Misleading promises of the world's fastest, anonymous, military-grade VPNs

VPN Worst Practices By Viktor Vecsei | Posted on December 4, 2020

Trust is hard to build and telling the truth is a valuable habit to support this process.

Trust is also easy to lose and telling lies (even white ones) is a fast way to diminish it.

When picking a VPN service, the most important questions to ask are: do I trust them to act in my best interest? Can I trust that they do not inspect my traffic or log my activities?

Most popular VPN services are guilty of a practice that plagues bad parenting, budding relationships and political discourse: false promises. However, they stay popular as most customers don’t know they were enticed by lies.

We discussed how popular providers over-promise in our earlier post, ‘Why you don’t need a VPN’. Now we observe the five most common, misleading tropes in the industry.

TL;DR - 9 out of 10 of frequently recommended VPN services we observed used at least one of the misleading wordings we have identified. The three boldest (PIA, HotSpotShield, CyberGhost) used all five. TunnelBear was the only provider to pass with a clean slate.

Here are the promises and claims we recommend providers to get rid of:


1. “Become anonymous”

and its variations, “achieve anonymity”, “total anonymity”, or “surf the web without a trace”.

Perfect anonymity online is close to impossible to attain. You need to understand your threat model, use tactics like compartmentalization, airgapped and burner devices, getting around device fingerprinting… and the list goes on. Using a VPN alone will get you nowhere near an anonymous presence online. You can be tracked without major efforts after giving out personally identifiable information, through collected behavioral data and with cross-device tracking.

VPN services promising “total anonymity” are not just misleading, they are dangerous to their customers - especially to journalists, dissidents and people living under totalitarian regimes. Why do they do this? Because fear, uncertainty and doubt creates a strong emotional need, and promising a cure-all sells the service.

6 out of 10 most recommended providers are guilty of promising “anonymity” in some shape or form.

Misleading samples:
ExpressVPN home page - “Stay secure and anonymous online”
CyberGhost home page - Promises “total data anonymity across all apps and platforms”
ProtonVPN home page - “Our anonymous VPN service enables Internet without surveillance”

Using a no-logs VPN does not make you anonymous - ExpressVPN disagrees

2. “Complete privacy”

and its variations, “most private”, perfect privacy", “truly private browsing” or “absolute privacy”.

Next on the list is the little brother of the anonymity promise, “perfect privacy”. Privacy is a spectrum. Just as zero privacy is not possible - even in extreme cases your thoughts can remain private - you cannot attain complete privacy either. There are many ways to capture your behavior, actions and inputs offline and online, generating pieces of data that reflect a piece of your personality or behavior. That data can be used to violate your privacy.

Some providers also add “total security” and “perfect security” to their promises - a similarly dumbfounded claim.

6 out of 10 most recommended providers are guilty of promising “complete privacy” or variation of it.

Misleading samples:
Private Internet Access home page, black friday promo - “Full online privacy for only 1,94 €/month”
SurfShark country promo pages - “allows you to surf in complete privacy”
VyprVPN (get vyprvpn page) - “Total Privacy and Security”

Absolute privacy and total data anonymity provided by CyberGhost

3. “Fastest VPN”

and “highest speeds” or “best VPN speeds”.

Using a mediocre VPN can slow your connection down - speed matters, and this pushes brands to make lofty claims about it.

Yet most VPN companies use the same service providers and very similar hardware setups to run their servers. Recent advancements in VPN protocols (particularly WireGuard) offer better speeds, but if the “best” services use them, it creates no speed advantages for any of them.

While many other factors affect your connection speed, you need to trust your VPN to pick good infrastructure partners, use the latest hardware, deploy the best protocols, not oversell their servers or throttle your speeds.

Good VPN providers will likely yield similar speeds for a significant sample size of customers averaged over time. Measurements will vary across different locations, devices, times, etc. and network conditions change all the time. There are no universally applicable metrics to award the title of “Fastest VPN”.

For these reasons such claims can not be true, and assuming one service will offer the fastest connection for each potential subscriber is misleading.

Misleading samples:
NordVPN Fast VPN page - “The fastest VPN experience on the planet”
HotSpotShield Fastest VPN page - “Get the world’s fastest VPN experience”
TorGuard VPN and Proxy network page - “The fastest VPN and Proxy Network”

NordVPN promises the best possible speed for every person on Earth

4. “Military grade encryption”

or “industry-leading encryption” and “most encryption”.

“Military grade encryption” is a popular marketing gimmick in the VPN provider sales vocabulary. There is no fixed standard set in militaries for encryption, and implementations vary across different segments of armed forces.

There are weak encryption protocols which you obviously don’t want to see used by a VPN service e.g. PPTP. However, the vast majority of providers implement the same level of encryption using OpenVPN or Wireguard with the default cipher (AES-256-GCM / ChaCha20). Providers don’t develop their own encryption protocols (excluding obfuscation layers). Providers calling their encryption technology “industry-leading” is misleading.

Misleading samples:
ExpressVPN Blog - “ExpressVPN for routers protects all your devices with military grade encryption!”
Private Internet Access home page - “…to provide the highest speeds and most encryption.”
SurfShark streaming promo - “all of your data is protected by a military-grade encryption system”

Three paragraphs, at least three misleading claims by PIA

5. “The best VPN”

or “market leading VPN” and “best VPN for X”.

Eight out of ten VPN providers we looked at claimed they are the best for everyone or for a specific purpose. This number alone demonstrates the issue with this claim.

No VPN solution works universally well for each customer’s needs. A comparison website, after careful, independent evaluation might judge that a brand offers the “best all-around solution on the market”. But for service providers to claim they are the best for you is a bold move.

This problem points to a general issue with US-focused marketing, where advertisers enjoy flexibility for wording in advertising. But even there you need to support your claims with substantial, objective evidence.

Misleading samples:
TorGuard country promo pages - “Don’t settle for second best. Use the best VPN for Australia.”
NordVPN home page title - “NordVPN: Best VPN service. Online security starts with a click.”
VyprVPN home page - “Get the best VPN for streaming with lightning-fast and reliable connections”

Surfshark working hard to rank for "best VPN" keywords


We have empathy for the marketing teams of VPN providers. The competition is fierce. Writing copy that sells is hard. You need to optimise for juicy search keywords.

Yet, you should not make promises or claims that are untrue.

Start removing the misleading words from your websites today.


Addendum:

VPN providers included in this research and their score:
Private Internet Access 5/5
CyberGhost 5/5
HotSpotShield 5/5
TorGuard 4/5
NordVPN 4/5
ExpressVPN 4/5
VyprVPN 3/5
SurfShark 3/5
ProtonVPN 1/5
TunnelBear 0/5

Download the full table to review scores.

All websites were observed during a period between 15 November and 1 December 2020.

References:
https://www.cyberghostvpn.com/en_US/
https://www.expressvpn.com
https://protonvpn.com
https://www.privateinternetaccess.com
https://surfshark.com/servers/turkey
get.vyprvpn.com
https://www.hotspotshield.com/what-is-a-vpn/fastest-vpn/
https://torguard.net/network/
https://nordvpn.com/features/fast-vpn/
https://www.expressvpn.com/blog/popular-vpn-app-for-routers/
https://surfshark.com/blog/how-to-stream-premier-league
https://torguard.net/australia-vpn.php
https://nordvpn.com
https://www.vyprvpn.com

Privacy Security
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to blog@ivpn.net.
IVPN News

Independent security audit concluded

By Nick Pestell

IVPN News

IVPN applications are now open source

By Viktor Vecsei

Releases

Beta IVPN Linux app released

By Viktor Vecsei

The privacy issue is real and you can't solve it with just a VPN VPN Worst Practices

The privacy issue is real and you can't solve it with just a VPN

Posted on August 13, 2020 by Viktor Vecsei

In the two previous posts in our series we have discussed even though mainstream VPN providers over-promise on their services, VPNs are useful and necessary tools for privacy protection. This third post looks beyond promises of VPNs to examine why and how sensitive data is accumulated of our lives, and what can we do about it.
VPNs are imperfect, but necessary privacy enhancing tools VPN Worst Practices

VPNs are imperfect, but necessary privacy enhancing tools

Posted on June 4, 2020 by Viktor Vecsei

I’ve given everything away in the title. If you want better privacy online, use a VPN, but don’t expect perfect protection. Another blog post discussing the benefits of a VPN might feel unnecessary in 2020. Hundreds of companies give you thousands of reasons on why you need one, bombarding you through ads, flashy landing pages and YouTube shout-outs.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.