VPN Transparency Project

Tag: trabia

  • X-VPN

    X-VPN

    X-VPN is a freemium VPN service that has become well-known for its simplicity and extensive server network. However, these points are overshadowed by some major concerns, making it a questionable choice for privacy-conscious users. One key issue is the existence of adware built into its app, making it a risky choice for users valuing privacy and security.

    X-VPN is owned by Free Connected Limited, a Hong Kong-based company that, upon investigation, revealed alarming links to mainland China. Given China’s notorious approach towards VPNs and digital rights, this is a significant cause for concern.

    Considering all these factors, X-VPN doesn’t come across as a trustworthy service. Its price and value for money also rank low at 6.0 out of 10, especially when there are cheaper and more reliable alternatives available.

    Privacy Practices

    Among the numerous concerns associated with X-VPN, the most unsettling is its privacy and logging policy, which received a dismal score of 2.9 out of 10. While many VPNs pride themselves on a strict no-logs policy, X-VPN has chosen a path far from it.

    Firstly, X-VPN logs a range of information that should typically be off-limits for a VPN service, especially one that purportedly values user privacy. This logged data includes device information, individual bandwidth usage, and connection timestamps, a decision we find to be unacceptable. While none of this information may be immediately identifiable, when correlated, such data can potentially be used to de-anonymize user activity.

    For mobile app users, X-VPN goes a step further, collecting VPN connection timestamps, choice of VPN protocol, and network type. Although the service has recently reduced its data retention period from 96 to 48 hours, it still raises eyebrows as to why it needs to collect this data in the first place. Top VPN providers have shown it’s entirely possible to optimize service without maintaining such logs.

    Furthermore, X-VPN’s vague privacy policy and the extent of data it collects vary by device. Across all its apps, it logs data like device information, usage, and city-level location, ostensibly for product development purposes. Even though this data can be deleted upon request, it’s unclear how straightforward this process is and whether any residual data remains.

    X-VPN’s logging practices become all the more concerning when coupled with its ties to China. Given the stringent regulation and censorship in the country, the possibility of data being accessed by third parties or government authorities can’t be ruled out.

    Lastly, X-VPN’s logging policy has not been verified by an independent audit or backed by a warrant canary. This lack of transparency and validation casts further doubt on X-VPN’s commitment to user privacy.

    In conclusion, X-VPN’s privacy policy and data logging practices not only betray the core principles of what a VPN should stand for – privacy, security, and anonymity – but also place it as a poor choice for those seeking a genuinely private and secure online experience. Users are strongly advised to consider VPNs that have clear, user-friendly, and audited no-logs policies to ensure their online activities remain private and secure.

    During the review, we also noted multiple connections to various domains such as get-xmore-links8.com, api.du-just-link.com, etc., which only compounds our concerns about its commitment to user privacy and security.

    We strongly advise against using X-VPN, particularly its free version which comes without a kill switch and is restrictive on server locations. While it does have some positives like ease of use and ability to unblock streaming platforms, its serious flaws, especially the adware issue, make it a risky choice.

    We suggest exploring other VPN services ranked higher, which offer fast speed, reliable unblocking capabilities, and most importantly, prioritize user privacy and security.

  • Private Internet Access

    Private Internet Access

    Private Internet Access (commonly known as PIA) is a capable VPN provider, now owned by Kape, which also owns CyberGhost, ZenMate and ExpressVPN.

    PIA has servers available in just about every single state in America, which is great if you want to encrypt and protect your connection but don’t want to get locked out your account for suspicious activity. Choosing a server in a remote country for instance can have some benefits but it is not always the most practical choice.

    Privacy Policy

    PIA’s privacy policy is a classic example of a company trying to paint itself in the best possible light regarding privacy and legal compliance. They talk a big game about scrutinizing legal requests and standing up for user privacy, emphasizing their commitment to the “spirit” and “letter” of the law. This is meant to reassure you, the user, that they’re on your side, ready to shield your data from the prying eyes of the law—unless absolutely necessary of course.

    But here’s the rub: when push comes to shove, the majority of companies, especially those anchored in the U.S., have a breaking point. The notion of a corporate David going toe-to-toe with the Goliath that is the federal government and emerging unscathed is, frankly, more fairy tale than fact. It’s not just about being bullied into submission; it’s about survival. Companies operate under the jurisdiction of local and federal laws, and while they might resist or push back on requests initially, the potential consequences of outright defiance—legal battles, hefty fines, or worse—make compliance the path of least resistance.

    What often goes unsaid in these polished statements is the scale and intensity of pressure a company can face behind closed doors. Yes, they might question or attempt to narrow down overly broad subpoenas, but these are tactical moves within a game where the house always wins. The promise to not participate with unconstitutional or illegal requests is noble but navigating the complex web of legal interpretations and potential repercussions makes this a tightrope walk at best.

    And let’s not gloss over the part where they say they’ll give users a chance to object to disclosures “when it is possible and a valid option.” That’s a lot of leeway packed into a few words, suggesting that this opportunity is more of an exception than a rule.

    In essence, while the statement aims to reassure you of the company’s steadfastness in protecting your privacy, the reality is often shaped by legal and political pressures that can turn those assurances into well-intentioned but ultimately hollow promises.

    Terms of Service

    As far as Terms of Service go, PIA’s is boilerplate industry standard. If you violate law they reserve the right to terminate your service. They don’t include any of the vague terms and phrases like some other providers due like “inappropriate conduct”.

    You must conduct yourself in a way that complies with law and would not violate these rules of conduct.

    Log Policy

    In the book Resistance, Liberation Technology and Human Rights in the Digital Age author Giovanni Ziccardi shares this response from Private Internet Access:

    “We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP. These are some of the many solutions we have implemented to enable the strongest levels of anonymity amongst VPN services. Further, we would like to encourage our users to use an anonymous e-mail and pay with Bitcoins to ensure even higher levels of anonymity should it be required.” Q2: “Our company currently operates out of the United States with gigabit gateways in the US, Canada, UK, Switzerland, and the Netherlands.

    We chose the US, since it is one of the only countries without a mandatory data retention law. We will not share any information with third parties without a valid
    court order. With that said, it is impossible to match a user to any activity on our system since we utilize shared IPs and maintain absolutely no logs.”

    Torrenting

    Private Internet Access (PIA) beats around the bush when it comes to using their VPN services for BitTorrent. While their terms of service explicitly prohibit copyright infringement, their Frequently Asked Questions page delicately navigates the subject of torrenting. PIA suggests that utilizing their VPN can enhance online privacy and prevent ISPs from potentially labeling a user’s activities as suspicious. However, this stance is somewhat disingenuous, as ISPs generally do not actively monitor their customers’ web traffic. The primary concern with torrenting, particularly in the context of piracy, is the risk of receiving DMCA takedown notices, which is a more direct consequence of copyright violation than mere ISP scrutiny.

    Torrenting with PIA is a breeze, however. After I connected to a Canadian server about 1,200 miles away I fired up QBitorrent and within seconds was connectable. I was able to achieve speeds of 10Mbps down and 1.4Mbps up. Not too shabby. It’s important to remember that torrenting is a completely subjective experience and these results are only indicative of my experience. Yours may differ wildly.

    According to my research, PIA VPN predominantly uses CDNext, GTT, and M247 servers depending on where you are connecting to.

    Use of virtual servers

    While it’s not uncommon for VPN providers to use location virtualization, some do see it as dishonest and another deceitful marketing technique. During our testing, we discovered that PIA does in fact use location virtualization. For instance, 100% of the servers advertised as being in the Philippines were actually located in Singapore.

    IP                Advertised Country   Actual Country  ISP    ASN      
188.214.125.131   Philippines          Singapore       M247   AS9009

    ASN Diversity

    In the realm of Virtual Private Networks (VPNs), diversity is a key indicator of network resilience. A significant measure of this diversity can be evaluated using the Shannon Diversity Index (SDI), a concept borrowed from ecology to measure the biodiversity in a given community. In the context of VPNs, the SDI offers a quantitative assessment of the diversity of Autonomous System Numbers (ASNs) among VPN servers. Theoretically, a higher SDI correlates with increased network diversity, indicating a more resilient network structure less prone to single-point failures.

    An examination of Private Internet Access (PIA), with its SDI value of 1.8, reveals a comparatively lower network diversity in relation to other VPNs. For instance, Windscribe, Surfshark, and NordVPN have reported SDI values of 3.6, 2.88, and 2.75 respectively. This suggests a potential susceptibility in PIA’s network to failures or targeted attacks, owing to its relatively less diverse network.

    However, it is crucial to emphasize that SDI, while informative, is not the sole determinant of network performance and resilience. Several other factors, including the choice of Internet Service Providers (ISPs), geographical server distribution, total network capacity, and VPN service management practices significantly influence a VPN’s overall performance. Thus, while PIA’s SDI value may not place it at the pinnacle of network diversity, it is important to consider the holistic context when evaluating VPN performance and resilience.

    See also: