Mullvad is a small but mighty VPN provider that offers incredible speeds along with security and performance that stacks up with the best VPNs. Mullvad VPN is fast, great for torrenting, and excellent at keeping you safe online. It uses AES-256 encryption, OpenVPN and WireGuard protocols, multi-hop, and a dependable kill switch. However, Mullvad prioritizes internet privacy over entertainment. Despite its excellent privacy and security offering, the VPN is terrible when it comes to unblocking streaming services.
But when you are using Mullvad VPN, who’s networks are you really using? After my testing I concluded that Mullvad uses 48% M247, 15% 31173, 11% Tzulo, 8% DataPacket, 7% 100TB, 3% xTom, and the remaining servers use Blix, QuadraNet, and Intergrid.
Looking at the chart above, you can see that Mullvad VPN has effectively surrendered a significant degree of control over their VPN network to the British authorities. This means that M247 and DataPacket may be required by the courts to monitor, censor, or eliminate certain nodes. The UK is notorious for mandating that internet service providers keep records of every website visited by a user for a year. Furthermore, the country has proposed that social media and ISPs block posts containing “legal but harmful content.” Additionally, the so-called independent regulator Ofcom, which is not truly independent, has the power to censor anything it deems to be misinformation or disinformation, much like China and Russia.
Either the government or Ofcom could easily categorize M247 and DataPacket as ISPs, rather than web hosts. This would result in the enforcement of censorship on their global networks or a 10% global turnover fine. M247 provides internet services to UK-based businesses, making it an obvious candidate for ISP classification. DataPacket, on the other hand, could potentially be classified as offering an internet service due to their active advertising to VPN providers, although this is a weaker argument.
App Privacy
Other Security Features
Kill Switch — A kill switch acts as your last line of defense when your VPN connection unexpectedly drops. Mullvad has a built-in kill switch that can never be disabled, but it’s only available on its desktop apps. I tested it by trying to load a page when changing servers on my laptop, and it said my connection was cut off.
Split Tunneling — Split tunneling allows you to use your VPN connection and local network at the same time. The advantage is that you can use local apps while bypassing geoblocks on your browser. Mullvad only enables split tunneling on its Android and Linux apps, and are currently building a Windows version. When I tried it on my Android smartphone, I could use my local banking app while watching US Netflix through the encrypted VPN tunnel. If you’re not using Android or Linux, then you can configure your routes on your OpenVPN or WireGuard protocol to enable split tunneling.
Double VPN — Mullvad’s Bridge servers are a version of Double VPN or MultiHop. This is when your internet traffic gets redirected through 2 VPN servers instead of just 1 for extra security. It can also help you bypass firewalls on restricted networks. You can easily toggle Bridge on or off in settings. I was impressed that I didn’t notice any decrease in speed when I used them — usually, the extra encryption layers reduce your speeds. However, you can’t use Bridge servers on mobile devices, which was disappointing.
Tor compatibility — You can configure your OpenVPN connection to use the Tor network through Mullvad. Once the configuration is done, then you’ll need to configure your Tor browser to connect to Mullvad using the Shadowsocks proxy. This means that you can only connect to the Tor network through the Tor browser by using Mullvad as the exit node. Luckily, there are instructions available for this.
Hotspot Shield is a VPN service that has been around since 2008, making it one of the older players in the market. The service gained notoriety for its use by dissidents during the Arab Spring protests in the early 2010s. However, its reputation took a hit in 2016 when researchers cited Hotspot Shield in a research paper for using tracking libraries in their VPN service. A year later, the Center for Democracy and Technology accused the company of engaging in unfair and deceptive trade practices. In 2018, a researcher discovered a data leak, further eroding Hotspot Shield’s reputation. As a result, many websites stopped recommending the service.
Despite these negative events, Hotspot Shield got a fresh start in 2019 when it became part of the Pango family of products. The VPN service was then acquired by a company called Aura in July 2020. With these recent changes in ownership, we felt it was a good time to take another look at Hotspot Shield. During our research and testing, we identified both positives and negatives of the service, and we also uncovered some interesting facts about Hotspot Shield and its parent companies. While we will delve into the corporate complexities at a later time, our findings provide a comprehensive overview of Hotspot Shield and its suitability as a VPN provider.
Baked with adware
Similar to VPN 360, the Hotspot Shield app routinely pings multiple advertising domains which is immediately a red flag. Any company that injects tracking codes into their apps immediately lose credibility in my eyes, and I take all of their promises and core principles with a grain of salt. I also discovered the app pinging various subdomains from yahoo.com There are much, much better VPNs that fight to protect your privacy – for less money. Here are the most commonly accessed domains from the app:
adcolony.com
adtilt.com
unity3d.com
doubleclick.net
supersonicads.com
dewrain.life
ssacdn.com
A complicated history
The corporate structure of Hotspot Shield is complex, and it has undergone significant changes over the years. The VPN service was developed by AnchorFree in 2008, a company based in Redwood City, California. Despite being a popular VPN service, Hotspot Shield faced a setback in 2017 when the Center for Democracy and Technology accused AnchorFree of deceptive trade practices. In 2018, a security researcher discovered a bug in the Hotspot Shield client that exposed user data.
In 2019, Hotspot Shield joined Pango, a new company that offers a suite of security and privacy products. Like AnchorFree, Pango is based in Redwood City, California.
In July 2020, Pango joined Aura, a digital security company. According to Hari Ravichandran, the founder, and CEO of Aura, the goal of all this activity is to:
…build the best all-in-one digital protection platform for consumers. With the scale achieved through these transactions, we continue our journey to build and expand our integrated security platform. Our vision is fueled by our commitment to make digital security simple, user-friendly and accessible to everyone.
Shady logging practices
Sure enough, when I clicked on the VPN’s privacy policy on its website, I was redirected to Aura’s general policy for all of its products. While Hotspot Shield claims it doesn’t store any information that can be linked back to you, Aura states it logs the following:
Information about the domains you access when connected.
Usage information such as connection timestamps, frequency of use, and bandwidth used.
Device information including identifiers, operating systems, browser type, internet service provider, and network information.
Approximate location information (obtained from logging your IP address, albeit encrypted).
VPN 360 is a virtual private network (VPN) app that allows users to protect their online privacy and security by encrypting their internet connection and routing it through a private server. It is one of the security products offered by Pangu whose parent company is Aura. VPN 360 is available for both Android and iOS devices, and can be downloaded for free from the Google Play Store or the Apple App Store. VPN 360 offers both free and paid subscription options. The free version of the app has some limitations, such as slower connection speeds and a limited selection of servers. The paid subscription offers faster connection speeds, more server locations, and other additional features.
Our first major problem with VPN 360, and it’s all because of their logging policy. Their so-called “privacy policy” clearly states that they’ll hand over your information to the authorities without hesitation, and there are a ton of exceptions where they’ll collect and give up your data. Honestly, we find this policy completely unacceptable and we wouldn’t recommend trusting it, especially since VPN 360 is a paid service.
Tracking code
Similar to Hotspot Shield, the VPN 360 app routinely pings multiple advertising domains which is immediately a red flag. Any company that injects tracking codes into their apps immediately lose credibility in my eyes, and I take all of their promises and core principles with a grain of salt. I also discovered the app pinging various subdomains from yahoo.com There are much, much better VPNs that fight to protect your privacy – for less money. Here are the most commonly accessed domains from the app:
adcolony.com
adtilt.com
unity3d.com
doubleclick.net
supersonicads.com
dewrain.life
ssacdn.com
No OpenVPN or WireGuard configs
Another worrisome part of this service is the fact that the only protocols they offer are IPSec and Hydra. Hydra is a proprietary VPN protocol developed by the cybersecurity company, AnchorFree. According to AnchorFree, Hydra VPN is designed to provide “faster and more reliable connections” compared to other VPN protocols such as OpenVPN and IPSec. The fact that they do not offer WireGuard confirms the fact that I would never use this product.
Unfortunately, VPN 360 is just another one of those “free” VPN apps that’s mobile-only and barely even worth considering. Don’t waste your time with it – it’s security and privacy features are weak, its connection speeds are completely unreliable, and it doesn’t even work with Netflix. Plus, the app is absolutely riddled with ads. Seriously, there are so many other VPN options out there that are way safer and more trustworthy – go with one of those instead.
ExpressVPN was launched in 2009 by serial entrepreneurs Peter Burchhardt and Dan Pomerantz. From its inception, ExpressVPN’s commitment to privacy and security would be called in to question as several unsettling events unfolded. The service would eventually be acquired by Kape Industries (see more below) for just shy of 1 billion dollars. You have to ask yourself – what kind of company has that kind of cash sitting around, and how do they earn it? Certainly no humble privacy thinktank or nonprofit.
The notoriety of ExpressVPN began to gain prominence in 2016, when Turkish authorities confiscated one of its servers. The device was believed to be implicated in the erasure of evidence linked to the assassination of the Russian ambassador to Turkey.
The spotlight shone on ExpressVPN again in 2021, but this time due to a change in its corporate structure. The VPN provider was acquired by Kape Technologies, an Israeli company with a concerning history of generating malware and adware. The implications of this acquisition remain debatable, especially considering the parent company’s questionable past activities.
The plot thickened in the same year when Daniel Gericke, ExpressVPN’s Chief Information Officer, admitted to participating in Project Raven. In this scheme, he helped the UAE spy on American dissidents and journalists, a revelation that raised alarm bells among privacy advocates. It was discovered by Reuters that some of those individuals were later tortured by the UAE.
ExpressVPN Privacy Policy
When evaluating ExpressVPN’s privacy policy, there is one interesting bit that stands out:
Legal. Your Personal Data is controlled by and stored under ExpressVPN, and not by its ultimate holding company, Kape Technologies PLC (UK) or other related entities. Express Technologies Ltd. operates under BVI jurisdiction, in accordance with BVI laws (pursuant to Section 16 of the Terms). Consequently, any demand via legal means for Personal Data (or other types of data) is subject to BVI jurisdiction and laws. We fight vigorously to defend our rights (and those of our users) if an attempt is made to bypass the privacy protections provided for by the BVI. A parent, subsidiary, or related entity cannot be compelled to, nor would it voluntarily, provide Personal Data stored by Express Technologies Ltd.
Let’s translate this from legalese and break it down. What that essentially means is that if a law enforcement agency from outside the British Virgin Islands, such as an American agency, wants access to your account information, the request would be assessed under BVI legal standards. This does not mean gaining access to your account information is not impossible, just more difficult.
If a U.S. law enforcement agency contacted ExpressVPN for your account information, several scenarios could unfold:
Mutual Legal Assistance Treaty (MLAT): The agency might go through an MLAT or other formal channels to request assistance from BVI authorities. If BVI authorities deem the request valid under BVI law, they might compel ExpressVPN to comply.
Direct Request Refusal: If the U.S. agency approached ExpressVPN directly, the company might refuse the request based on BVI jurisdiction unless ordered by BVI courts to comply.
Challenge and Defense: ExpressVPN indicates it would fight vigorously to defend its rights and the rights of its users against attempts to bypass BVI privacy protections. While highly unlikely, this could involve legal battles where the legitimacy of the request would be tested against BVI privacy laws.
The more heinous your offense was, the more likely the British Virgin Islands are to cooperate with the United States.
App Telemetry
When evaluating a company’s commitment to privacy, one of the best representations is what data or telemetry is collected while you are using their app. It’s kind of like if you were to find out a guest went through your medicine cabinet while using your bathroom. I do applaud ExpressVPN for immediately asking whether you would like to participate in sending usage analytics – most apps leave that option buried in the settings.
However, despite turning this setting off, the iOS App Privacy Report tells an interesting story. The most contacted domains are all related to analytics and marketing:
app-measurement.com
firebaselogging-pa.googleapis.com
googleadservices.com
adservice.google.com
app.usercentrics.eu
fonts.googleapis.com
googleads.g.doubleclick.net
app.launchdarkly.com
sdk.iad-05.braze.com
Collectively, these instances draw attention to ExpressVPN’s tangled engagement with privacy, power, and politics. They suggest a need for more in-depth investigations and disclosures to make informed decisions about the use of such services. Evaluating any VPN service is no longer just about comparing features and prices; it also entails a keen understanding of the company’s ethics, allegiances, and accountability. It’s clear that trust and transparency are vital in the digital age, but the story of ExpressVPN reminds us that these values are often harder to find than we’d like.
Can you safely torrent with ExpressVPN?
In section 7 Acceptable Use Policy of the ExpressVPN Terms of Service it clearly states that you are not to upload, download, or distribute material that is copyrighted, and that they will terminate your account after repeated violations. That is not to say that ExpressVPN actively monitors for BitTorrent usage – it simply means if your account is flagged multiple times for DMCA violations they will terminate your account in order to remain legally compliant. That being said, quite often once an IP address is verified to be from a VPN the group representing the intellectual property holders will not bother to submit the DMCA notice, but your mileage may vary.
What services are available while using ExpressVPN?
Service
Blocked / Restricted
Amazon Prime
Accessible; non-US IPs blocked
Netflix
Accessible
Spotify
Accessible
Pandora
Accessible
YouTube Music
Accessible
Hulu
Accessible
Disney+
Accessible
Google Search
Captcha for non-US IPs
ChatGPT
Accessible
YouTube
Accessible
It’s also worth discussing ExpressVPN’s questionable advice regarding browser choice. Their marketing team has recommended the Chrome browser to its users, a decision that stands in stark contrast to their ostensible privacy-focused ethos. Chrome, as is well known, is a product of Google, a company with a prominent role in the realm of data collection and targeted advertising. Recommending a browser that has been at the center of various privacy controversies suggests a surprising disconnect from the fundamental principles of data protection. This discrepancy between ExpressVPN’s supposed commitment to privacy and its browser recommendation raises questions about the company’s understanding and prioritization of privacy issues. It serves as a sobering reminder that companies may not always act in the best interest of users when it comes to safeguarding digital rights and freedom.
Kape Industries
In our original article, we highlighted the evolution of Kape Technologies, formerly known as Crossrider. Initially, Crossrider was involved in the production of a browser development platform that was unfortunately exploited by third parties to distribute malware onto devices. However, in 2016, Crossrider decided to shut down its development platform. Subsequently, the company underwent a significant transformation, acquiring various VPNs starting in 2017 and ultimately rebranding as Kape Technologies in 2018.
Under the umbrella of Kape Technologies, several notable VPN services are now owned, including CyberGhost, Private Internet Access, ZenMate VPN, and recently, ExpressVPN. It is worth noting that Kape Technologies also runs VPN “review” websites, which curiously rank its own VPN services in top positions. This arrangement raises questions about the impartiality and objectivity of these rankings.
Despite the acquisition, ExpressVPN seems to be operating independently for the time being. However, the long-term impact of the ownership change remains uncertain. It will be interesting to see how ExpressVPN develops under the ownership of Kape Technologies. In our latest round of tests, ExpressVPN has performed well, surpassing its performance from the previous year. We will closely monitor the situation and update our ExpressVPN review accordingly to provide accurate observations and insights to our readers.
ExpressVPN’s ‘No Logs’ Policy Put to the Test
In December 2017, Turkish authorities seized an ExpressVPN server in an attempt to obtain customer data. However, the authorities were unable to find any logs on the server, as ExpressVPN does not keep any logs of its users’ activity.
This incident demonstrates the strength of ExpressVPN’s ‘No Logs’ policy. Even when authorities seized a server, they were unable to obtain any user data. This is because ExpressVPN does not store any logs of its users’ activity, including their IP addresses, browsing history, or connection times.
ExpressVPN is one of the few VPN providers that can make this claim. Many other VPN providers claim to have a ‘No Logs’ policy, but they have been caught logging user data in the past. This makes ExpressVPN a more trustworthy option for users who are concerned about their privacy.
TorGuard is a virtual private network (VPN) service that encrypts internet traffic and helps to secure online activity. It is designed to protect privacy and increase security, and is often used to bypass internet censorship and access blocked content. TorGuard is based in the United States and was founded in 2012. In addition to its VPN service, the company also offers proxy services and anonymous email. TorGuard claims to have servers in over 50 countries and to support a wide range of devices and platforms, including Windows, Mac, Linux, iOS, Android, and routers.
According to TorGuard’s website and privacy policy, the company does not keep logs of its users’ online activity or IP addresses. TorGuard states that it has a strict no-log policy, which means that it does not collect or store any information about its users’ online activity or IP addresses. This is intended to protect the privacy and security of TorGuard’s users. It’s worth noting that VPNs can be subject to government and law enforcement requests for user data, and a VPN company’s no-log policy may not necessarily protect users in all cases. However, in the absence of any logs, a VPN company like TorGuard would not have any information to provide to third parties if requested.
Network Overview
2019 Security Incident
According to a report by PCMag, NordVPN and TorGuard were hit by hacks involving insecure servers. The server did not contain user activity logs, but the hacker stole a Transport Layer Security key, which temporarily opened the door for a ‘man in the middle’ attack. The hackers may have also gained root access to the server, enabling them to potentially view and modify VPN traffic. NordVPN says that the attacker was able to nab the Transport Layer Security key that is used to verify that a site is actually run by NordVPN. TorGuard said that it manages its certificate authority and keys in-house and that its VPN or proxy traffic was not compromised during an isolated breach of a single VPN server and no sensitive information was compromised during this incident.
Global Coverage
TorGuard’s VPN service demonstrates a measure of global reach, with servers located in 34 countries. However, the number of servers per location is relatively modest, leading to less robust representation in each of the countries. The most prominent presence is in the United States, with 54 servers, which, although beneficial for users specifically seeking connections within this region, may not provide the most comprehensive access or optimal speeds for users desiring connections in other areas.
Upon applying the Global Diversity Index (GDI) – a scoring system designed to assess the geographical spread of VPN server locations – TorGuard achieves a score of 45 out of 100. This rating is influenced by the geographic diversity of server locations, the number of servers within these locations, and the global coverage of the service.
In constructing the GDI, several key factors are taken into account. The breadth of geographic representation is vital – providers with a greater number of countries covered generally score higher. The quantity of servers within each country is another crucial element, as a higher server count often equates to increased connection stability and potentially faster speeds. Furthermore, we consider the presence in regions typically underrepresented in VPN services, such as Africa and South America, as indicative of truly global coverage.
Thus, while TorGuard demonstrates a degree of global presence, the relative scarcity of servers within each location impacts its overall GDI score. It’s essential to reiterate, however, that the GDI score represents just one dimension of evaluating a VPN service, and users should also consider factors such as privacy policies, speed, security features, and customer support in making their choice.
