
Are US-based VPNs trustworthy? Here's why I don't recommend them

Commentary: Sure, you can still game and stream on a VPN based in the US. But if you want top-notch privacy, you've got to import it.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

Fast cars, Champagne and virtual private networks -- some goods are best imported. It's not about snobbery; it's about getting the best value for your dime, especially in the case of VPNs. Sure, there are plenty of homegrown US-based VPNs that offer inexpensive subscriptions with which you can game and stream media to your heart's content. But for those of us seeking out top-notch privacy protection, I've become as sure about importing VPNs as I am about the Champagne. 

One of my fundamental criteria for ranking a VPN provider is the jurisdiction of its parent and affiliate companies. When evaluating its overall capacity to protect user privacy -- before I even check into its technical specifications for encryption -- I start by looking at whether a VPN service is headquartered outside of the US and the reach of its intelligence-sharing partner countries, like those comprising the Five, Nine or 14 Eyes compacts.

If I find that a VPN is headquartered in the US or any of those member nations, even if its technology is on par with its non-US peers, I cannot in good conscience say it offers its users globally competitive privacy. Why? Because, as far as its government's relationship to technology is concerned, the US is a privacy-averse country, and your data may not be protected from federal eyes.

Following the revelations laid bare by NSA whistleblower Edward Snowden in 2013, which detailed the existence of sweeping mass domestic surveillance -- and the continued renewal of the authorizing Patriot and US Freedom acts -- it's simply no longer reasonable to expect competitive privacy standards from any VPN headquartered in the States while also expecting its compliance with the law of the land. (Yes, a federal judge just declared the bulk data collection unlawful -- but that's closing the barn door after the cows have escaped.)


When functioning under normal circumstances, VPNs operate by creating an encrypted tunnel through which communications can be safely transported from sender to destination. The debate is ongoing over whether government computing power is capable of -- or has already successfully accomplished -- decrypting the internet standard AES-256 (which is the common, minimum type of encryption you'd expect from a VPN). But the question isn't whether the NSA can decrypt your messages. It's whether you trust your VPN to go up against the US government should it request your VPN log your activity, and whether you trust your VPN to tell you about such a request when it's forbidden to do so. 

Based on the fraction of US government interference in the VPN realm that the world has seen, I don't have that trust. I personally do not trust any current US VPN company to go to bat for me in those kinds of circumstances, nor to hold up against the potential legal pressure that may be brought to bear should a company try to resist. This opinion is neither brave nor unusual.

In 2018, US-based VPN IPVanish cooperated secretly with the FBI, logging user data for the agency during a criminal investigation. Riseup, another US-based VPN, was prevented from updating its warrant canary in 2017 when the FBI handed the company a couple of subpoenas and silenced it with a gag order. PureVPN, based in Hong Kong with US servers, wasn't outside of the reach of the FBI when it handed over user data in 2017. HideMyAss -- a VPN company located in the UK, a Five Eyes member nation -- likewise handed over information to the UK feds in 2011.


It's fair to point out that some of these logging instances occurred in the context of companies helping law enforcement track down suspects who were ultimately found to be hiding behind a VPN to stalk, harass or abuse someone.

To be clear, it is entirely possible to be grateful for the arrest of guilty-as-sin criminals while ardently advocating for consumer privacy interests. My beef isn't with any VPN company helping cops catch a child abuser via usage logs; it's with any VPN company that lies to its customers about doing so. VPN policies have global consequences for users. The lie that helps law enforcement in the US catch a legitimate criminal is the same lie that helps law enforcement in China arrest a person watching footage of the 1989 Tiananmen Square protests.

Editors' note, Feb. 9, 2022: The VPN industry has undergone significant change in the past few months, with all three of our top VPN choices announcing major changes in corporate ownership. In December, ExpressVPN announced that it had officially joined Kape Technologies, a company that already owns several other VPNs and has raised privacy concerns in the past. In February, NordVPN and Surfshark announced the two companies were merging, though they'll continue to operate autonomously. We're in the process of reevaluating all of our top picks in light of these changes. We will update our reviews and, if necessary, our rankings to account for this new competitive landscape. 

The fight for encryption

My beef is also with any government or entity that aims to outlaw digital window curtains because those curtains make it harder for cops to see potential criminals in your metaphorical living room. Or any entity, elected or otherwise, that aims to give cops a spare key to your house under the pretext of safety.

My skepticism of US VPNs isn't solely because the US government can force a VPN provider to secretly monitor a user. It's that legislation and policy priorities for a growing segment of elected officials are lurching hard toward FBI Director Christopher Wray's call for tech companies to weaken encryption.

Here's the elevator pitch from Wray this year: The government needs a special backdoor into encrypted communications so it can catch child predators and drug traffickers. The problem: There's no such thing as a backdoor into encryption without destroying encryption itself. It would be like putting a screen door on a submarine. 

US Attorney General William Barr, so far publicly in lock-step with Wray on the issue, also wants law enforcement to have a backdoor into encrypted communications. His cause has likewise been championed by Republican Sen. Lindsey Graham of South Carolina.

Graham is also the sponsor of the controversial EARN-IT Act. The legislation was initially pitched as a way to hold digital platforms like Facebook accountable for child predator activity, but during its winding passage through the committee system it became a bill that would grant the Attorney General sweeping authority over tech companies like Google, Facebook and Apple. Social media platforms that failed to comply with the directives of a national council headed by the Attorney General would face millions of dollars in civil penalties. In late July, the EARN-IT Act cleared its last Senate committee hurdle and has since been sitting on the chamber's calendar, awaiting a hearing by the full Senate.

Beyond the obvious threats to Fourth Amendment search and seizure protections and First Amendment free speech, one of the problems with the bill is that we've already seen what happens when a weakened security standard is created so law enforcement agencies have special privileges. In 2009, Chinese political operatives got their hands on sensitive US intelligence after a Google backdoor breach. If one person can come through the backdoor, so can others. And US tech companies' weakened secured systems would then be vulnerable to a host of actors all over the world. 


The problems aren't just limited to potential constitutional violations and human error. The creation of the backdoor would likely create a cascading chain of other security flaws as engineers attempt to comply with the feds. Here's the academic take from a host of reliable authors, including security legend Bruce Schneier, who is currently a fellow at the Berkman Klein Center for Internet & Society at Harvard University:

"Exceptional access would force internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached," the authors write. "The complexity of today's internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws."

The message is clear: The current legal environment suggests that the US government is moving toward an end to encryption, and is therefore not required to protect your privacy -- at least for the foreseeable future. That means until we see the expansion and development of more decentralized and uncensorable bandwidth markets (a la what the folks at Orchid are working on) even the most promising VPN with the most watertight technology is not one I want to subscribe to if it or its parent and affiliate companies are headquartered in the US.

In my VPN tests for CNET, there are two that stand ahead of the pack: ExpressVPN, one of the fastest and most secure on the market, and SurfShark, a speedy up-and-comer with unlimited device support. Both are based in the British Virgin Islands, which is generally considered a privacy-friendly country due to its lack of surveillance-sharing agreements with others.

A final note: Just because a VPN has a jurisdiction outside of the US (and its multinational intelligence rings), it doesn't mean it is exempt from Uncle Sam's prying eyes, and it is often impossible to fully track the actual ownership of a VPN company through layers of shell companies and business filings. Beyond that difficulty, it's also pretty widely accepted that if someone really wants to find your data, they will -- whether that's some random hacker who hates your guts enough to doxx you, or a government agency looking to get your data from an overseas organization. 

We'll never win the war for anonymity on the internet, but every battle for privacy is one worth fighting if it makes mass surveillance even just a little bit harder to accomplish. 
