Which VPN Providers Really Take Privacy Seriously in 2023?

[Marwan]

Choosing the right VPN can be a tricky endeavor. There are hundreds of VPN services out there promising to improve users' privacy, but some are more private than others. To help you pick the best one for your needs, we asked dozens of VPNs to detail their logging practices, how they handle torrent users, and what else they do to keep you as anonymous as possible.

private lockThe VPN industry is booming and prospective users have hundreds of options to pick from. All claim to be the best, but some are more privacy-conscious than others.

The VPN review business is flourishing as well. Just do a random search for “best VPN service” or “VPN review” and you’ll see dozens of sites filled with recommendations and preferred picks. Some VPN companies even own review sites.

At TF we don’t want to make any recommendations. When it comes to privacy and anonymity, an outsider can’t offer any guarantees. Vulnerabilities are always lurking around the corner and even with the most secure VPN, you still have to trust the VPN company with your data.

Instead, we aim to provide an unranked overview of VPN providers, asking them questions we believe are important. Many of these questions relate to privacy and security, and the various companies answer them here in their own words.

We hope that this helps users to make an informed choice. However, we stress that users themselves should always ensure that their VPN setup is secure, working correctly, and not leaking. We also advise people to properly research the company behind the VPN service. This article is not a recommendation of any kind.

This year’s questions and answers are listed below. We have included all VPN providers we contacted that don’t keep extensive logs or block lawful torrent traffic on all of their servers. The order of the providers is arbitrary and doesn’t carry any value.

Note: The responses below were received in 2023. Some companies failed to respond and are therefore excluded.
—

1. Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long?

2. What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate?

3. What tools are used to monitor and mitigate abuse of your service, including limits on concurrent connections if these are enforced?

4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

6. What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?

7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? Do you provide port forwarding services? Are any ports blocked?

8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

10. Do you provide tools such as “kill switches” if a connection drops and DNS/IPv6 leak protection? Do you support Dual Stack IPv4/IPv6 functionality?

11. Are any of your VPN servers hosted by third parties? If so, what measures do you take to prevent those partners from snooping on any inbound and/or outbound traffic? Do you use your own DNS servers?

12. In which countries are your servers physically located? Do you offer virtual locations?

Important note: Services that offer dedicated or fixed IP-addresses are often able to link an IP-address to a user account, irrespective of the answer to question 1.

Tip: Here’s a list of all VPN providers covered here, with direct links to the answers. Some links in this article are affiliate links. This won’t cost you a penny more but it helps us to keep the lights on. Please note that unlawful activity is strictly forbidden on these services. That includes copyright infringement.

All VPNs
– NordVPN
– ExpressVPN
– Private Internet Access
– TorGuard
– ProtonVPN
– IVPN
– Windscribe
– Oeck
– Speedify
– CyberGhost
– AirVPN
– Trust.Zone
– Mullvad
– Perfect Privacy
– Hide.me
– AzireVPN
– Guardian
– OVPN
– HideIPVPN
– Ivacy

NordVPN
NordVPN logo1. We do not keep connection logs nor timestamps that could allow us to match customers with their online activity.

2. Parent company is Nordvpn S.A., operating under the jurisdiction of Panama.

3. We use an automated tool that limits the maximum number of concurrent connections to six per customer and a system that automatically suspends the account if a specific connection pattern is recognized, e.g. hundreds of connections to different servers in a very short period of time. This is being done in order to mitigate web scraping. Apart from that, we do not use any other tools.

4. NordVPN uses third-party data processors for emailing services and to collect basic website and app analytics. We use Iterable and Sendgrid for correspondence, Zendesk to provide customer support, Google Analytics to monitor website and app data, as well as Crashlytics, Firebase Analytics and Appsflyer to monitor application data. All third-party services we use are bound by a contract with us to never use the information of our users for their own purposes and not to disclose the information to any third parties unrelated to the service.

5. NordVPN is a transmission service provider, operating in Panama. DMCA takedown notices are not applicable to us.

6. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our no-log policy means that we do not store any information about our users’ online activity – only their email address and basic payment info. So far, we haven’t had any such cases.

NordVPN notes on its website that it “will only comply with requests from foreign governments and law enforcement agencies if these requests are delivered according to laws and regulations.” It adds that it will “never log [user] activity unless ordered by a court in an appropriate, legal way.”

NordVPN tells us that the standard no-logging policy remains in place. It will challenge any logging requests until all options are exhausted and will use all means to keep customers informed. At the same time, the company wants to dissociate itself from bad actors in the VPN industry while sending a clear message to terrorists and criminals that it will not work as a safe haven for crime.

7. We do not restrict any BitTorrent or other file-sharing applications on most of our servers. We have optimized a number of our servers specifically for bandwidth-hungry activities. At the moment, we do not offer port forwarding and block outgoing SMTP 25 and NetBIOS ports.

8. Our customers are able to pay via all major credit cards, regionally localized payment solutions and cryptocurrencies. Our payment processing partners collect basic billing information for payment processing and refund purposes, but that data cannot be connected to an internet activity of a particular customer. Bitcoin is the most anonymous option, as it does not link the payment details to the user identity or other personal information.

9. All our protocols are secure, however, the most advanced encryption is used by NordLynx. NordLynx is based on the WireGuard® protocol and uses ChaCha20 for encryption, Poly1305 for authentication and integrity, and Curve25519 for the Elliptic-curve Diffie–Hellman key agreement protocol.

10. We provide automatic kill switches and DNS leak protection. Dual-Stack IPv4/IPv6 functionality is not yet supported with our service; however, all NordVPN apps offer an integrated IPv6 Leak Protection.

11. Most of our servers are leased, but we are gradually increasing our collocated server network. That said, the security of our infrastructure is our top priority. Due to our special server configuration, no one is able to collect or retain any data, ensuring compliance with our no-logs policy. Our no-logs policy has been audited and verified by Deloitte — an industry-leading Big Four auditing firm. We do have our own DNS servers, and all DNS requests travel through a VPN tunnel. Our customers can also manually set up any DNS server they like.

[Silent Watcher]

Avoid unnecessary posts such as 'Thank you', 'Welcome', etc. Such posts will be deleted and user will be warned if it happens again. If caught spamming, the following actions are applicable -

• First time - Warning
• Second time - 5000 Points will be deducted
• Third time - Ban for 7 days
• Fourth time - Permanent Ban

If the post helped you, reward the user by reacting to the post like this -