A few friends have asked me for recommendations recently so I thought I would write a guide with recommendations and explain why I chose them.
- Vpn.AC – fairly cheap, good speeds, does not spy on you
  - downside: does log time, IP, and bandwidth, but not actual traffic
- Mullvad – fairly cheap, takes anti-spying very seriously, anonymous payment
  - downside: does not support easy payment methods such as PayPal. Your best bet is to buy bitcoin, which is easy but an extra step.
The basis of my recommendations:
- Threat model: your threat model defines who you are hiding sensitive information from. If you are at a US university, the university is legally required to log information about the internet traffic you generate; that is, it is mandated to spy on your browsing history, and some people may not like the websites you visit. Even if you are not at a university, internet service providers will soon be legally allowed to sell information about you and your browsing habits to advertisers, and that is creepy. Even if you “have nothing to hide”, this information is still valuable to bad guys who want to know things like the name of your dog or your mother's maiden name. That information is valuable for password reset security questions and for stealing your identity. This guide should cover most threat models. Personally, my interest is in hiding from advertisers and the government.
- Is the provider based in a Five Eyes or Seven Eyes country?
  - Five Eyes / Seven Eyes / Fourteen Eyes are international spying alliances whose member countries spy on their citizens. If the information is stored, it can either be used for immoral purposes or it can be hacked and stolen.
- Does the provider store logs?
  - If the provider logs things like your IP, the times you were logged into the service, the bandwidth you used, or the websites you visit, that information could be either sold to creepy advertisers or hacked and used against you. You are paying for the product; you should not also be the product.
- Does the provider put policies in place by default to avoid leaking data?
  - A misconfigured VPN can leak DNS queries. DNS is the mechanism by which your computer translates a domain name (google.com) into an IP address (220.127.116.11). Providers should force DNS traffic through the VPN so that your university, ISP, or other DNS provider cannot see the websites you visit.
  - Misconfigurations can also leak WebRTC traffic, which exposes a permanent token that can be used to track your web browsing.
- Do policies require full disclosure?
  - This basically means that the VPN provider promises to always make a public statement when they receive a legal order for user data, or when they have a security breach.
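A quick way to check the DNS-leak point above on your own machine: look at which resolvers the system is configured to use and whether each one sits inside the VPN tunnel or on the local network. The script below is an added example, not from the original post or from either provider; the resolv.conf contents, the tunnel subnet (10.8.0.0/24) and the LAN subnet (192.168.1.0/24) are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: /etc/resolv.conf as it might look with a VPN up while the home
# router's resolver is still listed. Real files vary; this is for illustration only.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.edu
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 9.9.9.9
"""
# Assumed for the example: the VPN tunnel subnet and the local LAN subnet.
TUNNEL_NETS = ["10.8.0.0/24"]
LAN_NETS = ["192.168.1.0/24"]


def parse_nameservers(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text, skipping comments."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(text: str, tunnel_nets: List[str], lan_nets: List[str]) -> Dict[str, str]:
    """'tunnel': inside the VPN subnet, so queries stay in the tunnel.
    'lan': local network; the LAN route beats the tunnel, so queries go straight
           to the ISP/university resolver (a DNS leak).
    'public': Internet resolver, tunnelled only if the VPN owns the default route."""
    tunnels = [ipaddress.ip_network(n) for n in tunnel_nets]
    lans = [ipaddress.ip_network(n) for n in lan_nets]
    labels: Dict[str, str] = {}
    for server in parse_nameservers(text):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            labels[server] = "invalid"
            continue
        if any(addr in net for net in tunnels):
            labels[server] = "tunnel"
        elif any(addr in net for net in lans):
            labels[server] = "lan"
        else:
            labels[server] = "public"
    return labels


def has_dns_leak(text: str, tunnel_nets: List[str], lan_nets: List[str]) -> bool:
    """True when at least one resolver would be queried outside the tunnel."""
    return "lan" in classify_resolvers(text, tunnel_nets, lan_nets).values()
```

On a real system, feed it the contents of your own resolv.conf (or the output of your resolver status tool) plus the subnets shown by your VPN client and `ip addr`; a 'lan' result is exactly the leak the provider's policies are supposed to prevent.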
A huge comparison chart of VPN providers is available here; it covers a much larger list of issues and providers, so you can do your own research and make your own choice.