essential.

We therefore recommend that users at higher risk check our secure VPN guide for the latest advice on the safest providers on the market right now. Besides an audited no-logs policy and a good range of secure VPN protocols and security features, the country where the company is headquartered is also something to keep an eye on. We suggest opting for a service based outside the 14 Eyes nations whenever possible.

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
