A Critique of the Commercial VPN Ecosystem

As the digital age progresses, the importance of data privacy and internet freedom has become a critical concern for internet users worldwide. Data breaches and censorship have driven many towards virtual private network (VPN) services as a means of maintaining privacy and evading potential restrictions. Consequently, the commercial VPN industry has experienced a significant surge, transforming into a 15-billion-dollar industry expected to grow 20% by 2028[1].

VPNs, originally designed to facilitate private data transmission over public networks, are now extensively marketed as privacy-preserving tools. They promise to cloak not only users’ data traffic but also personal information from third parties, including Internet Service Providers (ISPs) and governments. VPNs are also advertised as a means to bypass internet censorship and geo-filtered content. As a result, they have become preferred solutions for many individuals over more complex but free services like Tor, due to their alleged performance and perceived usability.

However, the VPN landscape is far from transparent. Despite claims of robust infrastructure and user privacy, the reality is that the VPN ecosystem is shrouded in opacity. There is an absence of practical tools or independent research systematically verifying the security and privacy assertions made by VPN providers. It has been observed that some VPN providers sell customer data to third-party data brokers or manipulate customer traffic, raising grave concerns about their actual operations.

Moreover, the lack of independent and peer-reviewed evaluation of VPN services leaves users with limited, potentially biased information sources when choosing a VPN service. Many review websites are supported by affiliate programs, further muddying the waters.

This alarming lack of transparency and potential for misleading practices in the VPN industry is precisely why this website was developed. Our goal is to promote transparency in the world of VPNs, providing reliable, independent, and comprehensive evaluations of VPN service claims. Our work aims to highlight and address issues surrounding transparency, marketing, and security in the commercial VPN ecosystem, providing users with the clear and unbiased information they need to make informed choices about their online privacy and security.

An Empirical Analysis of the Commercial VPN Ecosystem, 2018

Full paper: https://dl.acm.org/doi/epdf/10.1145/3278532.3278570

“An Empirical Analysis of the Commercial VPN Ecosystem” is a meticulously crafted research paper that aims to expose the inner workings of VPN services and their adherence to best security practices. The paper presents an exhaustive study of 62 different VPN services, investigating their operational dynamics, and analyzing them against a set of predefined security metrics. The research spans various critical aspects of VPN usage, including user authentication methods, tracking libraries and permissions, censorship resistance capabilities, network security, and data leakage possibilities. Moreover, the paper brings to light the alarming lack of transparency in many VPN services and the prevalence of misleading claims that could potentially exploit user trust.

The primary objective of this research was to provide a comprehensive and empirical evaluation of the commercial VPN ecosystem. The authors strived to illuminate the often opaque practices of VPN providers, contributing to a more transparent and accountable VPN market. To this end, they employed a multi-faceted methodology that combined data collection from various sources, including VPN client apps, VPN servers, and VPN websites. The analysis incorporated both static and dynamic testing methods to evaluate the VPN services, thereby ensuring a robust and thorough assessment. The research culminates in a set of proposed guidelines for a standardized security assessment for VPN services, intended to foster improved security practices within the VPN industry.

VPN Network Infrastructure

This section explores the infrastructure of VPN (Virtual Private Network) services, revealing a high level of centralization and overlap among providers. The researchers found that many VPN services share similar or even identical server infrastructure, implying that they either have partnerships with each other or outsource their infrastructure to the same hosting providers.

The study analyzed 767 VPN vantage points, identifying 748 distinct IP addresses associated with 529 different CIDR (Classless Inter-Domain Routing) blocks, suggesting that many VPN providers may not own their own unique server infrastructure.

Specifically, two providers, Boxpn and Anonine, were found to share four vantage points, each registered by a different company according to WHOIS records. Even when the matching condition was relaxed to the CIDR level, their vantage points were typically located within the same IP blocks.

This analysis raises questions about whether these VPN services are part of the same company, or if they are simply reselling infrastructure provided by a third-party. The information available on their websites does not provide definitive answers to these questions.

Further, the researchers identified 40 VPN services with VPN vantage points in the same CIDR block. Many of these IP blocks belong to well-known hosting providers like DigitalOcean, LeaseWeb, and SoftLayer. This means that these IP blocks can be easily blacklisted and blocked by web services that aim to discriminate against VPN users.
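The overlap analysis described above (strict matching on identical exit IPs, then relaxing to the CIDR level and attributing blocks to hosting organisations) can be reproduced on a small scale with nothing more than the Python standard library. The script below is an added example, not code from the paper or from this site; the vantage-point records, the prefix-to-organisation table and the provider and hosting names are constructed sample data using documentation address ranges, standing in for the WHOIS and routing data a real study would collect.

```python
"""Cluster VPN vantage points by exit IP and by CIDR to surface shared infrastructure.

Added example (not from the paper or this site). All records below are constructed:
providers, addresses and hosting organisations are placeholders, and the
ALLOCATIONS table stands in for WHOIS/BGP prefix data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (provider, exit IP) pairs, as a crawler of VPN clients might collect.
VANTAGE_POINTS = [
    ("ProviderA", "192.0.2.10"),
    ("ProviderA", "192.0.2.11"),
    ("ProviderB", "192.0.2.10"),     # identical exit IP to ProviderA
    ("ProviderB", "198.51.100.7"),
    ("ProviderC", "192.0.2.200"),    # same /24 as A and B, different host
    ("ProviderD", "203.0.113.5"),
    ("ProviderD", "203.0.113.5"),    # duplicate record, deduplicated below
    ("ProviderE", "203.0.113.200"),
]

# Constructed stand-in for WHOIS/BGP allocations: prefix -> organisation.
# The /25 is a more specific reassignment inside the /24, so longest prefix must win.
ALLOCATIONS = {
    "192.0.2.0/24": "HostingCo-1",
    "198.51.100.0/24": "HostingCo-2",
    "203.0.113.0/24": "HostingCo-3",
    "203.0.113.128/25": "HostingCo-4",
}


def parse_allocations(table):
    """Parse prefix strings once so lookups compare network objects."""
    return {ipaddress.ip_network(prefix): org for prefix, org in table.items()}


def match_cidr(ip, nets):
    """Longest-prefix match of an address against the known allocations.

    Falls back to the enclosing /24 when nothing is known, so every vantage
    point still lands in some block instead of being silently dropped.
    """
    best = None
    for net in nets:
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best or ipaddress.ip_network(f"{ip}/24", strict=False)


def cidr_for(ip_str, table):
    """String convenience wrapper around match_cidr for a single address."""
    return str(match_cidr(ipaddress.ip_address(ip_str), parse_allocations(table)))


def _group_providers(records, key):
    """Map key(ip) -> set of providers observed at addresses with that key."""
    groups = defaultdict(set)
    for provider, ip in records:
        groups[key(ipaddress.ip_address(ip))].add(provider)
    return groups


def shared_ips(records):
    """Strict match: an identical exit IP used by more than one provider."""
    groups = _group_providers(records, lambda ip: ip)
    return {str(ip): sorted(p) for ip, p in groups.items() if len(p) > 1}


def shared_cidrs(records, table):
    """Relaxed match: vantage points of different providers inside one allocated block."""
    nets = parse_allocations(table)
    groups = _group_providers(records, lambda ip: match_cidr(ip, nets))
    return {str(net): sorted(p) for net, p in groups.items() if len(p) > 1}


def providers_per_org(records, table):
    """How many distinct services sit on each hosting organisation's space."""
    nets = parse_allocations(table)
    by_org = defaultdict(set)
    for provider, ip in records:
        net = match_cidr(ipaddress.ip_address(ip), nets)
        by_org[nets.get(net, "unknown")].add(provider)
    return {org: sorted(p) for org, p in by_org.items()}


def summarize(records, table):
    """Headline counts in the same shape the paper reports: points, IPs, CIDRs."""
    nets = parse_allocations(table)
    ips = {ipaddress.ip_address(ip) for _, ip in records}
    cidrs = {match_cidr(ip, nets) for ip in ips}
    return {"vantage_points": len(records), "distinct_ips": len(ips), "distinct_cidrs": len(cidrs)}


if __name__ == "__main__":
    print("summary:", summarize(VANTAGE_POINTS, ALLOCATIONS))
    print("shared IPs:", shared_ips(VANTAGE_POINTS))
    print("shared CIDRs:", shared_cidrs(VANTAGE_POINTS, ALLOCATIONS))
    print("providers per org:", providers_per_org(VANTAGE_POINTS, ALLOCATIONS))
```

On the constructed data, the strict pass flags only the one exit IP that ProviderA and ProviderB both use, while the CIDR pass also pulls in ProviderC, which sits in the same block on a different host; that widening is exactly why the paper reports both matching levels. The longest-prefix rule matters when a hosting company reassigns part of a block, as the /25 inside the /24 here shows: without it, two providers on different customers' sub-allocations would be counted as sharing infrastructure.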

This situation is problematic for the VPN ecosystem for several reasons:

  1. Centralization: VPNs are supposed to decentralize internet access, but if many of them use the same server infrastructure, it negates the purpose. The concentration of infrastructure among a few providers could potentially create a single point of failure, which goes against the principles of decentralization and redundancy that underpin robust and secure internet access.
  2. Transparency and Trust: Many users may not be aware of this overlap in infrastructure. They may believe they are choosing between distinct services when in fact, they are simply choosing different interfaces to the same underlying infrastructure. This lack of transparency could undermine trust in VPN providers.
  3. Privacy and Security: If multiple VPN providers share the same infrastructure, users’ privacy and security could be compromised. If one provider has a security vulnerability, it may affect others on the same infrastructure.
  4. Access and Blocking: Shared IP blocks could lead to widespread access issues. If an IP block is blacklisted due to the behavior of one provider, all the other providers sharing that block could also be blocked.

In conclusion, the high level of centralization and overlap among VPN providers as revealed by this study is a significant issue. It undermines the principles of decentralization, transparency, and security that VPNs are supposed to uphold. Users need to be aware of these issues in order to make informed choices about their VPN providers.

Marketing and Affiliate Strategies

This passage examines the marketing and affiliate strategies of VPN services, highlighting several areas of concern in terms of transparency and deceptive practices. The VPN industry often brands itself as a means of providing security, anonymity, and internet freedom, making various claims about server counts, supported tunneling protocols, and encryption standards to attract users.

One of the key points is the use of jargon and baseless claims. For example, the term “military-grade encryption” is often used as a marketing term to refer to AES-256 bit encryption, despite the lack of any official standard or accreditation that would justify the term “military-grade.” Such marketing terminology can be misleading for consumers who may not have a deep understanding of encryption technologies and standards.

Furthermore, the study found that a significant number of VPN services use popular social media platforms for marketing and run affiliate programs for outreach through review websites. The affiliate programs often have separate login portals, and commissions vary based on the credibility and popularity of the affiliate partners. This highlights the lack of transparency in the operation and marketing of VPN providers.

The study also evaluated the transparency practices of VPN services, specifically looking for links to privacy and acceptable usage policies on their websites. It found that 25% of the VPN services did not have a link to their privacy policy and 42% did not provide terms of service. The length and content of the privacy policies varied greatly, further highlighting the lack of standardization and transparency in the industry.

In terms of logging policies, only 45 VPN services explicitly claimed a “no-logs” policy. The information about logging was often either embedded in the privacy policies or used as a branding feature on the VPN homepage, making it difficult for users to understand the actual practices.

In conclusion, this passage suggests that the VPN industry is rife with deceptive practices, unverified claims, and a lack of transparency. While some services make genuine efforts to be transparent, there is a significant number of VPN providers that do not meet basic transparency standards, potentially due to the lack of regulation in the VPN industry. This situation can lead to confusion and misinformation among consumers, making it difficult for them to make informed choices about which VPN service to use.

Conclusion

The commercial VPN industry, while offering potential privacy solutions for Internet users, is mired in opacity and questionable practices, as evidenced in prior research. Our own findings largely align with this perspective, indicating that VPN providers can potentially manipulate traffic, and in certain cases, resort to incentivizing users to pay for subscriptions through traffic manipulation. While our ability to detect such activities is limited, it’s crucial to acknowledge that our results likely represent a conservative estimation of the actual scenario. The prevalence of affiliate marketing further obscures the transparency of these services, making unbiased evaluations hard to find.

Furthermore, we found that VPN providers often exploit ‘virtual’ vantage points to falsely advertise their physical presence in various countries, a practice that is not always disclosed to users. This, coupled with common issues of poor default configurations resulting in data leakage, highlights the need for continued scrutiny in the VPN industry.

Despite these challenges, we remain dedicated to offering clear and comprehensive evaluations of VPN services. Recognizing the current limitations, we stress the importance of ongoing research in this area. As a part of our commitment to fostering transparency, we will make our findings publicly available through our website and continue to update our VPN test suite, thus empowering individuals to independently evaluate VPN services and make informed decisions. We hope these tools will contribute significantly to the global conversation about VPN reliability and privacy.

Zhan Shu

Contributor

Zhan Shu is a young Chinese native and tech blogger, driven by her passion for human rights and privacy advocacy. With a background in computer science, Zhan uses her expertise to explore the intersection of technology and digital freedom. Through her blog, she raises awareness about censorship, surveillance, and the latest privacy tools, courageously pushing for change in the face of the Great Firewall’s challenges.
