See the previous 0.9.1 changelog.
Our VPN 0.10 test bench adds new tests to evaluate VPN privacy. More specifically, we take an in-depth look at each VPN provider's policies, history of company practices, and other relevant factors to help you decide whether they're trustworthy or not.
Why Are We Making These Changes?
One of the primary reasons for using a VPN is to protect your online privacy. When you subscribe to and use a VPN service, you entrust it with your data. The data that the VPN provider collects and what it does with it varies depending on the provider, so it's essential to make an informed decision to properly consent to their terms of service and privacy policies.
Privacy Policy
This new box is comprised of three tests:
- No-Log Policy
- Privacy Policy Audit
- Legal & Security Events
We compile research notes into the table and assign malus points based on an internal scoring rubric. The intention of these tests is to describe each VPN provider's policy landscape, allowing you to understand how much of your data the policies permit the provider to collect. Additionally, it helps determine whether the provider upholds these policies by evaluating independent audits they've published or any security events that have revealed the provider logs user information.
No-Log Policy
For this test, we closely read all privacy policies and no-logging policies provided by the VPN provider in their entirety. We look for any mention of data collection, data sharing with third parties, ambiguities in the language, tracking, and if there's a date of modification. If a VPN's policy states that the company can log your traffic and share your personal information with third parties, that undermines your anonymity and privacy.
Privacy Policy Audit
This test evaluates any audits of the privacy/no-logging policies conducted by independent third parties that the VPN provider has published. We evaluate the frequency, scope, amount of time dedicated to the audit, the level of access auditors had, and the quality of the reports themselves. Many VPN providers publish audits that are of little substance, allowing them to boast about them in their marketing. Therefore, it's essential to understand the quality and content of any audits.
Legal & Security Events
This test evaluates any past data breaches, leaks, exploits, or vulnerabilities the VPN provider has had. If such incidents have occurred, we detail what happened, what caused them, the consequences for users, and how the VPN provider responded. If a VPN's servers were hacked but the bad actors were unable to obtain any data, it helps to prove any claims the provider makes about not storing user traffic logs.
Company Practices
This box comprises 6 tests:
- Parent & Affiliate Companies
- Marketing Claims & Practices
- Communication Transparency
- Security Audits
- Privacy By Default
- Terms Of Service
Much like the privacy policy tests, we evaluate each category and assign malus points using an internal scoring rubric. The intention behind these tests is to provide an understanding of how the VPN provider's business is structured and operated, allowing you to determine if it's worth trusting.
Parent & Affiliate Companies
We note who owns the VPN provider, if there are any other VPNs or VPN review sites under the same corporate umbrella, and whether the individuals steering the ship are known for their questionable or problematic behavior. This information reveals conflicts of interest and helps you understand who operates the VPN service you're entrusting with your internet traffic.
Marketing Claims & Practices
We note how the VPN provider conducts its marketing, and penalize it for making false claims or hyperbolizing the need for using a VPN. We also evaluate if the provider uses sleazy or annoying tactics to keep you subscribed as long as possible. A VPN company's approach to marketing can help you understand how much it respects its users.
Communication Transparency
We evaluate how the VPN provider interacts with its users and how transparent it is about what's happening behind the scenes. We examine how the company responds to official legal complaints, whether they have transparency reports or warrant canaries, and how transparent they are overall. It's essential to understand how a VPN company communicates with its users in the event of any future issues.
Security Audits
Much like with the privacy policy audits, we evaluate the quality of any third-party audits that the VPN provider has commissioned for its technical infrastructure, so you can understand how the provider addresses security.
Privacy By Default
This section notes if there are any privacy-enhancing features that aren't enabled by default in the VPN software, or if there are any optional telemetry settings that are enabled by default. Most users don't adjust default settings, so leaving optional tracking on by default is a sneaky way to collect more data.
Terms of Service
Much like our privacy policy assessment, we carefully review the VPN provider's terms of service and note the conditions you must agree to in order to use the VPN. We note what the terms allow the VPN provider to do with your data, how long they can retain it for, whether you can opt out of data collection or sharing, what happens in case of legal disputes, and whether the terms are written clearly. The terms of service are important because they are legally binding, and you have to agree to them in order to use any service. The terms stipulate how a VPN company handles your data, so the less power the terms of service give them, the better your anonymity will be.
Private Browsing
This usage comprises the Policies & Practices performance usage, the Security performance usage, and the Registration test. It's designed to assess whether the VPN provider can keep your internet traffic securely encrypted in the VPN tunnel, and how trustworthy they are based on their privacy policies, business practices, and prior conduct.
Policies & Practices
This performance usage comprises the scores from the Privacy Policy test and the Company Practices tests, and is designed to summarize our findings from those tests.
Let us Know What You Think!
Your feedback is instrumental in helping us improve our testing. If you have any comments, questions, or suggestions about this or future updates, let us know in the comments or send us an email at feedback@rtings.com!
13 VPNs Updated So Far
We are retesting popular models first. So far, the test results for the following models have been converted to the new testing methodology. However, the text might be inconsistent with the new results.
- ExpressVPN
- Hotspot Shield
- Hotspot Shield Free
- IVPN
- MEGA VPN
- Mullvad
- NordVPN
- Private Internet Access
- Proton VPN
- Proton VPN Free
- Surfshark VPN
- Windscribe
- Windscribe Free
7 VPNs Planned To Be Updated
We are also planning to retest the following products over the course of the next few weeks: