Trust is, or should be, the number one factor in picking a VPN service. This is a point we have mentioned in previous posts in this series, but it’s worth expanding on and taking a closer look at the why.
Can you trust the service to encrypt your connection and not log any information about you? Can you trust its owners to act in your best interest when someone tries to identify you, be it a data broker or an overzealous government entity? Can you trust someone you don’t know and cannot hold accountable?
A common defense by companies hiding their ownership in the VPN industry is the following: “we are a privacy company, so our owners wish to remain anonymous”. In other cases they reason that anonymous operators can fight government pressure better. These are red herring arguments. Privacy protection services don’t exist to serve their owners; they exist to serve their customers. If a government agency wants to pressure operators of large-scale VPN services, they have the means to find them.
If anything goes wrong and the VPN service bails on its promises, those in charge need to take responsibility. If a company that is supposed to protect you is registered in an obscure location, it shields the owner’s identity, which is beneficial for them, but not for you. The chance for accountability is lost.
A further reason to learn and understand who is behind the VPN service is to assess their motivation. Entrepreneurs motivated by financial gains can run services at a high quality and some may put principles before profits. Yet if those operators have a history of running malware, or investing in data mining services, their commitment to protect your privacy is less clear. If having some unwelcome connections is a reason for hiding their ownership, that is a cause for alarm.
Some popular VPNs are owned by vertically integrated conglomerates that also operate media companies and run tech comparison websites. They are not breaking any laws, yet corporate visions rarely include activism motivated by the desire to challenge a new surveillance status quo. Rather, they tend to favor structures and decisions that prefer creating shareholder value and improving financial performance indicators.
When considering other reasons for obfuscated ownership, we can only contemplate the worst cases. We have no proof of any top VPN service being secretly owned by governments or malicious actors that use it as a honeypot. This is something we cannot rule out either, and the consequences are grave.
If you are evaluating VPN services, we suggest researching the owners of your top choices.
You can start with the following steps:
- Review their website and look for information on who operates the service: About Us pages, Terms and Conditions, Career sections.
- Do a DuckDuckGo search on the operators or use sources like Crunchbase or LinkedIn to find out more about their background. Based on the available information, you can determine whether their profile fits the mission of protecting your privacy.
- Check if the team members are listed on the website or other public spaces. Relevant activity on platforms like GitHub and LinkedIn is a good sign.
- Do a search on Reddit and Twitter for the company and brand name and see what pops up: are there any obvious issues or reports of maleficence?
What we would consider red flags:
- No company name provided on the website, or a company registered in an obscure location with no owners specified.
- Vague mission statements and no persons responsible listed on the About Us page.
- No trace of the brand name, owners or staff mentioned outside of the homepage of the service.
- Repeated complaints about the service without any redress.
The VPN industry has changed considerably in the past couple of years. Gone are the days when companies serving millions of customers could get by with obfuscated ownership and unclear policies. This is a welcome trend, but transparency should be the norm for every VPN service. We hereby call on VPN providers to do the following:
- Fully disclose final and beneficial owners of the service, so customers know who is responsible for protecting their data.
- Announce the jurisdictions they operate in and publicise law enforcement response guidelines to make customers aware of their policies.
- Disclose team members and include information about their background on the website.