Episode #44: Choosing a VPN Provider, 2021 Edition
Different Threats, Different Technology, New Mobile Apps, and More.
Privacy, Not Illegality
There are some people who believe that if they’re doing nothing “wrong” or “illegal” that there’s no harm in companies collecting their data.
I’m not one of those people.
Instead, I’m one of those people who believe that privacy is a foundational, human right, especially if we’re doing nothing “wrong” or “illegal”. Take, for instance, driving our cars…
Even if you weren’t doing anything illegal, would you be comfortable knowing that a company was keeping track of exactly where you drove and for how long your car was parked at every location? This kind of data collection about your day-to-day behavior rightly sounds outrageous.
And yet: this is exactly what’s happening to us when we go online. As a result, one of the tools I use to reclaim some of my digital privacy is a VPN.
Two years ago, back in Episode #7, I covered the topic of how to properly choose a VPN (or “Virtual Private Network”) provider. It was an early and popular topic because - of all the subjects I write about - VPNs generate the most questions from my readers and clients. In fact, it was your questions that caused me to write about VPNs again. In Episode #24, I explained what VPN software actually is, how it works, and what it can and can NOT do.
Today, I’d like to focus on how VPN technology has changed, which providers have changed with it, and those companies I either use personally or recommend for my readers.
Let’s start with why I use a VPN service in the first place. So bear with me for a moment as we examine something I call “The Data Landscape”.
The Data Landscape
We now live in a world that is full of data: texts, emails, phone calls, website log-ins, GPS coordinates, social media posts, Wifi networks, smart home devices, and more.
In 2020, we produced 2.5 quintillion bytes of data per day. That’s 2.5 million terabytes (or “TB”) of data each day. That number will rise as more of the world becomes digitized and as we integrate more and more digital devices into our lives. Because we’re swimming in an avalanche of data, it’s important to understand just how much personal data is available about each one of us.
It’s also crucial to understand who has access to which of our data.
Collecting & Accessing Your Information
Your Internet Service Providers (or “ISPs”) have access to certain information about you, including when you connect to the Internet, the websites you visit, and how long you spend on those websites. While your ISP might not need to access those data, they can be, and are, obtained when required.
Your landline and cellphone providers log every call that you make and receive. Logs are kept for one or more years to comply with the law. We also all keep call history data on our devices, which we may or may not want to purge from time to time should anyone gain physical access to our smartphones.
“Free” email providers like Google, Yahoo, AOL, and others have historically used artificial intelligence to scan your personal emails for keywords (not content, we’re told). Data about those keywords are then sold to advertisers so they can better advertise to you. Google pioneered this service and - although they changed this policy back in 2017 - as of 2018, the company was still allowing hundreds of app developers to scan millions of its users’ emails. #Barf
“Free” social media platforms like Facebook, Twitter, Instagram, and WhatsApp scan your posts for data about you. Then, they sell aggregate data that they’ve collected about all of you to advertisers. Facebook says that the data it sells isn’t specific to you. However, it still collects and keeps critical information about you like your: age, gender, political party, religion, income, number of children, sexuality, medical conditions, and more. Much, much more.
If we take the time to read the fine print before using any digital service — and we should — we’d see that companies actually disclose how they collect, share, or sell our information. But what about those companies that don’t? Because guess what, kids: sometimes your data can be collected and sold without your consent.
Grab a whiskey and have a seat…
Selling Your Information
In 2017, the US Congress voted to allow US ISPs to sell their users’ browsing data without their consent. Not only was this a violation of previously held FCC rules and protections, but the FCC was banned from changing the rules back again to favor stronger consumer protections. #Sigh
Giving Over Your Information to Authorities
Every technology company gets requests from law enforcement to hand over data from its users. Over the past decade, the number of requests from US law enforcement agencies has risen by more than 20x.
The chart above (linked here) reflects all of the requests that Google receives from US Law Enforcement Agencies. This data isn’t hard to find: just do a search for “transparency report” followed by the name of the company in question. Soon, you’ll land at reports provided by Apple, Microsoft, Facebook, Twitter, and others.
If you review these reports, you’ll notice a few trends:
The number of requests from the government about our personal data is growing massively.
Tech companies are complying with a growing number of these requests.
There are good and reasonable situations when certain companies might collect certain data about us. For example, knowing some of our data might make our shopping experiences easier; they might make our smartphones or tablets work better or safer; they might help make our driving experience safer, and they can help save us when a natural disaster strikes.
But left unchecked, unregulated, and unpoliced, the vast amount of data being collected about us can result in an increasingly-pervasive surveillance state.
It’s a careful and delicate balance which these two quotes help illustrate:
“Big Brother may be watching you, but he has your best interest at heart. In the evolving science of natural disaster prediction, collecting lots of data makes the impossible a little easier.” — Amanda Maxwell
“Every time you interact with the company, you should expect that the company is recording that information and connecting it to you.” — Elea Feit
A 2019 report from the Wharton School makes the detailed case that our data is not only collected, sold, and shared but that companies are intentionally misleading about those practices. Therefore, until better regulation and policing can be implemented at the governmental level, citizens are forced to take more and more precautions in order to retain various aspects of their privacy.
The good news? Technology tools aren’t just for large companies anymore. In the past decade, as technology has become more integrated into our lives, the free or low-cost tools for safeguarding our privacy and security have also become more readily available.
Today we’ll focus on one of those tools: VPN software.
Reclaim Some of What We’ve Lost
There are many low-cost or free tools to prevent data collection and protect our privacy. For example, to prevent Google or other email providers from reading your email, use the free or paid service from Proton Mail, a very secure email service that I highly recommend. Similarly, to prevent your phone company from logging all of your incoming and outgoing phone calls and texts, use the free and open-source Signal application instead of your smartphone’s default apps to communicate with others.
Lastly, to prevent your ISP from being able to log every website you visit, use a reputable VPN provider.
What Is It?
A virtual private network (or VPN) is a tool — comprised of hardware and/or software — which allows specific people to have access to specific data stored on specific servers in specific locations. Businesses around the globe have used VPNs for years to take advantage of this concept.
By setting up and using VPN software and hardware, a company can permit employees to access the company’s network even if they aren’t physically at the office. Being virtually on the company’s network allows employees to gain access to company servers, information, printers, and more. For most of us, VPNs have made remote work during the pandemic possible.
How Does It Work?
The top half of this illustration - the part boxed in green - shows how using a trusted VPN provider keeps your internet data encrypted (or protected) from the prying eyes of your ISP. That works because - once you’re logged into your trusted VPN provider - you are assigned an IP address from that provider and NOT from your ISP.
The bottom half of the illustration - the part boxed in red - shows how surfing the web without a trusted VPN provider exposes our surfing data to our ISP.
You’ll note that connecting to a trusted VPN provider is not necessarily encrypted. That means our ISPs are able to track and log the IP address and website of our VPN. Any website you connect to after you’ve connected to your trusted VPN provider will NOT be visible to your ISP. Instead, all they’ll see is the IP address your VPN has provided to you and that you’ve remained connected to your VPN server for a period of time.
What Can It Provide?
Using a trusted VPN provider every time you connect to the Internet can help you reclaim some of your privacy. But there are other, fun benefits as well…
Stop Your ISP From Prioritizing Certain Content
Some Internet Service Providers make mountains of money by arbitrarily deciding that they’ll prioritize certain websites or content. In 2014, Comcast - one of the largest ISPs in the United States - famously slowed down the speed of Netflix so much that the company paid Comcast a hefty fee to stop the practice. That’s also creepy, so no, thank you. Using a trusted VPN provider can help prevent this from happening to you.
Bypassing Blocks to Certain Content
If you live in a repressive country (cough, cough, CHINA) that doesn’t allow Internet access to subjects like a free press, women’s rights, LGBTQIA rights, or certain types of social media, then using a trusted VPN provider can — in some cases — allow you to access those kinds of websites. Countries like China regularly block VPNs from being used, however… VPN providers are always adding new servers with new IP addresses, so the cat & mouse game continues.
Streaming Video from Another Country
If you’re a paying Netflix customer in the US but travel abroad and want access to Netflix’s American library… sorry. You won’t be able to do that. But… if your VPN service offers servers that are geographically located in the US, then guess what?! All of that content is suddenly available to you, once again. It’s the same story if you’re attempting to access the free programming on the CBC or BBC but happen to be outside of Canada or the UK at the time. Thanks, VPNs!
How To Choose The Right VPN
Let me start by reminding you that you should not trust me. Or anyone, really. Instead, you should do your own research and confirm what I’m telling you.
I began my research by reading about the technology, learning from other researchers and then finding websites that would compile and compare the features that each VPN provider offered. One fella I came to trust posted his comparisons on his website, but he was bought out by a larger company in November of 2020 and his comparison spreadsheets are now gone, replaced by sales pitches.
Thank goodness for the “Wayback Machine”, one of my favorite tools on the Internet. It’s a website that takes snapshots of websites and then saves those snapshots - which function like full websites - for posterity. Thanks to them, I can point you to that website here in July of 2020, just prior to the website changing. Worth noting: the data there (which is still downloadable!) is dated July 20, 2020, so some of it is not up-to-date.
Fortunately, other researchers have taken up the cause. You can find new data being collected and posted here at this link.
Of the hundreds of VPN providers, only a few provide service based on the key principles of privacy, anonymity, convenience, and security. Using these four principles as a template, I recommend that you only choose a trusted VPN provider which:
Keeps NO logs of the websites or the IP addresses that its customers visit, for privacy, and has been audited to prove that claim.
Is NOT headquartered in the United States, to avoid scrutiny by the US Government and its intelligence apparatus.
Is NOT a member of the 5, 9, or 14 eyes security agreement, also to avoid scrutiny by the US government, its intelligence apparatus, and its international partners.
Offers servers physically located in at least 8 to 10 different countries, both for convenience and security.
Allows for at LEAST 5 different simultaneous connections on your account, so you can have your computers and mobile devices all connected simultaneously.
Offers a connection using the “OpenVPN” standard, considered a top protocol for security. Bonus, if they also offer the Wireguard protocol, a newer and faster technology.
Uses an SSL Certificate, an essential for security.
Offers a free trial and/or a money-back guarantee after at LEAST 14 days, for convenience.
Supports ALL popular devices and OSs including Macs, PCs, Android, and iOS devices.
Allows payment using both credit cards AND cryptocurrency or gift cards, for anonymity.
I’ve listed the small handful of providers below that meet all ten of these criteria. Click on any company name (the link is bolded) to visit their websites and learn more. Expect to pay $3–10/month depending on the plan you decide to purchase. I respect these companies enough that I elected to become an affiliate with most of them. That means if you purchase a VPN plan using my links, I receive a small commission of the sale as a “thank you” for recommending them. Those tips, when added up, help me earn my living, so thank you, in advance for supporting my research and writing.
NordVPN, (affiliate link) headquartered in Panama, is the VPN provider that I personally use. For years, I’ve relied on Nord’s ease-of-use and powerful features. With more servers in more countries, Nord usually ranks in top 10 lists for its speed, features, and security. Nord’s smartphone apps are easy to use, something that made it easier for me to adopt using VPNs on my mobile devices. Nord offers Wireguard, the newest and fastest VPN software protocol. Lastly, Nord’s been audited by PwC - twice - to confirm that they don’t keep logs of their customers’ web browsing habits. Priced at less than $5/month for a two-year plan, it also won’t break the bank.
SurfShark, (affiliate link) headquartered in the British Virgin Islands (BVI), offers something the other companies on this list cannot: unlimited installs. That means you buy one plan and can install their software on as MANY devices as you like, including computers, smartphones, tablets, etc. They are also cheaper than Nord, a nice bonus. Plus they’ve been audited once in 2018 and then a second time in 2021. Nice.
ExpressVPN, (affiliate link) headquartered in the British Virgin Islands, is one of the most popular and trusted VPN providers on the planet, with servers in 94 different countries and live 24/7 tech support (a very nice touch!). They have also been audited by PwC to confirm that they don’t keep logs of customers’ web browsing habits.
ProtonVPN, headquartered in Switzerland, is offered by the very same company that offers the highly secure ProtonMail service. Proton can’t offer the fastest VPN connection speed or servers in the most countries, but they offer something most providers do not: a free tier with limited speed and service. Good for them; I love this.
VPNarea, headquartered in Bulgaria: a smaller company providing better service, so I’ve read. Their speeds aren’t the best, but the country of Bulgaria has strict data retention and “No Logs” laws. While the company provides its users with servers in other countries, there aren’t as many as some of their competition. Still, a great choice for the average user.
CyberGhostVPN, headquartered in Romania, is no longer active as a company. They used to offer notoriously fast VPN speeds at a very affordable price depending on the plan you decide to purchase. While they were audited regarding their logging practice, that was almost a decade ago, an eternity in the world of tech, so proceed with care.
Previous Choices I No Longer Support:
In the 2+ years since I wrote this episode, some key recommendations have changed. Here’s what happened and why I changed what I’m recommending:
SaferVPN, which was headquartered in Israel, was a great choice until they merged with another company, StrongVPN. As this company is headquartered in the United States, I can no longer recommend its services. Ditto for IBVPN, another VPN company I’d used previously that merged with StrongVPN.
BlackVPN, headquartered in Hong Kong. Given that the Chinese government now controls the once-independent city, I cannot recommend that anyone use their product. China is one of the biggest state sponsors of malicious hacking globally. No one should trust “privacy” or “security” software that comes from any region controlled by an authoritarian regime.
Cactus VPN, previously headquartered in Moldova, is now headquartered in Canada. As such, I cannot recommend their services: Canada is a signatory to the Five Eyes security agreement with the US and other nations, allowing them to share data.
Caveats to Consider
Different Strokes for Different Folks
Some of you might have different security and privacy priorities than I. No matter your particulars, just know them before you go shopping for a trusted VPN provider. I use a VPN to avoid my ISP being able to log where I surf online. Any of the most popular VPN providers will be able to offer that. But…
There are those among us who require a VPN for more humanitarian or life-threatening reasons. Some of you might want to be able to freely surf the web in China, Turkey, Russia, or other oppressive regimes; those of you who are journalists might need a VPN to get online and log an important or highly-sensitive story; others might want to access websites that your school, work, or government have decided aren’t appropriate for you.
And some of you enjoy downloading media via torrent or Usenet files. #UsuallyIllegal
Find a trusted VPN provider who can help you accomplish your (legal) goals. The list I’ve provided includes companies that will allow you either to sign up for a free trial or take advantage of a money-back guarantee if you’re not satisfied.
The Limitations of VPNs
Using a VPN provider is just one ingredient in a larger recipe of good security practices. Learning and practicing good security “hygiene” is extremely important. Using a VPN won’t protect you if you surf to a non-secure website (those which start with the prefix HTTP, not HTTPS), click on a malicious email link from a total stranger, or post something offensive on social media.
It’s also important to understand that having privacy is not the same thing as having security or anonymity:
Privacy: the condition I have when others cannot observe what I am doing. For example, I have privacy in my home, because no one can see me when I close the door and the shades.
Security: the feeling of safety I have in my home. I have that feeling because I’ve invested in security measures and devices to prevent unwelcome strangers, theft, or damage.
Anonymity: the fact of my identity not being known by others, even when going about my business. For example, as I’m not famous, when I leave my home, others do not know my name, profession, or identity beyond what I wear in public.
Using a VPN can provide you some welcome privacy, but it cannot provide you security or anonymity. If you seek anonymity, then I recommend using the Tor Browser. Like all technology, Tor has its own limitations but it’s 100% free and well-regarded.
Caveat emptor, as the wise man once said!
And that’s a wrap for today’s episode, everyone. Thanks again to my subscribers for subscribing and supporting independent technology journalism. For those who have NOT yet become paid subscribers, I invite you to do so now.
As a reminder, please: use this link to share my Substack newsletter with your friends, family, and colleagues. It’s a quick way you can help me spread the word about this newsletter.
Thank you and, as always…