Virtual Workshop - VPNs
Published June 19, 2023, 8:20 a.m. by Monica Louis
Do you use a Virtual Private Network (VPN)? More people are turning to VPNs to boost their privacy and security but as more VPN services become available, we’ve learned that not all VPNs are created equal. Consumer Reports evaluated the privacy and security of 16 top VPN’s to understand how they protect your data, or potentially share your data without you knowing.
Join us as we talk to the lead investigator, Yael Grauer, to discuss the findings from our recent report and how you can pick the best VPN to keep your data safe.
You may also like to read about:
all right let's go ahead and kick off
welcome everyone to the consumer reports
digital wellness webinar
we're going to be talking today uh about
the marketplace of vpns to help you
understand first of all if you need one
and then second of all if you do which
one you should pick from the large uh
number of options available to you
so today we're going to give you guys a
little bit of uh introduction to who
i am and some housekeeping uh we're
going to do a
overview of what a vpn is and how one
works we're going to get into the vpns
we tested how we tested them and what we
learned from testing them and then we're
going to drop in some recommendations
for you all to operationalize and then
hopefully get a time to take all of the
excellent questions that are already
rolling in i'm very excited to see the
hefty level of engagement although i
expect nothing less from y'all who have
been coming to these webinars over some
time uh so before we get into any kind
of housekeeping i would love to
introduce the star of today's show um
yell you want to come off mute and tell
people uh who you are and
why vpns are of interest to you
sure hi everybody i'm yael i'm an
investigative tech reporter consumer
reports
and i work on a tool called security
planner and i started looking at vpns
for a really long time back when i was a
freelancer
and um
looked at some of the difficulties in
evaluating them so i was really excited
to work with steve blair's cr in kind of
looking into some of the issues and
figuring out what recommendations we can
make
and we're really excited to jump in with
you so thank you for being here thank
you for the report
so uh just a bit of housekeeping before
we go back to yale and hopefully she'll
do a lot more talking than i will over
the next little while um but
just uh some housekeeping information
we're going to be diving in deep with
vpns today we're not going to hold back
which might mean there's a bunch of
acronyms that come flying by if this
feels like you're in the deep end uh
just flag things as they happen we'll
try to explain them as much as we can
the q a is your friend in this regard we
will do our best but we also do want to
give people who have technical knowledge
as much information as we can today so
be forewarned um we are recording this
which is good news for everybody here it
means you don't have to get everything
on the first draft so we're recording
which means that we will be um sending
around a recording of this video and all
of the links and ideas that we have here
to everyone who has signed up
we will also
you should have closed captioning
available at the bottom of your screen
which
might help with the information as it
speeds by you should be able to toggle
that on and off um as i've been saying
q a is available to you and i see lots
of q a already popping up as is the chat
so please take advantage of both of
those opportunities today we will be
using chat to drop a lot of links in
that kind of backup or give more context
to the things we're talking about
finally i want to flag that we um this
is a part of a ongoing digital wellness
discussion
so we have a lot of other past digital
wellness webinars that should be
available to you
on our website if you want to go back
and see past things like we did about
what is broadband and how does it work
or uh
how to use a password manager things
like that have been part of the stuff
we've worked on in the past i also want
to spend a little bit of time
on
some ground rules for today's
conversation
we ask that everyone here assume best
intentions and that means of the
participants your fellow participants
of the volunteers you may interact with
here and of course of the speakers
myself and yael
and other cr staff we ask that you be
mindful of uh understanding
um that fellow participants are coming
from very different experiences some of
you may be vpn experts some of you may
be just dipping your toe in the water
there are no stupid questions please
also remember to speak with your own
perspectives and stories and refrain
from any kind of personal attacks and i
would just say
by attending this webinar you are
agreeing to these ground rules and this
means that if you don't adhere to these
rules for whatever reason we do a
permission term with you from this
discussion that's not going to happen
today but it's likely it's just nice to
get that out of the way early
so
let's talk about vpns
we are here today because of a new study
that yale uh has helped write and in
fact
i should i should
remember to introduce steve uh steve
blair is the person who you're going to
be getting a lot of your questions
answered from in the q a and steve was
was the
person from our testing team who helped
put all this together we have a new
report
a new study from consumer reports which
tested the privacy and security of 16
different vpn services
as they ran on windows 10.
i think essentially our study confirmed
what many security experts have said for
years that the industry's privacy and
security practices
don't always live up to its marketing
and that
the
marketing uh for vpns has outstripped
their ability their technical ability in
in different ways so we're going to be
diving into that and we'll give you a
sense of all the different
vpns we tested uh how they stacked up
and what we used um to
decide uh on our on our criteria about
how to test them
but
hopefully you'll walk away today
with a better understanding of whether
you need a vpn or not and if you do need
a vpn um which vpn might be right for
you
okay i've said the phrase vpn um maybe
30 times so far
yeah what is a vpn
sure um yeah a vpn is a service that
routes the data sent to and from your
computer or phone through the vpn
servers or servers it rents so it can be
used to hide your web traffic from your
isp but the vpn actually sees that
traffic so basically you download some
software on your device and when you're
logged in the vpn gives you some
protection when you're using the free
wi-fi at an airport or a library or a
coffee shop it makes it harder for the
network administrators to see what
you're doing online
and we're already sort of getting
questions lots of different questions
about different
uh platforms that vpns are used on can
you tell us a little bit we tested
everything on windows 10 but vpns work
with uh basically any device that
connects to the internet
yeah there's vpns that are available for
your phone and and for macs
etc
we did test them on windows 10 but when
we looked at the documentation that
would be the same for if if that service
is also available
um on you know ios or android or on a
mac
um
so we're talking about that particular
tool as a as a as a way of um
understanding
who we have on the call today and just
getting a sense of people's current
versions your expertise what you
already know about i'm gonna do a you
should have a poll popping up on your
screen right about
now
um do you use a vpn uh and kind of a
little bit how you use a vpn do you use
it for personal reasons is it something
that you use for work i myself just
turned off my work vpn to join you all
today just to make sure that my traffic
was running as smoothly as possible so
my witticisms wouldn't get lost over the
internet um but yeah this is a
thoroughly unscientific poll just to
give a sense of who we're talking about
today
and if you don't see a poll on your
screen don't worry too much about it you
can just jump in the chat and answer the
question
um
looks like we got a pretty uh
you know looks like on total about if i
can do this quick mental math it's
looking like about 40 percent of people
on the call today use it in some way
shape or form
um a lot of personal reasons
maybe 50 50 55
don't use one
this is very useful and it will help us
as we go but the good news here for
folks i'm going to end this poll now
and share with you what we think we
learned um is that you know we'll have
some space for all of you to plug in if
you're working if you're using one will
tell you more about how you should be
thinking about your vpn if you're not
using one we'll try to help you figure
out if you should be and how those how
those vpns work
i want to move right along
to
our next
poll this is a true and false question
um
true or false
a vpn will ensure you remain 100
anonymous online and no one can see your
data
let's see how well you guys trust your
vpns this is a question of understanding
how a vpn works and what a vpn does
i think a lot of you are guessing that
anytime we ask a true false question
here at consumer reports we're doing
that to teach
a lot of you are saying false
and i think that as this is a thoroughly
unscientific poll i will go ahead and
close it there
86 percent of you said false uh that is
correct 100
um there's almost nothing on the
internet when you can say with 100
certainty it's a silver bullet that will
protect you in all these different ways
um and vpn is one of those things it's
possible that your vpn service provider
and its business part uh will it
certainly will not make you anonymous
and what it will do in some cases is
hide what you're doing from your isp but
it will not uh it is not a silver bullet
and we should not treat it as such
um
yeah anything to add to
this question of what a vpn does or
doesn't do here
yeah totally i think that um there's uh
other ways that companies can track you
so a lot of people think that using vpn
will make you untrackable but there's
actually it's not just your ip address
that is used to do that
there are other other ways other things
that people can do
so all right i'll keep trucking here um
you know tell me again who is the who is
the ideal candidate for a vpn
who should be thinking about themselves
like i need one of these sure so i think
i think the most important thing is if
you already are doing things that will
protect you more broadly like if you
already have a password manager and use
multi-factor authentication and then you
just want like a small layer of
protection in addition to that or if you
know the network administrator
of where you're using the internet and
you want to make sure that they don't
see what you're doing online i think
that would be a really good use case but
for people who just want a layer of
privacy and security and are not doing
those other things i would definitely
say to do those first
i was talking to uh
ah thank you m uh in in in chat here
someone is
noting that i said isp that is a
internet service provider so that's who
that's the the person who or the company
that actually connects you to your
internet
um
so
a lot of folks i think view
maybe some of you on this call view vpns
as something that will improve my
security online and what i just heard
you saying yeah is yeah that's kind of
true but it might it probably shouldn't
be your first line of defense and there
are other things that if you're just
generally a privacy
or security conscious person there are
other things that you can do that are
probably more important to your
digital anonymity is that right
absolutely yeah and there's a question
actually that steve answered in the chat
about
like do you need to
use a vpn for your bank website and bank
websites already have https which is the
secure version of http so using a vpn
won't actually add extra protection to
that already so in some cases the type
of protection people want you're already
getting
um and i think you know if if people uh
well i guess
this is a uh
for most of the rest of this call we're
going to help people kind of open up the
marketplace of vpns and talk about what
is or like
what um
you know if you've decided you do want
one how to know if it's a good one
uh but is there anything else that that
you think like you like to tell people
as a as a sort of expert in these things
who are saying
i'm not sure if i need to vp if you're
saying i'm not sure is that is that the
same as saying you don't need one
well i usually ask people what do you
want a vpn for and if they can't answer
that question or if they just say oh i
just don't want to get hacked
you know um then and they're not using
these other steps then i'm like there's
other things that'll solve that problem
i do think yeah that makes perfect sense
to me and i do think there's a lot of
confusion just in general about um
all of the different types of security
and ways to keep yourself secure online
um and we're trying to differentiate
here very particularly just virtual
private networks
not
uh
many of the other things that might
might
be part of the puzzle of keeping
yourself safe so i would invite people
we're already seeing a pop in
conversation in chat and in q a this is
great we love it when you all share
information with each other and
knowledge with each other um
i'm not going to be able to get into
password manager recommendations right
now but i would say maybe amira can drop
this
this link in the chat we've had a full
conversation about password managers
which is up on our website and not right
now you should stay tuned with us right
now but maybe later you could go back
and watch more about password managers
and a couple of our other ways of
getting into this security question
so
if you've decided a vpn is right for you
um why is it so dang hard to pick a vpn
well uh there's been a huge rise in
consumer demand um and
people are much more concerned about
their privacy online than they have been
for a long time so people have been
turning to vpns as this extra layer of
security
sometimes when they need it and
sometimes when they don't but the
increase in demand has led to an
explosion of options in the industry um
mid covid19 crisis the global market for
vpns
estimated at 32 billion dollars and
that's in 2020
and is projected to to reach a size of
77 billion dollars by 2026 so it's going
up like crazy and that growth has meant
thousands and thousands of maybe not
thousands maybe hundreds and hundreds of
vpns available on the market um
so all those different options has led
to a bunch of confusion pricing is very
different across the many services it's
hard to gauge how much a vpn should cost
how much is too much how much is too
little um and it's important to note
that there aren't any regulations on
vpns or the industry
as a whole and i think part of you know
i think part of your project is to say
hey maybe there should be and these are
what they should be right
yeah and then just kind of looking at
some of the marketing claims and how
accurate they might be and could they
are people getting a good idea of what
vpns actually do based on that
so let's get into how we selected the
vpns we chose um tell us about security
uh vp analyzer
yeah we used we used
the vpn analyzer tool that we uh
featured on our our webinar last year so
that was fun shout out anybody in chat
were you here last year and visit have
you have you come back for a second
conversation about vpns just say hi
and then uh we looked at we looked at
16 vpns more closely based almost
entirely on market share and we looked
at their security practices
is there data being leaked that made it
vulnerable to criminals or other
attackers we looked at the privacy
policies
and how personal data might be used
obviously people who want a privacy
product are concerned about how the
companies themselves like who they're
sharing that data with and then we
looked at some of the like i mentioned
the consumer oriented language on the
vpn's website
was there hyperbole were there
unrealistic promises
if people take it all at face value
would they think they had more
protection than they really did
um
to answer pamela's question we're going
to be going in in this webinar to the 16
of the 51 that we tested that we uh dove
further into so the vp analyzer we used
to sort of screen a bunch of different
options and then for this report we
really dove into the 16.
but there is some information in the
report i think about some of the other
ones we didn't necessarily run through
the rigorous test
my goal here for everyone is to leave
understanding
if your vpn is not on the list of the
16. um
what criteria yell and steve at all used
and how you could bring that criteria to
bear um on your own work but yeah tell
us about the digital standard and why
this is sort of important to setting
um
boundaries for the vpn industry and then
other industries online to follow
sure yeah so we used the digital
standard in our evaluation um
and we we looked at uh you know the
security and privacy of these uh because
signing up for a vpn that's not doing a
good job can actually make your private
data less safe not more and so we
thought it was really important to use
these uh standards in our rankings
um can you tell us like kind of what you
like uh how do i phrase this question
from a large picture perspective about
the the um
the digital standard
uh what kind of things do you think are
the most important that industry is not
doing right now
like what
that industry's not doing there was a
there was a a lot actually
um
i just get to pick one yeah i mean i one
of the ones that kind of stood out to me
is that even though a lot of vpns made
it possible for uh
uh security researchers to report
vulnerabilities they didn't have a
timeline in which they would review
those bugs and only a like a small
amount of them said they wouldn't sue
people
uh unequivocally for making those
reports so that i found that concerning
um there was some stuff about like not
like they didn't say whether they would
share data in case of a bankruptcy or
acquisition
things like that
so we are
um
going to get into all the ways we did
test vpns but we didn't test everything
uh so for vpn experts on this call
yeah what did you not include in our in
our set of of options here and kind of
maybe if it's interesting to you what
what kept you from including these
issues sure well we really focused on
privacy and security so we didn't
actually look for performance or speed
um a lot of people use vpns or try to
use vpns for geoshifting so they want to
see
you know tv from another country and
that's something that i've tested in the
past that didn't work consistently and
it's not something we looked at and then
there was a lot of stuff that we wanted
to look at that just wasn't possible
like we don't know
even if we didn't find evidence for
logging or like data being shared with
advertisers it could still be happening
um so unfortunately no matter how
rigorously we validated them we can't
say for certain whether vpns are doing
bad things with the data users give them
and then we didn't actually look at just
because we have limited you know time
and bandwidth we didn't look at hosting
providers and third-party partners and
and things like that um and you know we
didn't have access to the actual servers
so
um we don't know if the vpn has settings
that could be you know modified or
logged in ways that we're not aware of
on the server side
and yeah and
ultimately
whenever
we when we are testing things at cr we
can only go as far as they as they let
us before we get to to
can't we can't get all the way under the
hood um
i want to pull something that i just saw
in q a out because i think it's a nice
uh callback to the question we were
already having about sort of who should
use a vpn and i saw something about this
in chat as well um
so russell writes i'm 85 years old and
pretty good health but i cannot go to
many sporting events um
we're in a blackout area for the seattle
mariners baseball team the seahawk
football team and the portland
trailblazers basketball team
uh and ms wendy as well as pacific 12
athletic events it seems that a vpn can
hide your location and we can receive
athletic events even played in their on
their home locations
um
so yeah if you're traveling and you want
to access things that
are inaccessible because of the country
that you're in or if you want to get
around local sports blackouts that's a
pretty good use case right
well some of these places block vpns so
it doesn't always work and even if it
works one day sometimes they catch on
so i don't know if it's something that
always works consistently unfortunately
so we can't we can't give that a full a
full bill of good health you try it
yeah
yeah yeah well hopefully they're not
learning too quickly all right here are
the 16 that we tested um
yeah uh how do we pick these these
sixteen it's not about market share
right yeah we picked both of these most
of these were based on market share yeah
and
we will get into this a little bit more
as we go but um
what should someone do
who is on this call right now who is
using a vpn
not on
that list
so one thing you can do is you can
if you decide you do need a vpn you can
consider changing to one of our top
three picks
or you can evaluate your own vpn based
on our criteria and see how they stacked
up and decide if that's something that
you're okay with keeping
and
yeah so
the the
the
criteria if we we will do our best to
explain how we did the testing so you
can maybe think about it for yourself
but
yeah we do have a three we recommend and
and generally that might be a good idea
to switch over
um
let's see here i want to keep rest of
any questions as we go
uh wendy asks will be receiving q a's
from the zoom session in the recording i
can't pay attention to the presentation
when i'm reading the q and a's apologies
for the amount of data and information
that we are trying to get you all to uh
open your brains up to at one time we
will be sending around uh the chat
and um
the uh the recordings of all the the
conversation happening here but we're
not able to save the q a
um
so i will do my best to vocalize as many
questions from the q a as i can so that
they are
grabbed for the historical record but we
can't necessarily promise to send around
all those answers i think we will cover
most of them live but there might be
some things that fall through the cracks
there
um
let's see uh and someone's asking the 16
that are on the screen right now let me
be clear uh these are just the 16 we
tested they are not in any order in
terms of uh preference yet
um so
how do we evaluate these things um
first of all as yeah has been saying uh
look out for sleeping claims look out
for big verbiage that uh they can't
necessarily
live up to any sort of
words or phrases that stick out to you
yell as things that are jumping up in
your in your mind oh yeah definitely i
think one of the phrases that's a red
flag is military grade encryption
uh but i would also what does that mean
nothing
yeah it doesn't mean very much
uh i'd also add like digitally invisible
untraceable anonymous anyone that
promises like absolute privacy or
uncrackable uncrackable encryption or
internet without surveillance or
anything that kind of makes it sound
like a vpn is magical fairy dust that'll
protect you from all the things
yeah that's yeah look out for anything
that's promising all the things um and
then also uh some of them were difficult
to cancel
yeah yeah we had a couple that you
either had to click multiple times or
you couldn't just click to cancel you
had to like send an email
uh did anyone did anyone win a badge of
dishonor for being particularly
difficult to cancel i'm trying to
remember the name of the ones that were
hard to cancel oh
i think steve looked at those
uh steve if you if if one jumps out for
you steve drop it in the chat yeah um
and then what when you're talking about
um
oversight uh
what what are you looking for when
you're hoping for oversight like what
does that mean for a vpn
sure so i want them to have um some kind
of internal audit and then an external
third-party audit so we look at
documentation so we look for them to
guarantee that they would do that in
their documents and then we also want i
touched on this little earlier
vulnerability disclosure program
that allows researchers to report
security issues they find directly to
the company so the company can fix it
before the bad guys find it
so that if they don't have that that's a
concern but we also want them to say
they won't sue security researchers who
tell them about these bugs and to have
a time frame to review the rewards
yeah so essentially being open to
criticism and having been used for
criticism to arrive
that's that's good that's good that
seems important um and
that does not am i correct in saying
that not having those oversight things
is not
it's not it's that's not proof of a
negative right it's not like necessarily
proof that they are
bad but it's one of the ways we look to
see whether they're doing all that they
can to be good right yeah exactly so
yeah it doesn't necessarily mean that
they're not doing this but uh oh and i
just looked up really quickly the ones
that were hard to cancel um
expressvpn had an unusual interface to
cancel you had to click off auto auto
renewal like three times
uh nordvpn
purevpn and surfshark made it i think
surfshark you had to actually send an
email in
um purevpn you had to create a support
ticket or use third party payment
processor and then nordvpn you had to
click multiple times and then
click on an email confirmation which
expired in 15 minutes so those were the
ones that were hard to cancel
yeah no need for those hoops
all right let's talk about privacy um
what kind what were you looking for in
terms of things that are
that fall under the privacy heading
um
so we looked for um
there was there was a lot like we looked
at data sharing um
like do you say you won't sell rent or
share personal data unless you need to
to complete the service and like define
what information you do share and who
you share it with
um so we looked for that we also looked
for um
like can users get all the private and
public data the company holds on them
and
do they delete outdated or unnecessary
information when they you know either
when you cancel or when they no longer
need it that kind of thing
and then
do
how much were you able to see like
their their data storage where how they
were storing data whether that was
secure as secure as you'd like it to be
uh the data storage i don't we one of
the things that i thought was cool
actually there was one one vpn that
stood out which was ivpn because they
said that no third parties had any
access to their data and everything was
hosted on their own servers
and in that case sort of in the in the
world of consumer reports rankings can
we just we can just sort of give them
binary scores on this right like yes
you're doing this no you're not doing
this
yeah well there was a lot of different
specific yeah there was a lot of
different categories that yeah they had
like yes or no scores like yes we commit
to not but there was some great asia too
where it's like uh
some of them might i'd like vaguely to
find that third parties they share with
and others might define them more
specifically or list them
what were um
data control practices that you really
worried when you saw them
um
if you couldn't get your own data
if they didn't list the types of data
you could get
if they didn't promise not to collect
information from third parties
um
that kind of thing or if they said like
yes you can get your data but only if
you live in california or the eu
right interesting
so that's basically uh because we're
legally obligated to give you your data
but otherwise we're not going to bother
right yeah i guess that's more data
retention
right right these all work together so
any did anybody did anybody do well in
the data control and data retention like
could stand out
um i thought like movab movab did really
well because they don't have data to
hand over including cookie data because
they auto delete everything as soon as
the browser closes unless you're using
stripe which you didn't have to do so i
thought that was really cool and then um
they they um did a good job of sharing
the data that they hold um with people
and then uh and then ivpn as i mentioned
i thought it was really cool that they
all first and third party tools are
hosted on their own servers
yeah
yeah
all right let's dig in a little more on
the on the security questions here and a
fair warning to people who are not
familiar with all the terminology here
it might get i might get a
little complicated but we'll dive in and
we'll be fine um
so
only six of the 16 vpns we looked at had
what it's called reproducible builds
why does that matter to you so you wanna
the idea behind it is that you can
verify that the code that's running on
your computer is the same as what is
posted publicly so you know that there
hasn't been any vulnerabilities or
backdoors introduced during the
compilation process
um
and then um
with uh
what were there were there of of this of
the 16 oh sorry of the six did anybody
do particularly well of like
standing out there or or just like this
is a binary thing six of them told us
their reproducibles and
yeah this is a binary thing like if you
have a reproducible build we can verify
that it's the same as what's on the repo
yeah
and what does it mean if they do if they
use a signature to authenticate updates
uh-huh yes you're testing this on
testing this on a windows 10 system so
you tested it on windows updates is that
right
um
yeah so like the
uh a signature authenticate like they
use what's called the checksum as a data
integrity check um and that's cool
because you can tell the update's
official and it hasn't been tampered
with and that's really important because
sometimes like malware peddlers will
bundle malicious software with
legitimate software and unofficial
versions you could tell that that wasn't
happening and um movad mobad
authenticated the signature and ivpn and
pia used checksums for data integrity
checks so that was really cool
um and then one more uh term here what
do we mean when we say uh attacks brute
force attacks
oh it's when you try to kind of enter
millions of um passwords over and over
again um
uh or you try to reset the password i
think is what we meant in this case so
like if i'm trying to hack into your
account i might hit 30 password attempts
and if there's no kind of defense like a
captcha then that's that means that
a bad actor might get access to that
account and then sometimes they just
lock you out and that can also be bad
because i can lock you out of your
account by entering an incorrect
password over and over again and cut off
your access to that service
right
um and so
to to pass that security checkpoint they
just had to have some sort of
defense again like something that that
auto jumped on when there's a certain
number of attempts to log in or attempt
to to do something right yeah they had
to have a defense and also not lock the
original user out of their account when
somebody was trying right
right
uh okay i think that that
let's um
let's take a second here because i saw
in chat someone was asking um for
you know what actually i like what's
happening in chat i'm gonna let that
keep going uh i love the the ideas
uh that the metaphors that you all are
using to describe what a vpn actually
does for a a novice or an entry-level
user let's go ahead and crowdsource that
so do your best to explain
um
how a vpn works and it's sort of
baseline
level uh and i'm seeing people
those those scroll by so that's great
let's keep doing that
all right let's get into the rankings we
actually did this is the top half
of our rankings and i think maybe the
most important thing to see on this
screen right now although you'll see how
different things did on all these
questions
is the top line there are sort of
the the the the things across the top
that we ranked on and i think that
that's important because
if one of your vpns that you're using
right now is not listed
um we
want you to be thinking about these
categories of thing right as you imagine
what your vpn should be doing
um and i'm going to go ahead and move
forward yeah do you want to say anything
about sort of the
overall rankings and and sort of how
this chart this chart came together sure
so this is kind of an average of the
overall privacy and overall security
scores for the first two and then the
the next three we thought were really
important like is the
is there open source uh software has it
been audited by third party publicly
recently and then do they accurately
represent what a vpn actually does
uh on their on their websites
and can you answer that question um from
memory off the top of your head about
what the asterix for expressvpn
signifies
so there was a oh there was a couple of
them that had audits that had been done
but one of them wasn't public let me
look that up real quickly though i think
actually amirah got to you and got it in
chat faster than we could expressvpn
audited its lightweight protocol in 2021
but did not have a recent audit of its
core product so they get
partial credit there was another one
that had partial credit i believe it was
north vegas
yeah
they had an audit but it wasn't i think
you had to be a member to see it or be a
member of the press
only when logged into a nord account
right
uh
all right so this is i mean and these
are this is the second half of things
and just as a as a reminder the first
two categories here are um a compilation
of different things that we looked at
and the last three are a little bit more
binary they get checks or or x's um
you know i notice
using the
tried and true
consumer reports ranking systems here i
see a lot of green one up arrows but
that's not our best ranking did anyone
get
uh like fully recommended here
no no nothing got the great the best
frankie
the best ranking and why
uh like do you
what what tell us about that does that
what does that mean to you that there's
nothing out there that that you could
fully throw your weight behind yeah
there was still i think there's still a
lot of areas for the entire industry to
improve so even though there were you
know some that were doing better than
others there were
um
there's still areas where vpns like as
an industry can improve
and then we did choose three that we
recommend
uh those are the movad
vpn ivpn and mozilla's vpn um which
actually runs on mobile servers right
right yeah
so these are the three we recommend um
if you are thinking that
uh
uh
you know
none of them got full green lights but
the one you're using either wasn't
listed or is further down the rankings
these are the ones that you um suggest
we suggest you should go ahead and
switch to
um
let's talk a little bit about that fact
that none of them got a perfect score
though because i think that that's
really kind of an interesting thing for
us to dig into and if we could wave our
magic wands and make
um
vpns better we have a bunch of
recommendations in the report that uh
steve and yael have have put together
here um
some of them now are on your screen so
vpns should distance themselves from
employees and partners that engage in
human rights abuses that's a really um
that's one of those that seems very
self-explanatory what about vpns is not
doing that right now
this is actually about
expressvpn and they had like a
high-level employer who um
was charged with leaking like basically
spying on activists and and government
officials on behalf of the united arab
emirates if i remember correctly
um and
the
expressvpn did put out a press release
but i feel like they didn't really
distance themselves themselves uh and
there's been a few there was a few other
issues that i brought up in the white
paper where there had been things that
happened in the past that were i don't
know
a little it made people maybe wary of
those vpns
yeah um
well i'll just keep going down this list
vpn should provide accurate information
so we talked about this a lot of the
sort of like the the things that they
were or were not using is is this mostly
uh a bullet point about disclosure to
you
there's there's been vpns in the past
that said that they didn't log and then
there was the court case and suddenly
they're like they were able to produce
logs
um so that was part of it another thing
we found is that some of these vpns were
logging locally so there was information
that was stored on people's own laptops
which i think people didn't know about
and they say they do that in case you
have a tech support question but it was
um you know on automatically it wasn't
just turned on for tech support
so that was one of the things that we
found
and then
vpn should present their products and
technology accurately that is in many
ways the consumer reports um mission
statement right you've got you y'all
should be telling us accurately about
what your product does and that gets
back to kind of the sleeping claims and
the the the big picture things that um
vpns are claiming that they can't
deliver on
right now
yeah yeah our three our three toppy fans
and also tunnelbear um we're the only
ones that i felt didn't have any of
these
kind of oh interesting so there's there
that's actually reminded me of something
that maybe i should have said earlier uh
the things that fell outside the top
three there are other vpns that you know
did a great standout job at one or two
things um and
should be given credit for that uh it's
part of the complexity of rankings so um
like you just said tunnelbear is another
standout for maybe not bragging too much
about what a vpn can do but the fact
that you only have four out of 16 that
weren't claiming
um
we'll call it hyperbolic stuff it's not
great
that's great
yeah uh okay vpns um
should let their users know about any
security breaches this is more more like
uh disclosure kind of stuff right
yeah absolutely there's been instances
in the past where um people didn't know
about a security breach until somebody
leaked it on on social media
it's like oh yeah this happened a while
ago and they didn't really tell us
oh right we're supposed to tell you
about that
um
and then uh
the
last but certainly not least make it
easier for for users to to opt out if
they decide they no longer want to have
a vpn
you should be allowed to cancel um i
don't think we need to say two more
about too much more about that one and i
would love to get to many of the most
excellent questions that have been
trickling in over the course of um
this call
and uh
let's see
congratulations to stephen america
keeping abreast of all these different
things um
one major point here price was not part
of this evaluation is that correct
that's correct yeah i'll just say that
out loud um and then i'm going to give
i'm going to give you a case study here
someone who has not identified
themselves asks i have a password
manager use
brave browser and duckduckgo so i
suspect i don't really need a vpn on my
laptop as i am retired and generally a
casual user
what would be the best lightweight not
too much slowing vpn for my phone
i also use brave and duck.go but often
need to use locally available wi-fi
so
the reason why i wanted to ask that
lives i think it's a nice uh case study
to think about moving from the sort of
windows 10 how how applicable are these
rankings that happen on windows 10 to
other devices in the rest of the world
so i all of the privacy information
that's based on documentation that would
be that would apply and all these vpns
are available on other services so that
that part would be applicable
um
i i would feel comfortable recommending
it like for the privacy we didn't
actually do
secure the same level of security
testing
um on those services
so
use your best judgment there i guess
like like i imagine it's just impossible
to say like if somebody does good in
windows with their you know how's their
iphone app like it's impossible to say
um
but
as far as the privacy that's all pretty
consistent
and we have um you know different uh
obviously people's phones and questions
along these lines
so
to sum up there uh or to restate so that
i'm being clear to myself and hopefully
therefore clear to the audience uh the
ways that different companies treat your
data
is usually generalizable some of the
technical distinctions might be
different from a phone to windows so we
have people asking you know do i do i is
a vpn necessary on my phone um and i
think i think that the answer to that
question is
the same of the same as is a vpn
necessary overall right like
if you feel that you are doing a lot of
traveling and you're doing a lot of
connecting to uh insecure
wi-fi networks and that sort of thing
then maybe you do need one but
uh generally
a vpn for a phone follows on the same as
a vpn for a laptop it's it's uh kind of
only if you fit certain use cases or
certain profiles
right yeah and we covered that we had an
article that i can put in the chat about
um you know should you use a vpn that
kind of goes into this in more detail
there are parts of the web that used to
be unencrypted that are now
encrypted there's just been a lot of
industry improvement um so i think it's
less necessary now than it used to be uh
but there are there are a few
circumstances where it can help like if
you
you know want to mask your ip address
and don't want to be easily identified
by like a small site where an
administrator might look at the log or
if you want privacy from the owner
of the you know coffee shop or college
or community center that you're at uh
yeah but but yeah for sure if you're not
using things like um
um you know password manager mfa or even
um
setting up your browser to have https on
all the time then you would do those
first before considering whether or not
you need a vpn
um
yeah it comes it comes down the line it
comes further down the line
um
just to
state for the record amira and steve are
doing a great job of keeping track of
all your questions and getting things
into the chat and there's a lot of stuff
coming at you very quickly i want to
reassure everyone that all of the
chat that's going by and all the links
that we are providing will also be
provided with a recording of this call
as part of an email that will go out uh
probably about 24 hours from now
so look for that tomorrow with all of
this information so you don't need to
grab any
um
one moment in time here it'll all be
provided to you again to um to
to to sift through
at your at your discretion um
here's an interesting question for you
um if i can still find that one there
was a question about uh paying payment
options
let's see did i
did we
move that over i wanted to flag that one
about how to pay well
um nope that one might be gone sorry
guys uh if if that if if anyone wants to
uh resend that question i can't find it
anymore sorry about that um
people are saying uh
asking about cost and
all the ones that we uh recommend and do
cost something
um
do you have any thoughts about free vpns
i there's a lot of people that are that
just don't recommend them all together
because it's like how are these
companies making their money
um are they doing anything sketchy there
are a few non-profits that offer free
vpns and we didn't actually test any of
those but i think i feel a little weird
blanketly saying like all free vpns are
bad um
but but there is cause for concern
because if you're not paying for it like
how are they making money
so i think that warren's kind of looking
into more closely
yeah and that i'm seeing i'm seeing uh
different versions of that sentiment
expressed in chat and in q a if you uh
if you are
if they are not making any money
not charging you any money how are they
making money it's a good question
um
we're getting a lot of people asking
about specific vpns um
and
uh so let's just go back to if your vpn
is not one of the 16
um that we ranked and rated in this
report
um how do you know it's a good vpn what
should you do
right yeah so if it's not listed i mean
you can try to look at some of the um
like do they have a public third party
audit is it open source and some of
those those things you can
um
try to to look at look into
someone asks um
is it worth rolling your own vpn um is
is that something
can you use open source tools to to make
something for yourself
i have tried to do that with a friend
actually who's really good at this it
was incredibly time consuming we tried
to roll our own um wire guard instance
it's really time consuming and you need
like a certain level of technical skill
um we did try to use tail scale which
made it a lot quicker and easier but you
do have to there's like other steps
involved it's not just like setting it
up you have to like
get a droplet like a digital ocean
droplet or something like that leno and
set that up and there can be issues
there so i guess it depends like
how much technical skill do you have and
how much i guess pain tolerance
oh yeah somebody mentioned pi vpn that's
another one it's something you can i
think it's cool yeah there's algo
there are different options to do that i
think they're fun to play around with if
you
are you know into technology and have a
lot of patience and what i call pain
tolerance
um yeah that's definitely something
people can test out but if you just want
like a freezy vpn and don't mind paying
five dollars a month or whatever it is
it's save you a lot of time
yeah yeah
it's it sounds like it's also a pretty
high technical specificity uh it's not
necessarily a good
a good look
um
okay uh lots of questions seems like
there's sort of a hot topic here about
built-in
vpns uh
ios android built-in um people who are
getting a vpn as part of some other
package that they are uh paying for
so
i guess um
i will phrase this question to you this
way do you have any plans of going back
and looking at vpns in some other
build or instance outside of windows 10.
uh we we we're still having those uh
those discussions
um
yeah we've talked about about reviewing
that but um i don't have any specific
like announcements or anything
yeah
fair enough um and is it more oh you you
actually flagged this one you so you you
you yeah well if we sort of already
talked about this is it more important
to have https verified encryption versus
vpn um
we would say uh
https is further up the
the um
hierarchy of need right
absolutely yeah
um
yeah people are still asking for
individual things
uh and i guess we're probably not going
to be able to answer these any thoughts
about different specific vpn x's
um
vpn specific vpns
um
okay here's an interesting one u.s
warned firms about russia's uh kaspersky
software day after invasion any comment
any thought about that
you know we actually included and this
was before that had happened but this
has happened with kaspersky in the past
and we actually included that in the
white paper and i didn't make any i
think we we looked at um some of the
issues that people had brought up in the
past and the mitigations that kaspersky
said that they were taking to address
that
um so
it's
i don't think we
gave a specific like we didn't say like
this is what you should do
we just kind of looked at um
at that but i think like for kaspersky
there's other reasons not to use it that
we
um delved into so you didn't have to
actually you know decide like who's
correct here but yeah we looked at like
there was allegations that it denied and
they had actually um
moved parts of their business um
they migrated some of their court
infrastructure to switzerland and they
have some independent review and
analysis of their source code but we
kind of left it up to people to decide
like what to believe
there
um i did find that or people have i
didn't find people have re-elevated the
question that i was looking for before
so i'll go ahead and ask it um mike
wants to know panelists i hope to talk
about payment for a vpn
what i want to choose a vpn that allows
me to use bitcoin to protect my
anonymity even in my enrollment so uh
something that would allow you to not
even enter your actual details and
billing information as part of signing
up for the thing
right yeah that but um
there are some vpns that do
offer those options um we didn't
actually look that wasn't one of the
things that we actually looked into to
see like um
like how how anonymous is this um
etc so i don't
i guess it depends also on like why why
do you want
like why do you want this to be
anonymous so i i feel like that kind of
raises more questions
[Laughter]
right that them them uh
that's interesting
so uh i guess we come down on that one
uh use your discretion but probably
it's more important that they have good
data practices than that you
protect yourself by being anonymous
yeah it's a whole can of worms about
like um
how anonymous like bitcoin is etc
right right
[Music]
well we are coming right up to the hour
so i'll say have you seen any other
things uh stream by as you've been
keeping an eye on these things that you
want to be sure to answer there was one
thing that i saw where somebody asked
about digital fingerprinting
and i i think that's really interesting
because uh you know a lot of people who
usually fans are like oh i might get
hacked at a cafe but a lot of experts
are more concerned about
ad tracking and that used to uses tools
like digital fingerprinting that a vpn
doesn't actually defend against
uh can you tell us really quickly what
digital fingerprinting is um it's a way
that you can kind of identify people
based on their compute like uh what
browser you're using how big is your
window and like other identifying
information so they can kind of
fingerprint you and like figure out
right who you are and that's something
that vpns don't actually defend against
so um
like
um so yeah that's
you're getting like a very thin layer of
quote-unquote anonymity or privacy and
not not the full deal because of things
like digital fingerprinting um or even
if you're just logged into
like if i'm logged into a gmail account
and i'm on a vpn i'm already logged into
that account so there's
stuff that people can see even if you
are using a vpn which is one of the
things we wanted to kind of
flag for people
gotcha okay
um
well then i think i'm going to uh move
us along to thank everyone uh thank you
yael very much for being here with us uh
thank you all for the questions and the
comments and i really love to see
folks in the chat uh jumping in and
helping each other out uh both
understanding technology and talking
about your own builds and what you use
and how it's all gonna go um
and i'm going to like i said make sure
to keep a copy of the chat send that
around we've been recording this we will
send that around there are many many uh
links and ideas that have been dropped
in um and i apologize to those of you
who have not managed to get your
questions either on air or answered in
chat but we did answer
um 80 questions which
is pretty good pretty good not too bad
steve not too bad amir thank you very
much thank you for keeping on top of
chat um the url on your screen right now
which is consumerreports.org
events uh is where you can find all of
our past webinars again that will be an
email coming to you tomorrow but if
you're fired up and ready to go right
now you could surf on over and check out
such things as our password manager
stuff and some of the other things that
we've talked about in the past um yeah
thank you for such this robust
interesting conversation and if you have
any questions things we didn't get to
burning desires to know more information
or even pitches for other things that we
should cover on future webinars
you can use the email address on your
screen right now or
you can wait for me to send you an email
tomorrow and just reply to that
thank you all very much
uh thank you for being here and yeah
good luck out there choosing the vpn
that's right for you or just getting rid
of vpns in your life that might be the
best for you
thanks y'all
appreciate the time and and look forward
to our next webinar
![The Art of Racing in the Rain | Official Trailer [HD] | 20th Century FOX image](https://i.ytimg.com/vi/Dp2ufFO4QGg/default.jpg)
![[Full Movie] 刺客荣耀 Assassin Glory 荆轲 | Martial Arts Action film 武侠动作电影 HD image](https://i.ytimg.com/vi/DmFOccJi66M/default.jpg)
