Beware, That VPN May Not Be What You Think It Is

These VPN red flags should send you running.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

There are some excellent, well-tested virtual private networks we recommend you try. But if you're exploring the competitive market of VPNs on your own, you're likely to find some shoddy VPN companies that scatter hints of their dubiousness everywhere they go. Learning to identify a few of these red flags can save you hours of research and a hefty annual subscription cost for supposedly getting connected to the internet more securely.

Is the price too good to be true? Has the company been caught keeping logs? How are your connection speeds?

To save you time, here are a few of the biggest red flags to watch out for when taking your new VPN out for a test drive.

Free VPNs aren't usually free

There's no such thing as a free lunch. Maintaining the hardware and expertise needed for large VPN networks isn't cheap. As a VPN customer, you either pay for a premium service with your dollars, or you pay for free services with your usage data when it's collected by the free VPN and bargained away to advertisers or malicious actors.

As recently as August 2019, 90% of apps flagged as potentially unsafe in Top10VPN's investigation into free VPN ownership still posed a privacy risk to users. Free VPNs can also leave you open to quiet malware installation, pop-up ad barrages and brutally slow internet speeds.

Some VPNs have been caught snitching

If a VPN is caught keeping or sharing user activity logs, I won't recommend it. While most VPN services claim they don't track or keep logs of user activity, that claim can sometimes be impossible to verify. In other instances, the claim falls apart publicly when a VPN company hands over internet records to law enforcement.

The latter has happened in a few cases. EarthVPN, Hide My Ass VPN and PureVPN have all been clocked by privacy advocates for handing over logs to authorities, as has IPVanish.

To be clear, it is entirely possible to be grateful for the arrest of reprehensible scumbags while ardently advocating for consumer privacy interests. My beef isn't with any VPN company helping cops catch a child abuser via usage logs; it's with any VPN company that lies to its customers about doing so. The lie that helps law enforcement in the US catch a legitimate criminal is the same lie that helps law enforcement in China arrest a person watching footage of the 1989 Tiananmen Square protests.

Ideally, the VPN you choose should have undergone -- and published the results of -- an independent third-party audit of its operations, including its use of activity logs.

Weak encryption is everywhere

Another red flag to watch for when choosing a VPN is shoddy encryption standards. Users should expect AES-256 encryption or better from VPN services. Nearly every web browser and app already uses AES, often touted as "military-grade" encryption, after it was adopted by the US government in 2002. If your VPN only offers the PPTP and L2TP protocols, look elsewhere.

While you're snooping around for encryption details, keep an eye out for one of our favorite phrases, "Perfect Forward Secrecy." Those three little words can have a hefty impact on your privacy: If one of your VPN's servers is ever breached, Perfect Forward Secrecy ensures that any keys used to decrypt private internet traffic quickly become useless -- giving you more security.

Extremely slow speeds? No thanks

With just a little bit of elbow grease, any moderately skilled internet jerk can throw together a service that looks like a VPN but is actually little more than a proxy service reselling your internet bandwidth. Not only can that slow your internet speed, it could potentially leave you on the legal hook for whatever they do with that resold bandwidth.

Hola's case was the most famous. The company was caught in 2015 quietly stealing users' bandwidth and reselling it to whatever group wanted to deploy its user base as a botnet. Hola CEO Ofer Vilenski admitted it'd been had, but contended this harvesting of bandwidth was typical for this type of technology.

"We assumed that by stating that Hola is a (peer-to-peer) network, it was clear that people were sharing their bandwidth with the community network in return for their free service," he wrote.

Nearly all VPNs slow your browsing speed, some by as much as half. But a brutal crawl can be a sign of something worse than a simple lack of servers. So if being pressed into service as part of a botnet isn't your cup of tea, double-check those suspiciously slow speeds and the reputation of the VPN you're paying for.
