VPN Transparency Project

Tag: clouvider

  • X-VPN

    X-VPN

    X-VPN is a freemium VPN service that has become well-known for its simplicity and extensive server network. However, these points are overshadowed by some major concerns, making it a questionable choice for privacy-conscious users. One key issue is the existence of adware built into its app, making it a risky choice for users valuing privacy and security.

    X-VPN is owned by Free Connected Limited, a Hong Kong-based company that, upon investigation, revealed alarming links to mainland China. Given China’s notorious approach towards VPNs and digital rights, this is a significant cause for concern.

    Considering all these factors, X-VPN doesn’t come across as a trustworthy service. Its price and value for money also rank low at 6.0 out of 10, especially when there are cheaper and more reliable alternatives available.

    Privacy Practices

    Among the numerous concerns associated with X-VPN, the most unsettling is its privacy and logging policy, which received a dismal score of 2.9 out of 10. While many VPNs pride themselves on a strict no-logs policy, X-VPN has chosen a path far from it.

    Firstly, X-VPN logs a range of information that should typically be off-limits for a VPN service, especially one that purportedly values user privacy. This logged data includes device information, individual bandwidth usage, and connection timestamps, a decision we find to be unacceptable. While none of this information may be immediately identifiable, when correlated, such data can potentially be used to de-anonymize user activity.

    For mobile app users, X-VPN goes a step further, collecting VPN connection timestamps, choice of VPN protocol, and network type. Although the service has recently reduced its data retention period from 96 to 48 hours, it still raises eyebrows as to why it needs to collect this data in the first place. Top VPN providers have shown it’s entirely possible to optimize service without maintaining such logs.

    Furthermore, X-VPN’s vague privacy policy and the extent of data it collects vary by device. Across all its apps, it logs data like device information, usage, and city-level location, ostensibly for product development purposes. Even though this data can be deleted upon request, it’s unclear how straightforward this process is and whether any residual data remains.

    X-VPN’s logging practices become all the more concerning when coupled with its ties to China. Given the stringent regulation and censorship in the country, the possibility of data being accessed by third parties or government authorities can’t be ruled out.

    Lastly, X-VPN’s logging policy has not been verified by an independent audit or backed by a warrant canary. This lack of transparency and validation casts further doubt on X-VPN’s commitment to user privacy.

    In conclusion, X-VPN’s privacy policy and data logging practices not only betray the core principles of what a VPN should stand for – privacy, security, and anonymity – but also place it as a poor choice for those seeking a genuinely private and secure online experience. Users are strongly advised to consider VPNs that have clear, user-friendly, and audited no-logs policies to ensure their online activities remain private and secure.

    During the review, we also noted multiple connections to various domains such as get-xmore-links8.com, api.du-just-link.com, etc., which only compounds our concerns about its commitment to user privacy and security.

    We strongly advise against using X-VPN, particularly its free version which comes without a kill switch and is restrictive on server locations. While it does have some positives like ease of use and ability to unblock streaming platforms, its serious flaws, especially the adware issue, make it a risky choice.

    We suggest exploring other VPN services ranked higher, which offer fast speed, reliable unblocking capabilities, and most importantly, prioritize user privacy and security.

  • Surfshark

    Surfshark

    Surfshark VPN is one of the most popular VPN services in 2022. Its competitive price and unlimited simultaneous connections make it a very attractive VPN option for all kinds of users. But does this VPN live up to give the actual value for money that it claims? Surfshark also offers thousands of servers worldwide, excellent connection speeds, and next-gen AES encryption. However, users have been questioning its jurisdiction and whether it’s as private as showcased.

    Surfshark offers some really useful features like SmartDNS, the fast WireGuard protocol, P2P-optimized servers, and provides a selection of easy-to-use intuitive apps and platforms.

    So, when you’re connected to Surfshark – who’s servers are you really using? After completing my testing I have concluded that Surfshark uses 20% their own servers, 17% CDNext, 17% M247, 14% CDN77, 13% Host Royale, and the remaining few are Host Universal, Clouvider, and Hydra Communications.

    Surfshark Network Overview

    M247
    CDNext
    CDN77
    Host Royale
  • ExpressVPN

    ExpressVPN

    ExpressVPN was launched in 2009 by serial entrepreneurs Peter Burchhardt and Dan Pomerantz. From its inception, ExpressVPN’s commitment to privacy and security would be called in to question as several unsettling events unfolded. The service would eventually be acquired by Kape Industries (see more below) for just shy of 1 billion dollars. You have to ask yourself – what kind of company has that kind of cash sitting around, and how do they earn it? Certainly no humble privacy thinktank or nonprofit.

    Contents

    The notoriety of ExpressVPN began to gain prominence in 2016, when Turkish authorities confiscated one of its servers. The device was believed to be implicated in the erasure of evidence linked to the assassination of the Russian ambassador to Turkey.

    The spotlight shone on ExpressVPN again in 2021, but this time due to a change in its corporate structure. The VPN provider was acquired by Kape Technologies, an Israeli company with a concerning history of generating malware and adware. The implications of this acquisition remain debatable, especially considering the parent company’s questionable past activities.

    The plot thickened in the same year when Daniel Gericke, ExpressVPN’s Chief Information Officer, admitted to participating in Project Raven. In this scheme, he helped the UAE spy on American dissidents and journalists, a revelation that raised alarm bells among privacy advocates. It was discovered by Reuters that some of those individuals were later tortured by the UAE.

    ExpressVPN Privacy Policy

    When evaluating ExpressVPN’s privacy policy, there is one interesting bit that stands out:

    Legal. Your Personal Data is controlled by and stored under ExpressVPN, and not by its ultimate holding company, Kape Technologies PLC (UK) or other related entities. Express Technologies Ltd. operates under BVI jurisdiction, in accordance with BVI laws (pursuant to Section 16 of the Terms). Consequently, any demand via legal means for Personal Data (or other types of data) is subject to BVI jurisdiction and laws. We fight vigorously to defend our rights (and those of our users) if an attempt is made to bypass the privacy protections provided for by the BVI. A parent, subsidiary, or related entity cannot be compelled to, nor would it voluntarily, provide Personal Data stored by Express Technologies Ltd.

    Let’s translate this from legalese and break it down. What that essentially means is that if a law enforcement agency from outside the British Virgin Islands, such as an American agency, wants access to your account information, the request would be assessed under BVI legal standards. This does not mean gaining access to your account information is not impossible, just more difficult.

    If a U.S. law enforcement agency contacted ExpressVPN for your account information, several scenarios could unfold:

    1. Mutual Legal Assistance Treaty (MLAT): The agency might go through an MLAT or other formal channels to request assistance from BVI authorities. If BVI authorities deem the request valid under BVI law, they might compel ExpressVPN to comply.
    2. Direct Request Refusal: If the U.S. agency approached ExpressVPN directly, the company might refuse the request based on BVI jurisdiction unless ordered by BVI courts to comply.
    3. Challenge and Defense: ExpressVPN indicates it would fight vigorously to defend its rights and the rights of its users against attempts to bypass BVI privacy protections. While highly unlikely, this could involve legal battles where the legitimacy of the request would be tested against BVI privacy laws.

    The more heinous your offense was, the more likely the British Virgin Islands are to cooperate with the United States.

    App Telemetry

    When evaluating a company’s commitment to privacy, one of the best representations is what data or telemetry is collected while you are using their app. It’s kind of like if you were to find out a guest went through your medicine cabinet while using your bathroom. I do applaud ExpressVPN for immediately asking whether you would like to participate in sending usage analytics – most apps leave that option buried in the settings.

    However, despite turning this setting off, the iOS App Privacy Report tells an interesting story. The most contacted domains are all related to analytics and marketing:

    • app-measurement.com
    • firebaselogging-pa.googleapis.com
    • googleadservices.com
    • adservice.google.com
    • app.usercentrics.eu
    • fonts.googleapis.com
    • googleads.g.doubleclick.net
    • app.launchdarkly.com
    • sdk.iad-05.braze.com

    Collectively, these instances draw attention to ExpressVPN’s tangled engagement with privacy, power, and politics. They suggest a need for more in-depth investigations and disclosures to make informed decisions about the use of such services. Evaluating any VPN service is no longer just about comparing features and prices; it also entails a keen understanding of the company’s ethics, allegiances, and accountability. It’s clear that trust and transparency are vital in the digital age, but the story of ExpressVPN reminds us that these values are often harder to find than we’d like.

    Can you safely torrent with ExpressVPN?

    In section 7 Acceptable Use Policy of the ExpressVPN Terms of Service it clearly states that you are not to upload, download, or distribute material that is copyrighted, and that they will terminate your account after repeated violations. That is not to say that ExpressVPN actively monitors for BitTorrent usage – it simply means if your account is flagged multiple times for DMCA violations they will terminate your account in order to remain legally compliant. That being said, quite often once an IP address is verified to be from a VPN the group representing the intellectual property holders will not bother to submit the DMCA notice, but your mileage may vary.

    What services are available while using ExpressVPN?

    ServiceBlocked / Restricted
    Amazon PrimeAccessible; non-US IPs blocked
    NetflixAccessible
    SpotifyAccessible
    PandoraAccessible
    YouTube MusicAccessible
    HuluAccessible
    Disney+Accessible
    Google SearchCaptcha for non-US IPs
    ChatGPTAccessible
    YouTubeAccessible

    It’s also worth discussing ExpressVPN’s questionable advice regarding browser choice. Their marketing team has recommended the Chrome browser to its users, a decision that stands in stark contrast to their ostensible privacy-focused ethos. Chrome, as is well known, is a product of Google, a company with a prominent role in the realm of data collection and targeted advertising. Recommending a browser that has been at the center of various privacy controversies suggests a surprising disconnect from the fundamental principles of data protection. This discrepancy between ExpressVPN’s supposed commitment to privacy and its browser recommendation raises questions about the company’s understanding and prioritization of privacy issues. It serves as a sobering reminder that companies may not always act in the best interest of users when it comes to safeguarding digital rights and freedom.

    Kape Industries

    In our original article, we highlighted the evolution of Kape Technologies, formerly known as Crossrider. Initially, Crossrider was involved in the production of a browser development platform that was unfortunately exploited by third parties to distribute malware onto devices. However, in 2016, Crossrider decided to shut down its development platform. Subsequently, the company underwent a significant transformation, acquiring various VPNs starting in 2017 and ultimately rebranding as Kape Technologies in 2018.

    Under the umbrella of Kape Technologies, several notable VPN services are now owned, including CyberGhost, Private Internet Access, ZenMate VPN, and recently, ExpressVPN. It is worth noting that Kape Technologies also runs VPN “review” websites, which curiously rank its own VPN services in top positions. This arrangement raises questions about the impartiality and objectivity of these rankings.

    Despite the acquisition, ExpressVPN seems to be operating independently for the time being. However, the long-term impact of the ownership change remains uncertain. It will be interesting to see how ExpressVPN develops under the ownership of Kape Technologies. In our latest round of tests, ExpressVPN has performed well, surpassing its performance from the previous year. We will closely monitor the situation and update our ExpressVPN review accordingly to provide accurate observations and insights to our readers.

    ExpressVPN’s ‘No Logs’ Policy Put to the Test

    In December 2017, Turkish authorities seized an ExpressVPN server in an attempt to obtain customer data. However, the authorities were unable to find any logs on the server, as ExpressVPN does not keep any logs of its users’ activity.

    This incident demonstrates the strength of ExpressVPN’s ‘No Logs’ policy. Even when authorities seized a server, they were unable to obtain any user data. This is because ExpressVPN does not store any logs of its users’ activity, including their IP addresses, browsing history, or connection times.

    ExpressVPN is one of the few VPN providers that can make this claim. Many other VPN providers claim to have a ‘No Logs’ policy, but they have been caught logging user data in the past. This makes ExpressVPN a more trustworthy option for users who are concerned about their privacy.

    See Also

  • NordVPN

    NordVPN

    NordVPN is a Virtual Private Network (VPN) service provider that was founded in 2012 by four childhood friends in Panama. The company is now headquartered in Cyprus, with offices in the United States, the United Kingdom, and Lithuania. NordVPN is one of the most well-known VPNs in the market, and this is due to their extensive advertising on various platforms, including YouTube. NordVPN’s ads feature catchy taglines and famous personalities, making them one of the most recognizable VPN brands in the market.

    But just because NordVPN is based in Panama, that doesn’t mean their servers are. After testing around 6,700 servers used by NordVPN, I concluded that NordVPN servers predominantly use Datacamp Limited, M247, Clouvider, and Hydra Communications. It is worth noting that NordVPN does own and operate about 10% of their servers which are operated under the business name Tefincom.

    NordVPN Privacy Policy

    The privacy policy and terms of service are one key way a VPN provider can put their money where their mouth is. Afterall, a service can make whatever claims they want, but the truth lies in their policies. NordVPN has one of the worst privacy policies and acceptable use policies I’ve ever seen. First, in their ToS they stipulate that you are not to use NordVPN for anything that that they as a company would find inappropriate or offensive.

    • communicate, transmit, store, make available, share anything that is illegal, abusive, harassing, or otherwise objectionable (objectionable means anything which interferes with the rights of Nord, its users, or other third parties, or causes conditions that are dangerous, hazardous, and detrimental to others, or anything that most users and/or Nord would find to be offensive or inappropriate);

    Further, it goes on to suggest that using their service to bypass georestrictions is also against their ToS:

    • attempt to circumvent any technological measure and/or arrangement implemented by Nord and/or its licensors, or by the owner of the resource or the source of the material that the technological measure protects;

    • violate general ethical or moral norms, good customs, and fair conduct norms;

    Their privacy policy isn’t much better. It states that they will retain your billing information for ten years, and even worse, will retain your data if they receive a court order or subpoena:

    (ii) Nord also may retain information associated with you (e.g., payments data) in order to fulfill its obligations as required by applicable laws, regulations, court orders, subpoenas, or other legal processes for archival purposes.

    Lack of transparency

    One of the most well-known players in the VPN industry, has faced its fair share of controversy over the past few years. While it maintains a significant user base and performs admirably in various audits, numerous concerns have emerged about the company’s privacy practices, integrity, and security.

    One of the most glaring concerns revolves around a data breach that occurred in 2019. An attacker managed to gain access to a server by exploiting an insecure remote management system left by the data center provider. This incident, which went undisclosed by NordVPN until highlighted by a third party, is a clear violation of trust, raising valid concerns over the VPN provider’s transparency.

    Moreover, NordVPN’s relationship with Tesonet, a data-mining, analytics, SEO, and targeted marketing company, has been under scrutiny. Despite vehement initial denials, NordVPN finally admitted to this association, only to downplay its relevance. This admission further exacerbates concerns over user privacy, considering Tesonet’s activities.

    Adding fuel to the fire, NordVPN has been discovered to be based out of Lithuania, a country with mandatory data retention laws. This revelation contradicts the company’s claim of being registered in Panama, a known privacy-friendly jurisdiction, thus eroding trust.

    NordVPN’s partnership with Hola VPN, which was involved in forming a data mining botnet, and its alleged theft of technology from Hola VPN further draws into question the company’s ethics. It’s important to note that Hola VPN has been widely criticized for its own practices, which makes its association with NordVPN disconcerting.

    Several troubling practices have also surfaced relating to NordVPN’s marketing and sales techniques. The company has been accused of engaging in price discrimination, making it difficult for users to cancel auto-renewal, and reducing features for those who cancel auto-renewal. There are also reports of NordVPN sharing data with Facebook and leaking sensitive customer data.

    Adding to these controversies, NordVPN has been accused of blackmailing competitor TorGuard and has faced criticism from a UK-based watchdog for misleading marketing. It also reportedly sent cease-and-desist copyright claims to Njalla, further tarnishing its reputation.

    NordVPN’s wide-ranging sponsorship deals, which include football teams and numerous YouTubers, have also been called into question. Many believe these partnerships are incentivised by high affiliate commissions, which may be influencing the integrity of VPN reviews and recommendations.

    Despite the series of security audits that NordVPN has undergone, these revelations and practices suggest that trust and transparency are far from guaranteed. It’s crucial for users to conduct their due diligence and weigh the potential risks before choosing a VPN provider. The issues surrounding NordVPN serve as a sobering reminder that not all VPNs deliver on their promises of privacy and security.

    NordVPN, Surfshark, Denial

    NordVPN’s credibility was further strained when it was discovered that the company had ties to Surfshark, another popular VPN service. This discovery was unexpected and raised concerns given Surfshark’s track record.

    Surfshark has its share of controversies, which include system-level changes that persisted even after uninstallation, exposing user IPs and making them vulnerable. The company’s TrustDNS app has been implicated in data collection for advertising and marketing purposes. There’s also the issue of weak security, including the installation of risky root certificates on user devices.

    The link between NordVPN and Surfshark was initially and extensively denied by both entities. However, they eventually acknowledged their relationship, adding another layer to NordVPN’s complicated narrative. The merger between these two was officially announced, which startled users who were relying on these services for anonymity and security.

    These revelations not only shed light on NordVPN and Surfshark’s questionable practices but also underscore the need for users to question the transparency of VPN services. It’s essential to keep in mind that the practices of these companies can directly impact user privacy and security. Therefore, users must stay informed about the operations of their chosen VPN services.

    In the end, the core of the VPN business relies on trust, and the denial and eventual admission of the connection between NordVPN and Surfshark is a blatant breach of that trust. It highlights the need for vigilance and constant scrutiny of companies that promise to protect our digital rights and freedom.

    Related Posts