
Can a New Alliance Help VPN Companies Prove Themselves Trustworthy?

After recent confidence-eroding breaches, VPN providers are banding together to form a "trust initiative." This is the industry's much-needed chance to prove it's a safe guardian of customers' sensitive information, explains security expert Max Eddy.

By Max Eddy
December 19, 2019
VPNs Have a Chance to Prove Themselves

I've covered the VPN industry for several years now and the experience has, occasionally, been quite frustrating. Measurements of quality are often contradictory and vague, and some companies are opaque about their practices. The solution I have offered up, repeatedly and to the faces of many a founder and CEO, has been the creation of an industry group for VPNs. On December 11th, some VPN providers joined together to do just that.

The new group has dubbed itself the VPN Trust Initiative (VTI), which sounds a little bit like some kind of infection, but branding is always difficult. The VTI is organized under the Internet Infrastructure Coalition (i2coalition), itself a trade group primarily of web hosting providers, registrars, and so on. As of this writing, the group includes ExpressVPN, NordVPN, Golden Frog VyprVPN, Surfshark, SaferVPN, StrongVPN, IPVanish, Encrypt.me, and WLVPN.

Note that Encrypt.me, WLVPN, IPVanish, StrongVPN, and SaferVPN are owned by NetProtect, which is owned by j2 Global, which in turn owns Ziff Media Group, the publisher of PCMag.com. Despite the corporate connection and my own advocacy for such a group, I have no involvement in VTI and was not consulted in its creation. I read about its creation for the first time in a press release—which is exactly how I want it.

In that press release, the newly minted organization explains its goals as follows:

VPNs need to follow best practices to ensure the safety of their users. The reputation of this important technology rests on VPNs following technical and ethical best practices. The VTI gathers VPN insiders and aligns industry voices to advocate, create, vet, and validate industry policies and guidelines that ensure trust in the VPN marketplace and promote constructive self-regulatory practices to best serve consumers.

Why We Need (Something Like) This

VPN technology had been around for years before cheap cloud hosting, affiliate marketing, and generalized global paranoia coalesced to make selling VPNs really profitable. This ignited a wildfire in the industry. Sleepy VPN companies suddenly snatched up more customers and ballooned in size. Case in point: In 2016, NordVPN only had 3,000 servers. In 2019, that number has nearly doubled to 5,367 servers.

But it wasn't all good. New VPN companies started popping up like mushrooms after a rainstorm, and some disappeared just as quickly. A few turned out to be outright scams, not encrypting user traffic at all. Others were guilty of misinformation tactics. And around it all a massive ecosystem of "review" blogs grew up, each vying for a slice of the affiliate pie, and not always with ethical practices in mind. There have also been data breaches and stories of shady practices from within VPN companies themselves.

This bad behavior compounded a fundamental problem of VPNs: They are black boxes to users. It's difficult for a person to tell if their traffic is being encrypted. It's impossible for a person to tell if companies are respecting their privacy, handling their data responsibly, correctly configuring servers, and so on. The industry has made some effort towards accountability, like by commissioning third-party audits of their services. But without a shared framework, it's not always clear if these audits measure anything useful at all.


The end result has been a morass of confusion around not only which VPNs are trustworthy, but what even defines that trustworthiness. The entire concept of VPNs is under threat of becoming so confusing and toxic that consumers may start avoiding them altogether. Much like a couple having a loud, angry fight on the street, it feels safer and easier to just ignore it and keep walking.

Forming an Alliance

My hope has always been that, eventually, some VPN companies would realize that their industry was at risk of eating itself alive. Instead of attacking each other, I hoped they would recognize that they all share the same goal—protecting people—and start holding each other to higher standards. The antivirus industry managed to do this years ago, and most now share information about particularly nasty threats amongst each other, rather than trying to undercut competitors at the cost of people's safety.

I reached out to the VTI to get more information about its goals regarding transparency and security for the industry, and was connected with i2Coalition Executive Director Christian Dawson. Dawson told me:

The companies that have joined this initiative did so because they know that their users will benefit from increased industry dialogue around principles and norms. The goal isn't simply to be a singular voice for the VPN industry; it's to get down to the nitty-gritty of ensuring the industry is taking responsibility and holding itself to a strong set of principles. As a group, we are focussing our efforts on defining industry principles, and ultimately drafting a set of principles to guide leaders within the VPN industry and working towards effective industry self-regulation. We are engaged in active discussions about transparency and privacy protections, as well as important issues such as disclosure, security, and advertising practices.

I have no idea if the VTI will manage to actually change the conversation around VPNs, but I have some hopes for what it, or some other VPN group, might accomplish.


Any group like VTI needs to set clear, understandable standards for technology and implementation. It should be understood what the acceptable way to set up a VPN service is, and that method needs to be validated by experts outside the VPN industry. With standards in place, individual companies can simplify their messaging to consumers: this is what the standard is, this is who defined that standard, and we are meeting it.

We also need clear guidelines for how to best preserve user privacy and protect customers' data from both attackers and law enforcement. This includes not only technology and best practices, but also policies. When I review a VPN, I have to wade through complicated privacy policies and terms of use to learn what information is gathered, how it's handled, and what efforts are made to protect it. I shouldn't have to do that, nor should I have to wonder whether a company is actually following the rules it set for itself.

Lastly, VPN companies need to agree on standards of transparency. It should be easy to find out which VPN servers are virtual and where those servers are located. It should be easy to find out who owns a VPN company, and where it's located. It should be easy to find reports on how many requests for information a company received from government agencies, and how much information was disclosed as a result. It should be standard practice for companies to disclose breaches and security issues in a timely manner.

Is that all the industry needs? Probably not, but it would be an excellent start. With clearly defined standards, third-party audits could have far more weight and be easier to understand.

Careful readers will notice that VTI talks quite a bit about engaging with government to craft regulation, as well as self-regulation. There's certainly room for skepticism about any industry regulating itself, or dictating the terms of government regulation of that industry. However, the US government and others have often shown themselves to be if not actually ignorant of how technology works, then actively working to erode the security and privacy of individuals. The renewed push for access to encrypted messaging is just one example of why the government doesn't always know best.

Tools for Users

An important point that's not mentioned in any of the available information about the VTI is user verification. Right now, there's no easy, practical way for a customer to verify that their information is being properly encrypted by the VPN—the most basic thing that a VPN must do. Sure, they could use Wireshark to perform some packet interception and analysis, but that's not something the average person (or even an experienced reviewer) should be expected to do.

The Anti-Malware Testing Standards Organization (AMTSO) is similar to the VTI in that it exists to foster trust in the antivirus industry. They've done a lot of work to that end, but I'd argue their most useful contribution was creating a series of tests that anyone can use to verify that their antivirus is actually doing something.

For example: antivirus companies agreed to detect the harmless EICAR file as malicious. That might seem counterintuitive, but it lets people confirm that their antivirus software is doing anything at all. Simply download the file, and if your antivirus flags it then you know it's more than just a bunch of fancy graphics posing as antivirus.

VPNs need a similar tool. Something simple that any person can use to verify that, yes, in fact, their data is being safely encrypted.

I asked Dawson if these kinds of tools were on the VTI's roadmap. "To date, we have not discussed the development of industry toolsets that would be operated through the working group," Dawson wrote. "That being said, we are at the early stages of this endeavor."

"As the group gets closer to completing the first generation of its principles, discussions will also move on to how we can empower users with an understanding that the VPN provider they have chosen is one that adheres to those principles," wrote Dawson.

It's On Them

VTI is an opportunity for the VPN industry to finally define itself in professional terms, but that means taking responsibility. Creating a trade group is the first step. Now, VTI and its members need to follow through. A next step might involve getting more companies on board. I have reviewed over 30 VPN services, and have a list of 56 other companies that have contacted me for a review. The VTI has some big names attached to it, but still only represents nine brands—several of which are part of the same corporation.

It will take many more companies for the VTI to prove that it can be valuable, and not just an empty gesture. Here's hoping they can do that.


About Max Eddy

Lead Security Analyst

Since my start in 2008, I've covered a wide variety of topics from space missions to fax service reviews. At PCMag, much of my work has been focused on security and privacy services, as well as a video game or two. I also write the occasional security columns, focused on making information security practical for normal people. I helped organize the Ziff Davis Creators Guild union and currently serve as its Unit Chair.
