We highly recommend that everyone uses a VPN—there's no doubt about that. Indeed, there are many reasons to always use a VPN online, including but not limited to improved personal privacy.
But not all VPNs are worth using. In fact, some VPNs are so bad that you'd actually be better off not using anything other than routing your traffic through their servers. Here are some warning signs to look out for, plus specific VPN services to avoid if you value privacy.
What Makes a VPN Bad for Privacy?
Not all VPNs are created equal. Here are a few reasons some VPNs are bad.
Country of Origin
Never connect to a VPN server that's located in one of the "Five Eyes" countries. Those are the US, UK, Australia, New Zealand, and Canada. Also, avoid the "Nine Eyes" countries (France, Norway, Denmark, The Netherlands). And avoid the "Fourteen Eyes" countries (Belgium, Italy, Germany, Spain, Sweden).
The governments of these countries either spy on their citizens, spy on each other's citizens, swap such intelligence with each other, or otherwise enable and encourage surveillance in some way. These countries are likely to pressure and acquire intelligence from VPN servers operating in their territories.
Activity Logging
When connected to a VPN, all of your internet traffic is routed through the VPN's server. Some keep minimal logs. This might be the IP from which you connected and the time of your connection. Others keep complete track of browsing habits: websites visited, apps used, etc. Logs are bad because they allow activity to be traced back to you eventually.
Even VPN services that promise "no logging" can't be trusted at face value. They might not participate in "activity logging" but may actually be logging other things. How do you know whether a VPN's no-logging claim is trustworthy? You have to read their terms of service.
Related: Who Can Track Your Data When Using a VPN?
Terms of Service
A VPN service's Terms of Service outlines exactly what you can expect as a user: what kind of activity is forbidden, what's tracked, what's not, and more. When in doubt, you should contact the service and ask questions to determine what their logging policy is really like.
Some things to keep in mind:
- Should they log anything related to your connection, including IP or connection time, then it can eventually be traced back to you.
- If they won't block accounts, even ones that are highly abusive of the system, then there's a good chance the service truly is log-free.
- If they claim they can block accounts without logging information that can identify you as a user, then you should pry into how it works. Most of the time, they won't be able to give you a clear answer, in which case you should assume logs are somehow involved.
Lack of OpenVPN
VPNs can operate using many different "types" of connections. L2TP and PPTP are some of the more popular. But they have glaring flaws that make them poor options for privacy. OpenVPN is the best protocol because it's open-source and offers the strongest encryption of traffic.
Leak Test Failure
Sometimes, your actual connection to the VPN server can be compromised. For example, your PC goes to sleep and doesn't reestablish the VPN connection upon waking, or you switch from Wi-Fi to Ethernet, or your router gets unplugged, and you have to plug it back in.
Even when you're "successfully" connected to the VPN, some of your traffic may not be routed through that connection. This is called a leak, and it undermines the entire point of using a VPN for privacy.
Specific VPN clients are better than others in this regard. So you should periodically check up on this using so-called leak tests: WebRTC Leak Test, IPLeak, and DNS Leak Test, to name a few. Visit each test twice: once without VPN, once with VPN. Your IP addresses should be different both times.
Free Service
One of the most common VPN myths is that free VPN services are good enough. It turns out that free VPNs come with a lot of risks.
The main one is that such services need to pay for servers and bandwidth somehow. If users aren't paying anything, then they need to generate revenue some other way. Most often, this is by selling user data and information. So if you've been asking yourself, "Is Solo VPN safe?," you have your answer.
Free trials for paid services are fine. But unlimited free services are not. So, as with most things, you get what you pay for, and privacy is not cheap. As such, we always recommend paid VPNs over free ones.
Lack of Anonymous Payment
One more thing to keep in mind: if you want to add an extra layer of obfuscation, you might prefer a VPN service that takes anonymous payments. Whereas a credit card or PayPal account can be traced back to you, cryptocurrencies like Bitcoin don't leave such a breadcrumb trail to follow.
Which VPNs Should You Avoid?
It's one thing to speculate whether a particular VPN service is safe or unsafe based on what they say and what they promise. It's something else altogether when a VPN service is caught red-handed as far as tracking activity, keeping logs, selling user data, etc.
If you value your privacy, here are the VPN services to avoid—ones that have been shown and proven to violate user privacy in one way or another.
1. Hola
Back in 2015, Hola was found to do something that no other VPN service does: turn the PCs of its users into "exit nodes," allowing other Hola users to route their traffic through said nodes. Hola sold this bandwidth to a third-party service. A violation this egregious puts Hola squarely in the category of services to NEVER use ever again.
2. HotSpot Shield
In 2017, a privacy group made a claim against HotSpot Shield for "intercepting and redirecting traffic to partner websites, including advertising companies." This claim accused HotSpot Shield of logging connection details, which directly went against its privacy policy.
Additionally, a 2016 research paper had previously found HotSpot Shield "injecting JavaScript codes" and "redirecting e-commerce traffic to partnering domains."
3. HideMyAss
In 2011, the Federal Bureau of Investigation tracked a hacker's activities back to an IP address belonging to the HideMyAss VPN service. The FBI acquired activity logs from HideMyAss and used them to catch and prosecute the hacker. Despite the illegality of the hacker's actions, this incident made one thing clear: HideMyAss does keep traceable logs.
4. Facebook Onavo VPN
In early 2018, it came to light that Facebook's built-in "Protect" feature for mobile apps was really just the Onavo VPN it acquired back in 2013.
Regardless of how effective it is at protecting users, there's one thing that ought to deter you: Onavo will collect your mobile traffic data to "improve Facebook products and services, gain insights into the products and service people value, and build better experiences."
5. Opera Free VPN
In 2016, the Opera browser introduced a new "free unlimited VPN" feature available to all users. But despite the naming, Opera Free VPN is not a VPN in the truest sense. It's more like a web proxy, and Opera does collect usage data that may or may not be shared with third parties.
6. PureVPN
In 2017, the Federal Bureau of Investigation tracked and arrested an alleged stalker after acquiring information on his activity using the PureVPN service. Despite PureVPN's no-logging promise in its privacy policy, it turned out that they kept enough information to be able to identify the accused when cooperating with legal authorities.
7. VPNSecure
Not only is VPNSecure headquartered in Australia (a "Five Eyes" country), but a 2016 research paper found IP leaks and DNS leaks with the service, plus "egress points" for residential users, which is similar to the "exit nodes" concept that sunk Hola above.
The paper suspects but does not confirm that the bandwidth of users may be being used without their knowledge. However, if you want to be safe, you should probably stay away.
8. Zenmate
In 2018, a test by vpnMentor found that ZenMate (along with HotSpot Shield and PureVPN) suffered from IP leaks, which could give away your identity even when using the internet with an established VPN connection through ZenMate. This, coupled with the fact that ZenMate was slow to respond to these findings, makes us wary of their respect for user privacy.
Privacy-Conscious VPNs You Can Trust
As of now, there are only a handful of VPNs with no-logging policies that privacy-minded folks trust. To learn more about what to look for in a VPN, see our advice on how to choose a VPN provider.
We recommend ExpressVPN, CyberGhost, and Private Internet Access.
