VPN providers - Which one to choose?
- Introduction -
- Grading of VPN providers -
- ExpressVPN -
- IPVanish -
- SurfShark -
- VyprVPN -
- Non-responsible claims of VPNs -
- Summary -
Introduction
Using a VPN can help you bypass geographical blocks, hide your real IP address, and hide your internet traffic from your internet service provider. However, you should always remember that it is the VPN provider that encrypts your traffic and hides your IP, so if they want to, they can actually see your unencrypted traffic and your real IP address, and they do have a reason to do that: selling them to advertising platforms for profit.
If you don't want anyone to spy on you, you can always use Tor to encrypt your traffic, which is slower but more secure, as you don't need to trust the relays - they do encryption hop by hop, so they can't see your content. However, Tor's exit nodes are public, which means websites can easily block users who access them using Tor.
So, if you want to visit websites that block Tor but still want to be private, you need a VPN. That's why this review was born: to help you get a trustworthy one. So let's start! (Also check out the ratings of different providers here from the table below.)
Grading of VPN providers
The VPN providers are graded on several factors, listed below. The highest grade I can give is A+, the lowest is C-.
- Not higher than B+ if they use trackers like Google Analytics.
- Not higher than C+ if they need your phone number, physical address or other info that is non-anonymous.
- Not higher than B+ if they collect usage data (which is vague, as usage data is defined by them).
- Not higher than B if they are behind Cloudflare, see here for details about how it sucks.
- Not higher than B if they use Google reCaptcha/hCaptcha, which can be used to track users.
- Not higher than C+ if they share users' VPN data with third parties.
- Not higher than B- if they don't accept bitcoin/cash for a paid service.
- Not higher than B if they don't support OpenVPN/WireGuard, which is pretty basic.
You may wonder why I didn't include 'features' as a rating factor. It's because most features, like dedicated IPs and multi-hop VPN, are pretty useless and will even harm your privacy. Check out the section Non-responsible claims of VPNs for a more detailed description. The only 2 factors that should be included are speed and servers, on which many VPNs have already crossed that bridge - so the main focus will still be privacy. Of course, I will still note it if they have bad speed or a lack of servers.
ExpressVPN
Update 5 April 2022: Just realized that it is owned by Kape Technologies, together with PIA, ZenMate and CyberGhost. Kape Technologies has a long history of distributing malware. So avoid this and other providers that are owned by Kape.
This service is paid from the start. Their main page has nothing special, but it seems lots of "privacy guides" recommend this one. So let's try to sign up first. Signing up requires an email address, and you can pay via bitcoin too - but guess what? They use BitPay as their third-party payment processor, and here is what BitPay collects when you pay:
"Technical information including IP addresses used to view the BitPay invoice; the type of browser, devices and operating systems you use; identifiers associated with the device(s) you use to access our sites; the pages you visit and the features you use; access dates and times; and if you navigated from or navigate to another website, the address of that website; and information regarding your internet service provider."
I don't give a shit what you use it for - hands off my browser information and IP addresses! But that's only the payment; if the actual VPN service is private I can possibly deal with it, but is it?
From their privacy policy, section #Anonymous App Diagnostics, they collect the following:
"App diagnostics, including crash reports and usability diagnostics, also without any personally identifiable information. These are handled in an anonymized form by these third parties, dependent on the platform you are using ExpressVPN on:
Android: Firebase Crashlytics, owned by Google. See Firebase’s Privacy and Security documentation.
And they said this can be switched off. Yeah, of course, but it is enabled by default, so if you are not aware of it, your "statistical information" will be collected, and you need to trust how they define statistical information - it could include what apps you use, your Android version and such. And look at that sentence again! They are using Google to transmit this data, so Google will be able to see these "statistics".
If you check the lower part of their privacy policy, #cookies and mobile identifiers, it is even worse:
"ExpressVPN uses Google AdWords remarketing to show advertisements on third-party websites (including Google) to users who have visited our Site. We may show such users advertisements on a Google search results page, or on a site in the Google Display Network[...] ExpressVPN uses mobile identifiers to generate statistics related to the marketing channels and advertising partners through which users learned about and signed up for ExpressVPN mobile apps."
So you are helping the anti-privacy Google to track users and show them targeted ads? Absolutely terrible. And remember that mobile identifiers are unique, so they know exactly which mobile has which "statistics" in order to track users.
So that's their privacy policy, which doesn't say how long this information is stored, so assume the worst - forever.
More terrible news about this provider: their CEO has agreed to cooperate with the FBI, which makes ExpressVPN a honeypot for the US government to spy on you.
So in summary, here is a provider that relies on third parties like BitPay, cooperates with Google by giving them users' "statistical information" plus the user's mobile identifier, and does bullshit marketing with Google AdWords and Google Analytics that helps the anti-privacy Google to track users and send them ads, with no information about how long this data is stored. And their CEO has agreed to cooperate with the FBI, making room for the US government to spy on you. Always remember that they are also fucking expensive at $8/month, and if you can afford this, there are much better options, so forget about ExpressVPN.
IPVanish
Their whole website is behind Cloudflare, see here for details about how it sucks. Briefly, it blocks Tor traffic and forces you to turn on JavaScript and cookies for "browser checks". Because everything submitted to the website passes through Cloudflare, they hold great power: they can easily block you from accessing a website that is behind Cloudflare (even if the owner of the website doesn't mean to block you), and they can see everything you submit to the website - meaning they can spy on you, just like the Great Firewall of China.
Once you have successfully entered the website, you will see quite a lot of website trackers spying on you (tested with the uMatrix extension), including but not limited to: Google, Facebook, Reddit, and Bing (which is owned by Microsoft). All these big corps are notorious for big data collection, spying on their users to increase their ad revenue. While they earn big dirty money by selling your personal data to these third parties, they are also a fucking paid service which charges you $4/month. Again, that's only the website; if the VPN provider itself actually deserves the cost, then it's all okay.
Wait until you check their privacy policy and you will know why I graded this service as a C-, the lowest grade I can give. From their privacy policy:
The Service: In order to subscribe to our Services you must first create an account. [...] the data collected may include: email address, name, billing address, credit card information, IP address, and affiliate tracking data.
Look at that again! Billing address (your home address), IP address, and real name collection for our favourite VPN, IPVanish! And like other providers that advertise themselves as private, they don't accept anonymous bitcoin or cash payments. The lower part of this section is even worse:
We process aggregated anonymous data to improve the quality of our Apps and Services. The data collected may include: User’s language preference, device brand, device model, OS version, country, crash reports, session lengths, server usage, protocol, build version, UI interactions, API requests and response codes, and app build version.
How come you need my country, my language preference and my device to improve the quality of your apps and services, my dear IPVanish? And with over 99% probability they get your country by analyzing your original IP address, turning it into IPAppear. Moreover, the sending of the above 'anonymous information' to IPVanish cannot be switched off (unlike ExpressVPN), so be ready for your data to be robbed out of your control.
Our VPN applications utilize analytics tools, such as FireBase and App Center, to gather and performance data anonymously.
Wow, so not only do you get my personal data, you even share my information with Firebase, which is owned by the spyware platform Google. And now here comes the worst quote in the whole privacy policy:
We respect your privacy and do not seek to collect or otherwise Process your Sensitive Personal Data. If we ever need to Process your Sensitive Personal Data for a legitimate purpose, we would do so in accordance with applicable law.
As far as I can see, there is no other provider that says they would process your sensitive personal data, which may include things such as your credit card number. And 'for a legitimate purpose' is vague, so they can use bullshit excuses like 'suspect that this user is engaged in unlawful activities' and rob your personal data out of your control. Now for some false claims in their privacy policy:
We use third-party services to assist us with processing payments, fraud detection, improving website performance, app crash information, and email communications. These service providers receive only the information needed to perform their designated functions, and are not permitted to use the information for their own marketing, advertising or research purposes.
The above is a shameless lie. Just check out the list of cookies of IPVanish. It includes Google Ads, which is designed to track website visitors and show them ads. And now they say they won't use the information for their advertising purposes, what the fuck?
Signing up requires you to enable cookies plus JavaScript, otherwise the page won't even show. And that's all for their service, with no clear explanation in their privacy policy of how long the data is stored, so always assume the worst - forever. I can't even find a reason to use this VPN, and since there is too much shit about this provider, I am not going to write a summary of it.
Given how fucking bad it is, they still have the audacity to claim stuff like this:
We take every reasonable step to limit the volume and minimize the retention period of the Personal Data that we Process.
Yeah sure - very reasonable I guess!
SurfShark
Their website is behind Cloudflare, just like the trash above, IPVanish; see the IPVanish section for how it sucks - it acts as a patrol agent between you and the website, which means they can get everything you submit to it, including your password and sensitive information. So this VPN is already disqualified from my point of view, as everything submitted there is not safe. But anyway, let's check the provider out to see whether the actual service is worth the cost.
Just like IPVanish, it uses lots of fucking third-party website trackers, including Google Analytics, to spy on website visitors, as tested with the uMatrix extension. However, their price is only $2.5/month compared to IPVanish's $4/month, and they have a better (but still bad) privacy policy than IPVanish - which is the only saving grace of this service. Another issue with this service is that they try to do too much: they also have other services which require your account, such as Surfshark search, antivirus... Just like what Google has done - linking all your data from different services to create a profile of you.
But anyway, let's go straight to their privacy policy
VyprVPN
Update 20 April 2022: I did find a reason to use this VPN though - they support an independent protocol called Chameleon, which they claim prevents censorship, but it's so slow that I can say it's useless.
Probably the most terrible one from a privacy standpoint.
Update 5 April 2022: After my research I found out that there are much worse providers out there, so I am changing this.
Like ExpressVPN, it's very expensive at around $8/month for yearly accounts. But let's not judge them by the price; check out their privacy policy first. To make it clear, VyprVPN is owned by a company called Golden Frog, and the only privacy policy is on Golden Frog's website. From their privacy policy:
While using our Services, we may ask you to provide us with certain Personal Data. Personal Data that is associated with your account can include your name, email address, phone number, payment information and/or physical address.
Real name, phone number, physical address. Great, you are off to a quick start to privacy hell already. Look at how they explain this stuff:
Golden Frog uses the collected Personal Data to provide and maintain our Services and provide customer support for our Services.
I see, it's all for "customer support" only. I wonder why none of the other providers need this information then, VyprVPN? Let's stop that bullshit excuse. And now the lower part of their privacy policy:
Golden Frog utilizes web analytics software to track, in aggregate, the number of unique views received by the pages of the web site, the domains from which users originate along with many other analytical data points.
So what actually is that web analytics software? I tested the website with the uMatrix extension and found out it is the tracking shit Google Analytics. Wow, so even people who only visit their website are exposed to Google's mass surveillance!
Do they actually share that bunch of collected data with third parties? They claim that no data will be given to third parties except in a criminal investigation:
Golden Frog cooperates fully with law enforcement agencies, yet there must still be a subpoena before Golden Frog provides a member's identifying information - minimal information reasonably calculated to identify and no more. In a criminal investigation Golden Frog is required by the Law to not divulge the fact of the investigation to the member.
Read that again! They won't even tell you if you are targeted. I certainly understand that you are required by law to do this. But then they say "Switzerland has a long history of respecting privacy and has established a legal framework to protect it." - what a joke.
Apart from those disadvantages, it still has 1 advantage over the others though. User data can be erased, according to their privacy policy: "If you wish to be removed from our systems, please contact us at support@goldenfrog.com". So at least you can erase all the data collected.
When you register for an account, they require you to complete a fucking Google reCaptcha, which has long been criticized as a tool for the anti-privacy Google to track and spy on users. So I contacted them about this issue - but they seemed to ignore the issue and replied to me that a captcha is needed to verify that you are not a bot. Yeah I know, but can't you develop a first-party captcha?
Another problem with this service is that they don't accept bitcoin or cash as an anonymous payment method! They also use third-party payment processors to process the payment if you use a credit card (in the privacy policy):
We use third-party services for payment processing (e.g. payment processors). If you use a credit card that information will be collected by the payment processor. We do not collect or store your credit card number.
So what actually is the payment processor? I asked them again and the answer is Recurly. However, Recurly doesn't yet have a privacy policy for customers, so I won't even know what they actually store. The problem with using third-party payment processors is that even if you request data deletion at VyprVPN, Recurly can still see your credit card number - and from your credit card they get your name, bank and such info...
In summary: a very expensive service at $8/month that stores lots of things including your phone number and physical address, uses Google Analytics for tracking, lies about "Swiss privacy laws" given the fact that they won't tell you that you are targeted, doesn't accept an anonymous payment method, uses third-party payment processors, and uses the fucking Google reCaptcha. The only advantage here is that you can delete your data from VyprVPN, except for the most important part, the credit card number, as it is handled by third-party processors. Avoid this service!
Non-responsible claims of VPNs
Summary
I haven't yet finished the whole review, but you get the point - the VPN industry is as dirty as fuck.