Should You Opt For A Privacy-Focused VPN?  


This new methodology update to our VPN test bench introduces our best effort at a comprehensive, fair, and accurate evaluation of the privacy aspect. Our goal is to help you identify how trustworthy the VPN providers are with your data. From the privacy leaders (Mullvad, IVPN, Windscribe, and Proton VPN) to those that have questionable policies (HotSpot Shield and MegaVPN), this article aims to provide more details on how to interpret the scores of the "Private Browsing" usage, and on the compromise you're making when choosing a middle-ground VPN like Private Internet Access, ExpressVPN, Surfshark VPN, or NordVPN.

There are many reasons to use a VPN, and it can be a real challenge to find reliable information in the VPN space. The VPN landscape is riddled with:

And on the other side, we are exposed to stories about how important online privacy is, like Edward Snowden's NSA leak, the Cambridge Analytica scandal, near-daily data leaks, and the 300 billion dollar data brokerage market.

Table showing the generous affiliate program of NordVPN.
Source: NordVPN affiliate program.
BBC Headline of Edward Snowden: Leaks that exposed US spy programme.
Source: BBC.
Headline from the Cambridge Analytica: From scandal to awareness: how Cambridge Analytica changed the Internet forever.
Source: Cambridge Analytica.

In the middle of all this, all we want to do is use the web responsibly, securely, and privately. Depending on how you use the web, there may or may not be good reasons to use a VPN. And sometimes, using a VPN can do more harm than using none at all.

Identify Why You Need a VPN (Defining Your Threat Level) 

Before committing to a VPN provider, you must first understand your needs and motivations for using a VPN to make an informed buying decision. Defining your "Threat Level," a term borrowed from digital security, is the notion commonly used when choosing a VPN. It boils down to defining what you want to protect, who you want to protect it from, and how much you can afford to lose in case something goes wrong. The table below shows examples of different motivations for using a VPN.

| Usage | What are you protecting? | Who do you protect it from? | Exposure risk |
|---|---|---|---|
| Torrenting | Hiding your P2P traffic of copyrighted material | Copyright holders via your ISP | Might depend on the amount/content: You might be exposing yourself to a DMCA takedown notice and could face legal action for theft or publication of copyrighted material. |
| Accessing geo-restricted content | Spoofing your location | Streaming services | Not being able to access the content or getting your account banned. |
| Bypassing censorship | Bypassing DNS filter/firewalls, or bypassing account limitations due to age | ISP, government | Will depend on the country. Bypassing the age verification requirement for adult content in the UK will have a different risk than bypassing censored content in China. |
| Protecting your web traffic while using public Wi-Fi | DNS calls, unencrypted web traffic | Hackers, IT admin, parents, roommates, landlords | Most popular websites use HTTPS, meaning most of your web traffic is most likely already encrypted. DNS calls can be used to see which web domains you were viewing, without knowing about the content. |
| Avoiding trackers | Personal user data, IP address | Data brokers | The risk is generally pretty low with your content being targeted with personalized ads. |
| Preventing being hacked on P2P networks while gaming | IP address | Script kiddies | Targeted DDoS attack during multiplayer games. |
| Prevent price fixing (surveillance capitalism) or benefit from regional pricing/discounts | IP address | Data brokers, Online shops | Price increases. |

There are other use cases for a VPN, like accessing your internal or business network from abroad, which we don't cover, since we focus on VPNs targeting the consumer market that route your traffic through their global infrastructure.

Before choosing your provider, ensure that a VPN will cover your protection needs. If a VPN alone isn't enough, you might want to define your whole ecosystem of products (private emails, password manager, and cloud storage, etc.) before committing to a particular provider since you might want to take advantage of discounted bundles from a particular provider, or the opposite, ensuring you're not putting all your eggs in one basket by choosing different providers for different services. The answer depends on the risk you're willing to take if one provider gets compromised.

When using a VPN to mostly hide your web traffic or spoof your geo-location, the risk you're exposing yourself to is pretty low, and any decent VPN should provide you with enough protection. When torrenting, ensure you have a proper setup that won't leak outside of the VPN tunnel by enabling the VPN's kill switch and ensuring your torrent client is bound to the VPN.

Screen capture of the Transmission torrent client.
The user interface of the Transmission torrent client. Source: Transmission.
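One way to check that a torrent client is bound to the VPN, as an added example that is not part of the original article or of Transmission itself: it audits the `bind-address-ipv4` and `bind-address-ipv6` keys of a Transmission `settings.json` against the addresses assigned to the tunnel interface. The tunnel address `10.8.0.2` and both sample files are constructed for illustration.

```python
import ipaddress
import json

# Constructed samples. The first uses Transmission's default wildcard binds;
# the second binds IPv4 to the (assumed) tunnel address and IPv6 to loopback.
SAMPLE_DEFAULT = json.dumps({"bind-address-ipv4": "0.0.0.0",
                             "bind-address-ipv6": "::"})
SAMPLE_BOUND = json.dumps({"bind-address-ipv4": "10.8.0.2",
                           "bind-address-ipv6": "::1"})
TUNNEL_ADDRS = ["10.8.0.2"]  # assumption: address of the VPN interface


def audit_binding(settings_text, tunnel_addrs):
    """Return a list of findings. An empty list means every bind address
    is either a tunnel address or loopback."""
    settings = json.loads(settings_text)
    tunnel = {ipaddress.ip_address(a) for a in tunnel_addrs}
    findings = []
    for key in ("bind-address-ipv4", "bind-address-ipv6"):
        raw = settings.get(key)
        if raw is None:
            findings.append(f"{key}: not set, so the wildcard default applies")
            continue
        addr = ipaddress.ip_address(raw)
        if addr.is_unspecified:
            # 0.0.0.0 or :: lets the OS pick any interface, including the
            # physical one if the tunnel drops.
            findings.append(f"{key}: {raw} is a wildcard, any interface can be used")
        elif addr.is_loopback:
            # Loopback cannot reach peers off the host, so nothing leaks.
            continue
        elif addr not in tunnel:
            findings.append(f"{key}: {raw} is not a tunnel address")
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("bound", SAMPLE_BOUND)):
        print(name, audit_binding(text, TUNNEL_ADDRS) or "OK")
```

The IPv6 key matters as much as the IPv4 one: a tunnel that carries only IPv4 leaves a wildcard IPv6 bind free to use the physical interface.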

If you're using a VPN to privately browse the web to either hide your identity or hide from trackers, a VPN is definitely a good start, but alone, it's not enough (e.g., browser fingerprinting can occur). Some VPNs will also state in their privacy policies that they can share your user data with third parties. While some providers like Proton VPN are clear about what is shared with whom, some providers use broad blanket claims, which makes it difficult or impossible to know if or how your data is collected. Again, your choice of a VPN will depend on your motivation and the risk associated with not being as private as you think.

The Compromise Between Features and Privacy

If you already use a VPN, you might have noticed the increased number of CAPTCHAs you face when surfing the web, or maybe your login attempts get flagged as suspicious and require extra approval steps to log in. These are just two examples of the compromise between features and privacy when using a VPN for everyday browsing. Privacy most often comes with a convenience cost. Depending on your reason for using a VPN, you could instead use split tunneling to send only your torrent traffic to your VPN, making you browse the internet as if you didn't have a VPN, while still protecting your sensitive peer-to-peer (P2P) traffic. But this can't be an option if you are trying to circumvent geo-restricted content or attempt to reduce online trackers.

Other features, like port-forwarding, can be used to increase speeds on P2P networks. But two of our most privacy-focused VPNs, Mullvad and IVPN, have disabled the feature to prevent abuse on their systems (links to their reasoning: Mullvad and IVPN). Keeping the feature enabled would require them to add monitoring (logging) to their systems, which they don't want to do in order to protect your privacy. Without that monitoring, there was abuse in the past that they simply could not let continue, hence the compromise of reducing their features to improve your privacy. Windscribe lets you set up port-forwarding, but only on a static IP address, which, while not dedicated to a single user account, is still shared with only a "handful of users." That said, most VPNs with port-forwarding capabilities will simply have monitoring systems in place to protect their systems.

This is where your threat level definition is important. If you don't want to make any compromise on your user data protection, then choosing a privacy-focused VPN is the way to go. If you don't mind having a company possibly sharing that information with third parties (many providers are clear about sharing user information with third parties in their Privacy Policies), then go ahead and get a VPN with port-forwarding to increase your torrent speeds, since you're willing to make the compromise.

Excerpt of the NordVPN Privacy Policy showing their "sharing your personal data" section.
Source: NordVPN Privacy Policy.

What Our Usage Score Tells You About a VPN Provider

The fact of the matter is, we don't know what happens behind closed doors. What we do know is that when comparing VPN providers' policies and business practices, there are clear differences in their Privacy Policies and Terms of Service (ToS) with regard to what user data is collected and shared throughout their organization or with third parties. There are also major differences in how clear a provider will be about what kind of user data is collected, who it's shared with, and why. Some companies, like IVPN, collect the minimum amount of user data and don't rely on third parties. Others will clearly list out all the third parties along with which information each receives to be able to provide their services, while other providers make generic statements without any details, which makes it annoyingly opaque to the users.

Excerpt of the ProtonVPN Privacy Policy listing their third parties.
Source: ProtonVPN Privacy Policy.

Another big differentiating factor is how providers communicate with their customers; some providers are clear privacy advocates with great informative blogs and community presence to answer any concerns, while other providers just rely on the standard customer support service to answer questions privately. All of our best-scoring VPNs (green scores) have good blog posts informing their users about the proper use, configuration, and limits of using a VPN.

In general, you can expect a green score for our privacy box to associate with VPNs that are clear privacy advocates, either keeping minimal user data or clearly informing you on what and why user data is collected. These providers tend to go above and beyond expectations to communicate with their users and answer feedback, good or bad, around their services to be able to gain and retain users' trust.

On the opposite side of the coin, a red score points to companies that are clearly sharing your user data with third parties. While we don't always know what data is shared and with whom, HotSpot Shield Free tells you clearly: they target you with ads.

Excerpt from the HotSpot Shield Privacy Policy regarding providing ads.
Source: HotSpot Shield Privacy Policy.

There are a lot of online services like Google or Meta that already offer this kind of compromise: A free or cheap service in exchange for your information to deliver you targeted ads. If all you want is to access geo-restricted content and don't mind the ads, the risk you take by sharing user data with third parties to keep your interest profile for ads is minimal. Hopefully, your goal with using a VPN is not to fight online tracking!

A yellow privacy score is where it gets murkier. Our scoring methodology is based on a lot of different factors, ranging from objective evidence extracted from the Privacy Policies and ToS to more subjective aspects centered around business practices and transparency with users.

Example of a scoresheet from the RTINGS review for Private Internet Access.
Example scoresheet for company practices for Private Internet Access.

One surprise finding during our testing is that there weren't many yellow VPN providers with regard to privacy. With the granularity of the scoring, VPNs with a yellow or "high-red" score tend to lose points in a lot of different aspects, but one aspect that remained mainly constant with all non-green VPNs is the user data collection exposed in their privacy policy. Since we're scoring privacy, collecting user data and sharing it with third parties meant losing a good chunk of points on the final score.

The problem that remains is that in most cases, we don't know what happens with your data behind closed doors. And VPNs get more than just your regular account information. They get to see all the web traffic you tunnel through the VPN connection. Most VPNs will tell you straight up that they don't keep logs of your web traffic associated with your personal information, but they also say straight up that they will use and share your user data with third parties, with no specifics. It's left up to interpretation where the line is drawn here. So, this all comes down to the threat level again. The reason you're using a VPN should be driving how much risk you're willing to take with your user data; that might or might not include your web traffic, since the line is blurry.

And if you're using a VPN to fight online trackers, then don't use a VPN that is clear about collecting and sharing your user data.

VPNs and Their Online Security Promise

A lot of VPN companies advertise the need for a VPN to protect yourself online. While this can hold some truth, the security risks around not using a VPN online were wildly exaggerated in the past (e.g., NordVPN facing two complaints for misleading advertisements in the UK in 2019 and 2023, or HotSpot Shield advertising with the animation below).

Animated image of misleading advertisement from HotSpot Shield.
Source: HotSpot Shield.

But if one of the main reasons you're getting a VPN is to be able to securely browse the web and encrypt your traffic so hackers cannot grab your banking details, think again. Most of the web now uses HTTPS, which already encrypts web traffic. This means the main information that is visible to packet-sniffers is the IP address you're trying to connect to. So while a hacker or an IT admin could see which domain you're contacting when using public Wi-Fi without a VPN, they can't see the content or the specific pages you're accessing on that domain. So if you're accessing websites you're not supposed to in public spaces, like at your school, at work, or at home when using a shared router, an IT admin can see which websites you're accessing. Using a VPN with proper IP and DNS leak protection can provide you with better privacy when browsing in public spaces. In our new "Private Browsing" usage, you'll notice that 35% of the score is based on the "Security" tests, so the integrity of the VPN tunnel is accounted for in our final scoring.
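What "IP and DNS leak protection" has to prevent, as an added example that is not part of the original article or of our test bench: the function below classifies outbound flows that leave on the physical interface instead of the tunnel. The flow records, interface names (`wg0`, `wlan0`), addresses, and the rule that DHCP stays allowed are all constructed assumptions.

```python
# Constructed flow records: (egress interface, destination IP, protocol, port).
# Addresses come from private and documentation ranges.
SAMPLE_FLOWS = [
    ("wg0",   "10.64.0.1",    "udp", 53),     # DNS sent through the tunnel
    ("wlan0", "203.0.113.10", "udp", 51820),  # the encrypted tunnel itself
    ("wlan0", "192.168.1.1",  "udp", 53),     # DNS query to the Wi-Fi router
    ("wlan0", "198.51.100.7", "tcp", 443),    # HTTPS sent outside the tunnel
    ("wlan0", "192.168.1.1",  "udp", 67),     # DHCP renewal on the local network
]
VPN_ENDPOINT = ("203.0.113.10", "udp", 51820)  # assumed VPN server endpoint
DNS_PORTS = {53, 853}            # plaintext DNS and DNS over TLS
LOCAL_ALLOWED = {("udp", 67)}    # assumption: DHCP is needed to stay on the network


def find_leaks(flows, tunnel_if, vpn_endpoint):
    """Return (kind, flow) for every flow that bypasses the tunnel.

    kind is "dns-leak" when the local network can read which domains are
    looked up, and "ip-leak" when the destination sees the real IP address.
    """
    leaks = []
    for flow in flows:
        iface, dst, proto, port = flow
        if iface == tunnel_if:
            continue  # inside the tunnel: only the VPN provider sees it
        if (dst, proto, port) == vpn_endpoint:
            continue  # the tunnel's own encrypted packets must use the physical link
        if (proto, port) in LOCAL_ALLOWED:
            continue
        kind = "dns-leak" if port in DNS_PORTS else "ip-leak"
        leaks.append((kind, flow))
    return leaks


if __name__ == "__main__":
    for kind, flow in find_leaks(SAMPLE_FLOWS, "wg0", VPN_ENDPOINT):
        print(kind, flow)
```

A working kill switch and leak protection should leave this list empty, including during the moments when the tunnel reconnects.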

Some VPNs also come with integrated anti-virus, malware detection, or ad blocker programs. We don't currently review these add-ons, so they're not part of our Security score.

Conclusion

Choosing a VPN isn't just about speed, features, or price; it's about deciding who you're comfortable entrusting your data with. If your goal is to hide P2P traffic from your Internet Service Provider (ISP), most VPNs, regardless of their privacy stance, can get the job done. But if you're using a VPN to protect sensitive data, avoid surveillance, or minimize your digital footprint, then privacy-focused providers should be your default choice.

Our Private Browsing usage can help you compare VPN providers, helping you make an informed buying decision reflecting your needs, values, and threat level. If you're still unsure where to begin, we recommend starting with our list of the best privacy-focused VPNs.