VPN providers - Which one to choose?
1. Introduction
2. Grading of VPN providers
3. Unrelated claims of VPNs
4. Summary
Introduction
Using a VPN can help you bypass geographical blocks, hide your real IP address, and hide your internet traffic from your internet service provider. However, you should always remember that it is the VPN provider who encrypts your traffic and hides your IP, so if they want to, they can actually see your unencrypted traffic and your real IP address, and they do have a reason to do that - selling them to advertising platforms for profit.
If you don't want anyone to spy on you, you can always use Tor to encrypt your traffic, which is slower but more secure, as you don't need to trust its nodes - they encrypt hop by hop, so they can't see your content. However, Tor's exit nodes are public, which means websites can easily block users who access them using Tor.
So, if you want to visit websites that block Tor but still want to be private, you need a VPN. That's why this review was born: to help you get a trustworthy one. So let's start! (Also check out the ratings of the different providers in the table below.)
Grading of VPN providers
The grading of VPN providers is based on several factors, listed below. The highest grade I can give is A+; the lowest is C-.
- Not higher than B+ if they use trackers like Google Analytics.
- Not higher than C+ if they need your phone number, physical address or other info that is non-anonymous.
- Not higher than B+ if they collect usage data (which is vague, as usage data is defined by them).
- Not higher than B if they are behind Cloudflare, see here for details about how it sucks.
- Not higher than B if they use Google reCAPTCHA/hCaptcha, which can be used to track users.
- Not higher than C+ if they share users' VPN data with third parties.
- Not higher than B- if, as a paid service, they don't accept bitcoin/cash.
- Not higher than B if they don't support open standards like OpenVPN.
You may wonder why I didn't include 'features' as a rating factor. For users who come here to choose a privacy-respecting VPN, features are no big deal and are always a disguise used by non-privacy-respecting VPN providers. If you came here to find a good streaming VPN, then this guide is not for you. There are tons of such reviews out there.
ExpressVPN
Update 5 April 2022: Just realized that it is owned by Kape Technologies, together with PIA, ZenMate and CyberGhost. Kape Technologies has a long history of distributing malware. So avoid this and other providers that are owned by Kape.
First of all, this service is paid. Their main page has nothing special, but it seems lots of "privacy guides" recommend this one. So let's try to sign up first. Signing up requires an email address, and you can pay via bitcoin too - but guess what? They use BitPay as their third-party payment processor, and here is what BitPay collects when you pay:
"Technical information including IP addresses used to view the BitPay invoice; the type of browser, devices and operating systems you use; identifiers associated with the device(s) you use to access our sites; the pages you visit and the features you use; access dates and times; and if you navigated from or navigate to another website, the address of that website; and information regarding your internet service provider."
I don't give a shit what you use it for - hands off my browser information and IP addresses! UPDATE 10 May 2022: After I checked, BitPay requires you to provide your ID document and solve a fucking Google reCAPTCHA; that's why I downgraded the provider from B- to C+. But that's only the payment. If the actual VPN service is private I can possibly deal with it, but is it?
From their privacy policy, section #Anonymous App Diagnostics, they collect the following:
"App diagnostics, including crash reports and usability diagnostics, also without any personally identifiable information. These are handled in an anonymized form by these third parties, dependent on the platform you are using ExpressVPN on:
Android: Firebase Crashlytics, owned by Google. See Firebase’s Privacy and Security documentation."
And they said this can be switched off, yeah of course, but it is enabled by default, so if you are not aware, your "statistical information" will be collected, and you need to trust how they define statistical information - it could include what apps you use, your Android version or such. And look at that sentence again! They are using Google to transmit this data, so Google will be able to see these "statistics".
If you check the lower section of their privacy policy, #Cookies and mobile identifiers, it is even worse:
"ExpressVPN uses Google AdWords remarketing to show advertisements on third-party websites (including Google) to users who have visited our Site. We may show such users advertisements on a Google search results page, or on a site in the Google Display Network[...] ExpressVPN uses mobile identifiers to generate statistics related to the marketing channels and advertising partners through which users learned about and signed up for ExpressVPN mobile apps."
So you are helping the anti-privacy Google to track users and show them targeted ads? Absolutely terrible. And remember, mobile identifiers are unique, so they actually know which mobile device has which "statistics" in order to track users.
So that's their privacy policy, which doesn't say how long this information is stored, so assume the worst - forever.
Another piece of terrible news about this provider is that their CEO has agreed to cooperate with the FBI, which makes ExpressVPN a honeypot for the US government to spy on you.
So in summary, here is a provider that relies on third parties like BitPay, cooperates with Google by giving them users' "statistical information" plus the users' mobile identifiers, and does bullshit marketing with Google AdWords and Google Analytics that helps the anti-privacy Google to track users and send them ads, with no information about how long this data is stored. And their CEO has agreed to cooperate with the FBI, making room for the US government to spy on you. Always remember that they are also fucking expensive at $8/month, and if you can afford this, there are much better options, so forget about ExpressVPN.
IPVanish
Their whole website is behind Cloudflare, see here for details about how it sucks. Briefly, it blocks Tor traffic and forces you to turn on JavaScript and cookies for "browser checks". Because everything submitted to the website passes through Cloudflare, it holds great power: it can easily block you from accessing a website that is behind Cloudflare (even if the owner of the website doesn't mean to block you), and it can see everything you submit to the website - meaning it can spy on you, just like the Great Firewall of China.
Once you have successfully entered the website, you will see quite a lot of website trackers spying on you (tested with the uMatrix extension), including but not limited to: Google, Facebook, Reddit, and Bing (which is owned by Microsoft). All these big corps are notorious for big data collection, spying on their users to increase their ad revenue. While they earn big dirty money by selling your personal data to these third parties, they are also a fucking paid service which charges you $4/month. Again, that's only the website; if the VPN service itself actually deserves the cost, then it's all okay.
Take a moment to check their privacy policy and you will know why I graded this service C-, the lowest grade I can give. From their privacy policy:
The Service: In order to subscribe to our Services you must first create an account. [...] the data collected may include: email address, name, billing address, credit card information, IP address, and affiliate tracking data.
Look at that again! Billing address (your home address), IP address and real name collection for our favourite VPN, IPVanish! And like other providers that advertise themselves as private, they don't accept anonymous bitcoin or cash payments. The lower part of this section is even worse:
We process aggregated anonymous data to improve the quality of our Apps and Services. The data collected may include: User’s language preference, device brand, device model, OS version, country, crash reports, session lengths, server usage, protocol, build version, UI interactions, API requests and response codes, and app build version.
Now the huge collection of personal data throws this provider into privacy hell. If that's not enough - sending the above 'anonymous information' to IPVanish cannot be switched off (unlike ExpressVPN), so be ready for your data being robbed out of your control.
Our VPN applications utilize analytics tools, such as FireBase and App Center, to gather and performance data anonymously.
Wow, so not only do you get my personal data, you even share my information with Firebase, which is owned by the spyware platform Google. And now here comes the worst quote in the whole privacy policy:
We respect your privacy and do not seek to collect or otherwise Process your Sensitive Personal Data. If we ever need to Process your Sensitive Personal Data for a legitimate purpose, we would do so in accordance with applicable law.
As far as I can see, there is no such provider that says they would process your sensitive personal data, which may include things such as your credit card number. And 'for a legitimate purpose' is vague: they can use bullshit excuses like 'suspect that this user is engaged in unlawful activities' and rob your personal data out of your control. Now for some false claims in their privacy policy:
We use third-party services to assist us with processing payments, fraud detection, improving website performance, app crash information, and email communications. These service providers receive only the information needed to perform their designated functions, and are not permitted to use the information for their own marketing, advertising or research purposes.
The above is a shameless lie. Just check out the list of cookies of IPVanish. It includes Google Ads, which is designed to track website visitors and show them ads. And now they say they won't use the information for advertising purposes, what the fuck?
Signing up requires you to enable cookies plus JavaScript, otherwise the page won't even show. And that's all for their service, with no clear explanation in their privacy policy of how long the data is stored, so always assume the worst - forever.
I can go on but you get the idea. There is no reason to use this service either.
Given how fucked up it is, they still have the audacity to claim stuff like this:
We take every reasonable step to limit the volume and minimize the retention period of the Personal Data that we Process.
Yeah sure - very reasonable I guess!
Surfshark
Another website behind Cloudflare that bites the dust, see the IPVanish section about how it sucks - it acts as a patrol agent between you and the website, which means they can get everything you submit to it, including your password and sensitive information. So, this VPN is already disqualified from my point of view, as everything submitted there is not safe. But anyway, let's check the provider out to see whether the actual service is worth the cost.
Just like IPVanish, it uses lots of fucking third-party website trackers, including Google Analytics, to spy on website visitors (tested with the uMatrix extension). However, their price is only $2.5/month compared to IPVanish's $4/month, and they have a better (but still bad) privacy policy than IPVanish - which is the only saving grace of this service. Another issue with this service is that they try to do too much: they also have other services which require your account, such as Surfshark Search, antivirus... Just like what Google has done - linking all your data from different services to create a profile of you.
But anyway, let's go straight to their privacy policy. From their privacy policy:
The information we collect on our Website may include anonymous “traffic information” provided by the host or similar provider of such information (e. g. Google Analytics) that does not personally identify you but may be helpful for improving the Services we offer. [...] In addition, when you visit our Website, we may also retain your IP address, a unique identifier for your computer or other access device.
Great! Prepare for your privacy to be ripped away and sent directly to Google every time you visit this shit website. So that's the website, how about the actual VPN service?
To maintain a perfect quality of our Services and provide you with efficient support we collect diagnostics information and monitor crash reports on our apps and extensions. The information we collect contains aggregated performance information, the frequency of use of our Services, unsuccessful connection attempts and other similar information.
What this 'diagnostic information' consists of is of course not stated, which means they can interpret it however they like at any time. Can this so-called 'anonymous data' be linked to your own account? They seem to double-speak on this issue:
Please note that diagnostics information does not contain uniquely identifiable information.
And in another section they say:
We may receive certain information about you (cookie id, mobile device id, when you use our Trust DNS app – advertising IDs, in app events, such as in-app purchase or amount and type of ads watched, information about what browser, network, or device is used to access and use Trust DNS) from certain advertisers and advertising partners for advertising purposes. Our advertising partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising and account-based advertising.
So actually they collect the mobile device ID, which is unique, so it can be tracked to a specific user. Why pretend otherwise then? This personally identifiable information is also sent directly to the advertisers (probably Google, the biggest privacy violator on the web) for the fucking purpose of interest-based advertising, which pretty much makes you a product for them to earn money. Okay, so here is all the personal data they store, but how long do they store it?
Personal information which is needed to provide our Services is processed for as long as you use Surfshark and no more than 2 years after you stop.
Okay, so they store your personal data for 2 years after 'I stop' (can anyone explain what the hell that means?). Oh Surfshark, where is the privacy that I was promised on your main page?
Signing up requires your email address (which is pretty mild; it doesn't block temporary ones either). It also accepts cryptocurrency, but it uses third-party payment processors - already a red flag. Do those third-party processors collect shit like BitPay does with ExpressVPN? Let's check it out. There are 2 third-party payment processors, and let's start with CoinGate. From its privacy policy about what they collect:
IP address, name and surname, gender, place of birth, address, telephone number [...] address of the sender of the transaction, address of the payee of the transaction, power of attorney, data provided in the business registration certificate, data provided in the document of business address proof, requests for overpayments, Facebook ID information, Google ID information, other information provided by you.
It seems this is no different from direct Facebook surveillance. How about the other third-party processor, CoinPayments? Is it any better? From their privacy policy:
full legal name, date of birth, age, nationality, gender, signature, utility bills, phone number, email address and home address, passport or other photo identification cards such as a driver’s license or national identification card, other photographs like selfies, user ID, security questions, authentication data, transaction information, financial information, cryptocurrency or wallet addresses [...]
These two payment processors don't even seem to care about your privacy at all, but Surfshark's privacy policy tells a different story about these providers:
As for payment related information, our payment processing partners collect usual data necessary for payment processing and/or refund requests.
Are my selfie, all my government documents, my Google unique ID, my telephone number and all of these 'usual data'?
On the surface, this is a cheap provider that is no-log and accepts bitcoin, but after we dive into their privacy policy, it tells a different story. It uses third-party website trackers on its website; double-speaks that it doesn't collect user-identifiable information while storing your unique device ID for 2 years even after you delete the account; shares this data with Google directly for advertising purposes; and lies in the privacy policy, saying that what those third-party processors collect is necessary and reasonable, when those payment processors' privacy policies show they actually collect a lot of your information to know your real identity. This service is actually pretty cheap, but since it violates most of a VPN's principles, avoid!
VyprVPN
Update 20 April 2022: I did find a reason to use this VPN though - they support an independent protocol called Chameleon, which they claim prevents censorship, but it's so slow that I can say it's useless.
Probably the most terrible one from a privacy standpoint.
Update 5 April 2022: After my research I found out that there are much worse providers out there, so I am changing this.
Like ExpressVPN, it's very expensive at around $8/month for yearly accounts. But let's not judge them by the price; check out their privacy policy first. To make it clear, VyprVPN is owned by a company called Golden Frog, and the only privacy policy is from Golden Frog's website. From their privacy policy:
While using our Services, we may ask you to provide us with certain Personal Data. Personal Data that is associated with your account can include your name, email address, phone number, payment information and/or physical address.
Real name, phone number, physical address. Great, that's a quick start to privacy hell already. Look at how they explain this stuff:
Golden Frog uses the collected Personal Data to provide and maintain our Services and provide customer support for our Services.
I see, it's all for "customer support" only. I wonder why none of the other providers need this information then, VyprVPN? Let's stop that bullshit excuse. And now the lower part of their privacy policy:
Golden Frog utilizes web analytics software to track, in aggregate, the number of unique views received by the pages of the web site, the domains from which users originate along with many other analytical data points.
So what actually is that web analytics software? I tested the website with the uMatrix extension and found out it is the tracking shit Google Analytics. Wow, so even people who only visit their website are exposed to mass Google surveillance!
Do they actually share the bunch of data they collect with third parties? They claim that no data will be given to third parties except in a criminal investigation:
Golden Frog cooperates fully with law enforcement agencies, yet there must still be a subpoena before Golden Frog provides a member's identifying information - minimal information reasonably calculated to identify and no more. In a criminal investigation Golden Frog is required by the Law to not divulge the fact of the investigation to the member.
Read that again! They won't even tell you if you are targeted. I certainly understand that you are required by law to do this. But what they said - "Switzerland has a long history of respecting privacy and has established a legal framework to protect it." - what a joke.
Apart from those disadvantages, it still has 1 advantage over the others though. According to their privacy policy, users' data can be erased: "If you wish to be removed from our systems, please contact us at support@goldenfrog.com". So at least you can erase all the data collected.
When you register for an account, they require you to complete a fucking Google reCAPTCHA, which has long been criticized as a tool for the anti-privacy Google to track and spy on users. So I contacted them about this issue - but they seemed to ignore it and replied that a captcha is needed to verify that you are not a bot. Yeah I know, but can't you develop a first-party captcha?
Another problem with this service is that they don't accept bitcoin or cash as an anonymous payment method! They also use third-party payment processors to process the payment if you use a credit card (in the privacy policy):
We use third-party services for payment processing (e.g. payment processors). If you use a credit card that information will be collected by the payment processor. We do not collect or store your credit card number.
So what actually is the payment processor? I asked them again and the answer is Recurly. However, Recurly doesn't yet have a privacy policy for customers, so I won't even know what they actually store. The problem with using third-party payment processors is that even if you request data deletion at VyprVPN, Recurly can still see your credit card number - and from your credit card they get your name, bank and such info...
In summary: a very expensive service at $8/month that stores lots of things including your phone number and physical address, uses Google Analytics for tracking, lies about "Swiss privacy laws" given the fact that they won't tell you that you are targeted, doesn't accept anonymous payment methods, uses third-party payment processors, and uses the fucking Google reCAPTCHA. The only advantage here is that you can delete the data from VyprVPN, except the most important credit card number, as it is handled by third-party processors. Avoid this service!
Unrelated claims of VPNs
Summary
I haven't yet finished the whole review, but you get the point - the VPN industry is as dirty as fuck.