It’s one of the most-asked questions to The Washington Post’s Help Desk: Do I need a VPN — and if so, which one?
There’s just one problem: There are hundreds of VPNs, and some of them are snake oil. Many over-promise, making you think your activity is more hidden than it really is. Some may market themselves as free, but covertly mine your Web surfing for profit, or hand it over to the government. Constant industry consolidation means a VPN you trust today might be shady next month.
And to make matters even more confusing, some VPN reviews are just paid promotions. “We’re highly concerned that this deceptive advertising is giving abortion-seekers a false sense of security when searching for abortion-related care or information,” Rep. Anna G. Eshoo (D-Calif.) and Sen. Ron Wyden (D-Ore.) wrote in a recent letter to the Federal Trade Commission.
The short answer: Be especially suspicious of any free VPN. And three particular paid VPNs do a better job at earning our trust, according to researchers at Consumer Reports and the Freedom of the Press Foundation who each recently conducted independent reviews of the market. They are:
- IVPN, which costs $5 per month with a year-long plan.
- Mullvad, which costs five euros per month (currently $5).
- Mozilla VPN (from the makers of the Firefox browser), which costs $5 per month with a year-long plan.
These aren’t necessarily the VPN brands that do a lot of advertising. If your current VPN isn’t on this list, it doesn’t necessarily mean you have a problem — but definitely keep reading.
Before you download anything, we should have a conversation about whether you even need a VPN. Reader Lev Raphael from Okemos, Mich., asked us the most important question: “How much protection, if any, does using a VPN offer?”
Not as much as you might think. What a VPN does is act like a tunnel between your computer and the internet, keeping your service provider from seeing what you do online and also obscuring your internet address from the sites you visit.
If your concern is being spied on by Big Tech companies such as Google, a VPN won’t help much: Once you’re logged into their services on your phone or laptop, they can still track you around the web.
Okay, Google: To protect women, collect less data about everyone
There are lots of other steps I’d recommend to improve your privacy and security before getting a VPN. Start with our super handy step-by-step guides to privacy and security basics. And if you are specifically concerned about keeping reproductive health information private, this guide will take you through the critical considerations.
With that out of the way: A VPN can be useful if you want to hide what you’re doing online from your ISP or secure the data flowing back to your computer. ISPs can amass large pools of sensitive information, even in the United States. Just know that hiding from ISPs has become a bit less necessary in recent years as more and more websites and apps have started to encrypt their traffic. (Look for the little lock logo next to the web address.)
A VPN could also be useful if you’re on a public or insecure network or if you’re in a place where the internet is monitored and censored (like your school, office — or China). Some people also use VPNs to access overseas video streaming services with geographic restrictions, known as “geoshifting.”
What makes a trustworthy VPN?
“Picking a VPN is about picking a substitute for your internet service provider — one that you’re going to be trusting your information to,” said Kendra Albert, a clinical instructor at Harvard Law School’s Cyberlaw Clinic.
The problem is too many of them say, effectively, “pinky-promise just trust us.”
So we owe a debt of gratitude to recent investigations by Yael Grauer from CR and David Huerta from FPF. Studying many of the popular VPNs, they tried to see which ones made privacy and security claims that could hold up to scrutiny. Most could not. That doesn’t mean they’re necessarily insecure — it’s just that it’s hard to know.
Both researchers agreed Mullvad, Mozilla VPN and IVPN did a better job. There were five big technology and policy factors that make them appear more trustworthy.
- They don’t log your activity. These three take the extra step of minimizing information about their users. If a company doesn’t have data about you, it can’t sell it or have it stolen. It also can’t hand it over to the government.
- They take advantage of the latest and most-secure tech. All three use an underlying communication protocol called WireGuard.
- They conduct (and make public) regular outside audits. These services let security professionals regularly study their systems to make sure it does what they claim it does. Then they publish the reports: Here’s Mullvad, Mozilla VPN and IVPN.
- They don’t oversell: These three “don’t pretend to offer a higher level of service than they really do,” Grauer said. Some 12 of the 16 VPNs she tested weren’t totally honest, including saying they offer “military-grade” encryption — a thing that does not actually exist.
- They have a kill switch. This can make sure your internet traffic doesn’t inadvertently leak if your VPN connection fails (which can happen from time to time).
Are there any important differences between the three recommendations? Mullvad and Mozilla VPN are essentially the same where it matters: Mozilla outsources its servers to Mullvad, though their app designs and payment systems are different. Mullvad doesn’t accept recurring subscriptions, because it says having “a long-lasting link to your bank account — and therefore to your identity” is a privacy risk. Mozilla’s VPN can also integrate into some nifty privacy-protection features of its Firefox browser.
IVPN takes a few extra steps of its own: All the tech to operate and maintain its apps, infrastructure and administrative processes is hosted on its own servers. That means less chance of an unexpected leak.
Just keep in mind, these are the recommendations in 2022. “The results may be different next time we evaluate,” Huerta said. Reports like this are raising the bar for VPNs to compete on privacy and security, rather than just price, so more could join the recommended list.
What if you’re just trying to stream video?
In my tests, all three of these services were simple to set up and use, but one big issue came up: I couldn’t stream video. With any of these VPNs on, Hulu pops up a message that reads, “Hulu is not available in your region, or you may be using a VPN.”
In recent years, streaming services looking to curtail global use have developed better technology to detect a user’s location. If you’re less concerned about privacy, you may be able to find different VPNs that might work … for a while. “It’s like a game of whack-a-mole,” said Grauer. But this problem is not unique to just these three or more privacy-focused VPNs.
Even if your priority is streaming, not privacy, you should keep your guard up. The most suspicious VPNs are often ones that claim to be completely free. They have to pay the bills somehow, and your personal information might be how.