WASHINGTON, D.C. — Most consumer VPN services overpromise what they can deliver and exaggerate their own usefulness, two security researchers said at the ShmooCon hacker conference here last Thursday (March 24).
"Lots of people use VPNs because they don't actually know what they do," said Yael Grauer, an investigative reporter at Consumer Reports. "People are spending a lot of money and they're still getting hacked, or they're spending a lot of money for protections they already have."
James Troutman, a director of technology at Tilson Broadband, was more blunt in his own presentation later that same day.
"VPNs are internet snake oil," Troutman said, comparing them to the worthless miracle cures that traveling salesmen used to peddle at the turn of the 20th century.
VPN claims vs. reality
Like the real snake oil, Troutman and Grauer explained, VPNs claim to resolve all sorts of security and privacy ills, tossing around impressive-sounding but meaningless terms such as "unbreakable security," "true privacy" and "military-grade encryption."
The VPNs may claim in their ads and on their websites that they can protect your PC from hackers, or keep your passwords safe, or make sure that websites can't track you. For that, they claim, it's worth paying between $50 and $150 a year for their services.
In 2021, Grauer and a team from the University of Michigan tested 51 consumer VPN service providers. Along with Consumer Reports colleagues, she made a more extensive analysis of 16 major VPN brands, including CyberGhost, ExpressVPN, Hotspot Shield, IPVanish, NordVPN, Private Internet Access, ProtonVPN and Surfshark. (Grauer and Troutman both warned against using lesser-known VPNs, especially free VPN services that pop up in mobile app stores.)
Grauer found that of the 16 well-known VPN services she analyzed, 12 made exaggerated claims about how much protection they really could provide.
One well-known VPN said "your data will never be compromised" if you used it, Grauer documented in her white paper. Another VPN said it would "protect [you] from hackers and online tracking." A third promised "absolute privacy on all devices," and another guaranteed "anonymous surfing."
Better privacy, but not better security
The fact is, Grauer and Troutman said, that VPNs can't protect you from hackers or malware. While VPNs do increase your online privacy, they're not doing much to make your computers and systems more secure.
VPNs also can't stop your personal information from being disclosed in data breaches. They can't stop websites from tracking you — there are many other ways to track you online besides just following your Internet Protocol (IP) address.
VPNs can't prevent you from landing on phishing sites or from being tricked into giving your passwords to a criminal. They can't "guarantee" your privacy, Troutman said.
"When people ask me if they should use a VPN," Grauer said, "I tell them no, they should use a password manager instead."
However, four of the 16 VPNs that Grauer and her team closely analyzed got high marks for honesty.
IVPN, Mozilla VPN, Mullvad and TunnelBear were clear and accurate about what VPNs could and couldn't do. They also gave potential customers suggestions about other security and privacy best practices they could take, such as using two-factor authentication (2FA) and blocking browser trackers.
What VPNs can do
Both Grauer and Troutman said that there are legitimate reasons to use VPNs, and that for the most part, the better-known VPNs do a good job of making your network connections more private.
VPNs protect against "man-in-the-middle" attacks that you might encounter using open Wi-Fi networks in a coffee shop or hotel, even though the risks of that are small now that most websites use encrypted connections.
VPNs make it more difficult for internet service providers (ISPs) to see which websites you're visiting, although Troutman pointed out that your VPN will be seeing that information instead.
VPNs can help people in repressive countries evade mass censorship, such as Russia's recent blocking of Facebook and Instagram. And, of course, VPNs often (but not always) can let you access overseas Netflix and other services that are geographically restricted.
But, Troutman said, VPNs in practice can't do much to protect specific individuals from state surveillance. National intelligence agencies have means at their disposal that can easily evade the protections a VPN would provide a targeted person.
"Mossad is gonna Mossad," Troutman said.
Grauer and Troutman added that while VPNs do a good job of masking the "old" form of IP addresses, known as IPv4, they don't always work well with IP addresses using the newer IPv6 standard.
That's because many devices' IPv6 addresses are tied to the devices' unique network-hardware information, part of a well-documented network privacy flaw that extends beyond VPN use.
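The hardware tie-in the speakers refer to is the modified EUI-64 scheme, in which a device builds the low 64 bits of its IPv6 address from its MAC address. As an added illustration (not code from the talk or the article), the following Python check spots such addresses on a host and recovers the MAC they expose; the sample address list is constructed.

```python
"""Flag IPv6 addresses that embed a device's hardware (MAC) address.

SLAAC with modified EUI-64 (RFC 4291) forms the 64-bit interface
identifier by splitting the 48-bit MAC, inserting 0xFFFE in the middle
and flipping the universal/local bit. Such an address carries the same
hardware identity onto every network, VPN or not, unless privacy
extensions (RFC 4941) are in use.
"""
import ipaddress


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64-derived IPv6 address, else None.

    Heuristic: a randomly generated identifier can also hold 0xFFFE at that
    position (roughly 1 in 65536), so treat a hit as a strong signal, not
    proof.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02                      # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address to the MAC it leaks, or None if none is embedded."""
    return {a: embedded_mac(a) for a in addresses}


# Constructed sample: the kind of list `ip -6 addr` shows on a Linux host.
SAMPLE = [
    "fe80::211:22ff:fe33:4455",          # link-local, EUI-64 from the MAC
    "2001:db8:1::211:22ff:fe33:4455",    # global address, same MAC, same leak
    "2001:db8:1::9d4e:6c2f:1a8b:77c0",   # RFC 4941 temporary (random) address
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:36} {'leaks MAC ' + mac if mac else 'no MAC embedded'}")
```

Addresses whose interface identifier changes over time and carries no 0xFFFE marker are the ones privacy extensions produce; a stable identifier that decodes to a valid MAC identifies the hardware regardless of which VPN exit it appears behind.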
What's behind the VPN push
Yet the consumer VPN industry has grown to take in an estimated $30 billion per year, partly through repeating unverifiable claims and exploiting consumers' fear of surveillance technology, Troutman said.
One big impetus for VPN adoption was Edward Snowden's 2013 leaks of NSA documents that showed how extensive American data collection could be. Another was the U.S. Senate's 2017 vote to block an FCC rule that would have prevented ISPs from reselling data about consumer behavior. And finally, many security experts and security-focused websites, including Tom's Guide, did and do still recommend using VPNs.
VPN providers launched advertising campaigns around these issues, claiming that only paying for their services could preserve your online privacy. Advertising is still a big part of the industry.
"How many of you listen to podcasts?" Troutman asked the ShmooCon crowd. "It seems that every podcast is sponsored by a VPN."
You can't always count on review websites to provide honest information about VPNs. Troutman and Grauer pointed out that many of the VPN "review" sites you can find through a Google search are actually owned by VPN providers.
Even if a site recommends more than one VPN, recent VPN industry consolidation means that many of the largest brands are owned by the same few companies.
You bought the biggest threat to your privacy
Yet, as Troutman pointed out, the biggest threat to your privacy probably isn't your ISP, or the websites you visit on your PC, or even (for most people) the NSA, CIA, Russians, Iranians or Chinese.
Instead, the biggest threat to your privacy is the smartphone you paid a lot of money for and carry around in your pocket.
It's a state-of-the-art tracking device that constantly transmits thousands of data points about your online activities, your physical location, your travels, your health and your interests to the phone's manufacturer, to your wireless carrier, and to the makers of most of the apps you have installed — "pervasive and sophisticated online user activity surveillance," as Troutman put it.
Using a VPN on your smartphone will temporarily confuse some of these tracking methods, Troutman said, but not for long. There are many other methods of collecting your behavior and information that don't depend on an IP address.
What VPNs really are good for
So is there any downside to using a VPN that stretches the truth? Not that much, other than that you may be paying for something you may not need.
Grauer and her team found that most of the 16 top providers she looked at used strong encryption, had no known security flaws, didn't collect much user information, didn't share information with third parties, and had clear and easy-to-find terms of service.
They also found that if a VPN provider made exaggerated claims in bold letters about the benefits of using its services, those claims were often dialed back in the fine print.
Many of the top providers, however, could be more transparent about whether they log user activity, Grauer said. Almost all VPNs claim they don't log what their users do, but Grauer's team found that the VPN client software used by several top providers kept logs on users' computers.
Many VPNs could also be clearer about how long they keep the user data they do collect, and many don't let users see what has been collected about them.
Who should use a VPN?
So should you use a VPN? It depends on what you want to use it for, said Troutman. Many ISPs keep logs of customer behavior for years, and if that bothers you and you can find a VPN that you trust more than your ISP, go ahead and use it.
Frequent travelers who need secure connections while abroad will also need VPNs, although streaming content across national borders isn't as reliable as it was a few years ago. And if you're doing anything illegal in the country you happen to live in, a VPN should just be the first step in masking your online activities.
But for the average home user who isn't concerned about what their ISP knows and doesn't need to access streaming services from overseas, paying for a VPN might not be worth it.