Category: VPNs

  • ZoogVPN

    ZoogVPN, based in Greece, began as an idea in 2010, after its creators had dealt with censorship and barriers themselves.[1] The service formally launched in 2013 and has since received mixed reviews. Unfortunately, while my speed tests were fast and had low latency, that’s where the good news ends. The Windows version of their app is slow and clunky, and a Reddit user reported (albeit 3 years ago) that the killswitch functionality in the Windows application does not work properly.[2] According to top10vpn.com, the killswitch feature on their macOS version will leak your IP address.[3]

    It cannot be overstated that DNS leaks are a huge privacy concern. The last thing you want is to connect to a VPN that you paid for and entrusted with your privacy, only to be betrayed by poor software.

    Interestingly, their CEO, Yaroslav Savenkov, has previously worked for data and marketing firms,[4] which may be considered a red flag for some users. After all, using a VPN to encrypt and transport your data means you trust the provider with your data.

    On a positive note, the VPN service passed the DNS leak test; however, it revealed that ZoogVPN configures their servers to use Google DNS. While not a huge privacy concern in and of itself, I’d expect a better alternative from a company committed to privacy.

    Footnotes
    1. https://www.safetydetectives.com/blog/zoogvpn-interview/
    2. https://www.reddit.com/r/VPNTorrents/comments/jsbksg/zoogvpn_users_be_careful/
    3. https://www.top10vpn.com/reviews/zoogvpn/
    4. https://dataforseo.com/blog/how-we-built-an-efficient-247-support-team
  • DuckDuckGo

    DuckDuckGo, renowned for its stance on user privacy, has recently unveiled a new service bundle dubbed “Privacy Pro.” This package integrates a VPN with personal information removal services and identity theft protection into DuckDuckGo’s browser app. However, this expansion into the already saturated VPN and browser market brings to light concerns about the company’s strategic direction and brand identity.

    Expanding Too Far from Core Services?

    DuckDuckGo has built its reputation on offering a privacy-centric search engine, standing in stark contrast to data-hungry competitors like Google. Over the years, they’ve added an email forwarding service and a web browser to their repertoire, maintaining a focus on protecting user data. The introduction of “Privacy Pro” marks another expansion, but this time, it just feels ‘meh.’

    The new bundle attempts to address several privacy concerns, including VPN services, personal information removal, and identity theft protection. While these additions might seem like a natural extension of their privacy protection mission, they somewhat dilute the brand’s impact. The market is flooded with similar offerings, making it increasingly difficult to stand out without a clear and focused brand proposition.

    Questionable Partnerships Raise Eyebrows

    My primary concern isn’t just the expansion, but also the choice of partnerships that underpin the new VPN service. DuckDuckGo has chosen to use i3d.net servers, a company owned by gaming giant Ubisoft. This is a perplexing choice, considering Ubisoft’s 10% ownership by CCP-linked Tencent,[1] which also has a stake in Reddit.[2] Tencent is a company whose involvement in privacy-related controversies is well-noted. This connection is particularly alarming for privacy advocates who might expect DuckDuckGo to partner with entities that align more closely with its foundational privacy principles.

    Technical Performance and User Experience

    On a more positive note, the user interface of DuckDuckGo’s VPN service is commendably simple and efficient, catering well to those who prioritize ease of use. Performance-wise, the VPN impresses with high download speeds, peaking at 436Mbps during my tests. This indicates that while there may be concerns about the backend, users will not likely experience any compromise in performance.

    Final Thoughts

    Despite the technical strengths, DuckDuckGo’s venture into this crowded market segment with questionable partnerships might not resonate well with its user base, which primarily seeks uncompromised privacy. If DuckDuckGo wishes to truly enhance its offerings, perhaps a more robust expansion into email services or further development of their existing tools would be more in line with user expectations and their brand identity.

    In conclusion, while “Privacy Pro” aims to offer comprehensive privacy tools, the actual value and alignment with DuckDuckGo’s core principles remain under scrutiny. As a long-time advocate for privacy, I find the lack of a focused brand strategy and questionable server partnerships to be major concerns, overshadowing the potential benefits of the new features. DuckDuckGo will need to tread carefully to maintain the trust and loyalty of its privacy-conscious users.

    1. Crecente, B. (2018, March 20). Vivendi sells all of its Ubisoft shares to Tencent and others. Rolling Stone. https://web.archive.org/web/20180320211254/https://www.rollingstone.com/glixel/features/vivendi-sells-all-of-its-ubisoft-shares-to-tencent-and-others-w518120
    2. Kelly, K. J. (2019, February 15). Condé Nast’s hold on Reddit slips but Newhouse family has cushion. New York Post. https://nypost.com/2019/02/14/conde-nasts-hold-on-reddit-slips-but-newhouse-family-has-cushion/
  • Betternet

    Betternet is a freemium VPN service that comes from the family of Pango services, alongside Hotspot Shield, VPN360 and Ultra VPN. This is an important detail that users must understand when putting faith into a VPN service to not just conceal, but protect their true identity. Further, Pango has a questionable track record and should generally be considered not trustworthy.

    Terms of Service

    Remember when I said Pango wasn’t trustworthy? It’s because their Terms of Service straight up says they’ll snitch on you to law enforcement if they deem it necessary or appropriate. We already know from their Privacy Policy that they keep aggregated logs of websites their users go to. See the picture we’re painting here? They are not a privacy company.

    if you post any User Content that is prohibited by this Agreement, then we may—but have no obligation to—take any remedial action that we, in our sole discretion, deem necessary and/or appropriate under the circumstances, such as, without limitation, suspending or terminating your account, removing your User Content, and/or reporting you to law enforcement authorities, either directly or indirectly.

    Torrenting/P2P

    One of the most common reasons people use VPNs is to use p2p/torrent services without revealing their IP address. This is usually not an issue if your VPN provider is registered in a foreign country, as they can usually disregard DMCA violation notices. Unfortunately, Betternet is registered in the United States which means they are obligated under law to take action against your account if they receive a DMCA notice. Generally speaking this just means they’ll terminate your account but depending on the severity or specifics of the matter, it could become a legal and/or criminal situation.

    Connection Info

    Frequently, VPN services oversell their services to increase profit margin, or sometimes just straight up throttle their servers. After a speed test using speed.cloudflare.com and fast.com I observed reliable speeds of 200Mbps down and 40Mbps up with a latency of 66ms. Obviously these results are subjective and may not reflect global results, but it’s an indication of their server quality.

    Logging Policy

    While Betternet’s logging policy is not the worst I’ve ever seen, there are a few potential red flags that users should be aware of. Most notably, in their Privacy Policy, they state that they log:

    the domains that have been accessed by our users, but on an anonymized basis such that we do not know which user accessed which domain, nor the full URL that would indicate which web pages were visited.

    First and foremost, if you didn’t know that VPN providers can see which domains you are visiting, well… Now you know. That’s not the alarming part though. The alarming part is that they log this information to “monitor, support and optimize our VPN services.”

    App Telemetry

    I was pleasantly surprised to see that aside from core services, the only third-party connection the app made was to Google Firebase for usage analytics. There were no hard-coded tracking or advertising scripts. The most popular connections were:

    • *.cloudfront.com – where the core services are hosted
    • *.apple.com – required for App Store services
    • firebaseinstallations.googleapis.com – tracks app usage and does include analytics
  • GooseVPN

    GOOSE VPN is a VPN (Virtual Private Network) provider founded in 2016 in the Netherlands. The company’s mission is to make online privacy accessible and affordable for everyone. It is recognized for its features such as unlimited device connectivity and robust customer support available in multiple languages, including English, Dutch, French, German, Portuguese, Turkish, and Moroccan. Additionally, GOOSE VPN offers a 30-day money-back guarantee, allowing users to try its services without financial risk.

    GOOSE VPN has established a network of over 59 servers, primarily in Europe and the USA, with additional servers in diverse locations like Russia, Ukraine, Israel, India, and Egypt. The company prides itself on being the only VPN from the European Union and adheres to strict EU privacy requirements. This commitment to transparency and compliance with EU standards is a key aspect of their service offering.

    GooseVPN P2P Policy

    The terms of service for GooseVPN do not explicitly mention how they handle DMCA violations or copyright infringement issues. This lack of specific mention could mean that their policies on these matters are not detailed in that document, or they might be covered under more general clauses related to illegal activities and the use of their services.

    In cases like this, where specific terms or policies are not clearly outlined, it’s advisable to contact the service provider directly for more detailed information, especially on sensitive issues like DMCA violations and copyright infringement.

    Goose VPN No Log Policy

    GooseVPN’s terms of service state that they maintain a 100% no-log policy, which implies that they do not keep logs or save user information under normal circumstances. However, it also specifies that in compliance with the rules of public bodies, if a user of GooseVPN is suspected of criminal activities (such as terrorism), the company can start keeping a log on that specific user. Additionally, it is mentioned that GooseVPN does not support any other organization which supports any type of copyright claims.

    This means that while GooseVPN generally does not log user activities or information, they may do so in exceptional circumstances, particularly if required by law in cases of suspected criminal activities. The terms do not specifically address how they handle DMCA notices or copyright infringement directly, but their stance of not supporting organizations that handle copyright claims suggests a general non-cooperation in such matters unless legally compelled.

    GooseVPN Privacy Policy

    Being based in the Netherlands, GOOSE VPN is subject to the General Data Protection Regulation (GDPR), a comprehensive set of privacy laws that apply throughout the European Union. The influence of GDPR is evident in various aspects of their privacy policy and plays a significant role in ensuring trust between GOOSE VPN and its customers.

    Personal Data Protection: GDPR mandates strict standards for collecting and processing personal data. GOOSE VPN’s policy reflects this by clearly defining personal data and detailing the legal basis for its use, such as user consent and the necessity for contract fulfillment. This transparency aligns with GDPR’s requirement for clear communication about data processing.

    User Consent and Rights: Under GDPR, individuals have enhanced rights regarding their personal data. GOOSE VPN’s policy acknowledges these rights, including the right to access, rectify, erase, and transfer personal data, and to withdraw consent for data processing. This empowers users and builds trust, as they have control over their data.

    Data Minimization and Retention: GDPR emphasizes the principle of data minimization, meaning only necessary data should be collected and retained. GOOSE VPN’s commitment to not retaining data longer than necessary and not monitoring or saving users’ internet activities during VPN use demonstrates compliance with this principle.

    Data Security: GDPR requires organizations to implement appropriate technical and organizational measures to secure personal data. GOOSE VPN’s use of SSL encryption and server hardening measures are examples of complying with these security obligations, thereby enhancing user trust in their commitment to data security.

    Accountability and Transparency: GDPR demands accountability from data controllers, necessitating clear, transparent privacy policies. GOOSE VPN’s detailed privacy policy, which outlines data use, sharing, retention, and user rights, aligns with this requirement. This transparency is crucial for building trust, as customers are more likely to trust a company that is open about its data practices.

    Regular Policy Updates: GDPR requires policies to be kept up to date. GOOSE VPN’s practice of updating their privacy policy and communicating changes reflects this obligation and demonstrates their ongoing commitment to compliance and user privacy.

  • vpnify

    vpnify is a cross platform VPN service provided by Neonetworks solution ltd. According to an investigative report by top10vpn.com, the company’s director is a Chinese citizen with an address in China’s Anhui Province. Looking at their website, they openly admit to collecting identifiable data:

    When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device ID, the IP address of your mobile device, and your mobile operating system. This data is solely used for bugtracking and fixing.

    Further down the page, they list an incredibly broad list of reasons why they would disclose your personal data:

    -To comply with a legal obligation
    -To protect and defend the rights or property of vpnify
    -To prevent or investigate possible wrongdoing in connection with the Service
    -To protect the personal safety of users of the Service or the public
    -To protect against legal liability

    Surprisingly, the download speed and latency turned out to be better than I expected. The closest server I was able to connect to physically was in New York City, about 800 miles away. I maintained 278Mbps down with a ping of 46ms. It would appear that the servers are not being overutilized or throttled, but without further testing, this is mostly anecdotal.

  • SkyVPN

    SkyVPN is a freemium and ad-supported VPN service provided by Hong Kong-based SkyVPN, Inc. They are part of an ever-growing list of free VPNs owned and operated by pop-up corporations with strong links to China, which is a huge privacy and security concern.

    The app features numerous outbound connections to third party services which are always a massive privacy concern. Some of the hosts most frequently connected to were:

    • adcolony.com
    • adtilt.com
    • applovin.com
    • pangle.io
    • tapjoy.com
    • doubleclick.net
    • byteoversea.com
    • googleapis.com
    • moatads.com

    Some third party connections are inevitable, specifically to services like payment processors or the iOS app store, but the above connections demonstrate a clear attempt to monitor and track the individual using their app.
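
    One way to turn a connection capture like the one above into per-category counts, as an added example that is not part of the original review. The log format, the category labels and the sample lines are constructed for illustration; the tracker suffixes are hosts named in the reviews on this page.

```python
from collections import Counter

# Hosts the reviews on this page name as ad, analytics or attribution endpoints.
# Grouping them under one "tracking" label is this example's simplification.
# Bare googleapis.com is left out because it also fronts non-analytics APIs.
TRACKING = {
    "adcolony.com", "adtilt.com", "applovin.com", "pangle.io", "tapjoy.com",
    "doubleclick.net", "byteoversea.com", "moatads.com", "app-measurement.com",
    "appsflyer.com", "googleadservices.com",
    "firebaseinstallations.googleapis.com", "firebaselogging-pa.googleapis.com",
}
# Platform hosts the reviews treat as expected (App Store services).
PLATFORM = {"apple.com"}

# Constructed capture: '<timestamp> CONNECT <host>:<port>' (hypothetical format).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z CONNECT i.ostrichvpn.net:443
2024-01-01T10:00:01Z CONNECT i.ostrichvpn.net:443
2024-01-01T10:00:02Z CONNECT firebaseinstallations.googleapis.com:443
2024-01-01T10:00:03Z CONNECT buy.itunes.apple.com:443
2024-01-01T10:00:04Z CONNECT ads.g.doubleclick.net:443
2024-01-01T10:00:05Z CONNECT Attr.AppsFlyer.com.:443
2024-01-01T10:00:06Z CONNECT notdoubleclick.net:443
2024-01-01T10:00:07Z CONNECT doubleclick.net.cdn.example:443
malformed line
2024-01-01T10:00:08Z CONNECT www.googleapis.com:443
"""


def normalize(host):
    """Lower-case and strip the port and any trailing dot."""
    host = host.strip().lower()
    if host.count(":") == 1:  # host:port; IPv6 literals are out of scope here
        host = host.split(":")[0]
    return host.rstrip(".")


def under(host, suffix):
    """True if host is the suffix itself or a subdomain of it.

    Matching on a label boundary keeps look-alikes such as
    'notdoubleclick.net' from being counted as 'doubleclick.net'.
    """
    return host == suffix or host.endswith("." + suffix)


def classify(host, first_party):
    """Return first_party, platform, tracking or unknown; longest suffix wins."""
    host = normalize(host)
    best_label, best_len = "unknown", 0
    groups = (("first_party", first_party), ("platform", PLATFORM),
              ("tracking", TRACKING))
    for label, suffixes in groups:
        for suffix in suffixes:
            if under(host, suffix) and len(suffix) > best_len:
                best_label, best_len = label, len(suffix)
    return best_label


def parse_log(text):
    """Yield normalized hosts from well-formed CONNECT lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "CONNECT":
            yield normalize(parts[2])


def summarize(text, first_party):
    """Count connections per category and list hosts that need manual review."""
    by_cat, unknown = Counter(), set()
    for host in parse_log(text):
        cat = classify(host, first_party)
        by_cat[cat] += 1
        if cat == "unknown":
            unknown.add(host)
    total = sum(by_cat.values())
    share = round(by_cat["tracking"] / total, 2) if total else 0.0
    return {"total": total, "by_category": dict(by_cat),
            "tracking_share": share, "review": sorted(unknown)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, {"ostrichvpn.net"}))
```

    Hosts that land in the review list are the ones worth looking up by hand before drawing a conclusion about the app.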

    Speeds

    Speed loss and increased latency are common amongst all VPN services, but severe drop in speed or spike in latency is an indication that the service is being oversold or intentionally throttled. Since with SkyVPN you can only select your country of choice, the proximity of the selected server is random. I was able to connect to New Jersey which is about 1,200 miles away. While the latency was decent, the download speed was throttled to 18Mbps. For contrast, while connected to a ProtonVPN server in New York City, I was able to maintain 274Mbps down with similar latency. So, obviously your mileage will vary, and the speed required will depend heavily on your VPN usage.

  • Norton

    Speed Test

    Speed is a pivotal attribute when evaluating VPN services, yet it’s vital to recognize its inherent subjectivity, largely influenced by factors such as user hardware, geographic location, local infrastructure, and the quality of the servers employed by the VPN provider. In our testing, when connected randomly to a server in Oregon via Amazon EC2, we achieved an impressive 420 Mbps download speed and a latency of 32ms. While this performance is commendable, Norton only lets users select server locations at the country level, rather than more specific locales, which might be limiting. Such a broad selection mechanism can inadvertently connect users to geographically distant servers, potentially compromising both speed and latency. Thus, while our experience was positive, it’s conceivable that other users might encounter varied and less optimal outcomes due to this lack of granularity in server selection.

    Privacy Policy

    In assessing the Privacy Statement of Gen Digital Inc., it becomes evident that there are intricate concerns related to the VPN service they offer. Traditionally, Virtual Private Networks (VPNs) are employed to bolster online privacy, acting as a protective shield for users against potential eavesdroppers and malicious entities. However, the privacy policy of Gen Digital Inc. elucidates extensive data collection procedures that might be incongruent with the foundational principles of VPNs. Specifically, the policy highlights the collection of “Device Data,” which encompasses critical identifiers such as MAC addresses, mobile device IDs, and even unique installation identifiers (Privacy Statement, 2. Categories of Personal Data We Collect). Furthermore, the “Geolocation Data” clause indicates the potential for capturing precise user location information (Privacy Statement, 2. Categories of Personal Data We Collect). This level of detailed tracking might be antithetical to the primary objective of VPN users: anonymity. Compounding this concern is the company’s disclosure mechanisms. The data sharing stipulations with “partners, distributors, resellers, and advertisers” (Privacy Statement, 4. When and Why We Disclose Your Personal Data) introduce multifaceted vulnerabilities. Each additional sharing point potentially escalates the risk of data breaches or misuse. In essence, the comprehensive data collection and sharing policies of Gen Digital Inc., as delineated in their Privacy Statement, could be viewed as counterintuitive to the fundamental ethos of VPN services.

    Telemetry

    Upon analyzing the telemetry of Norton VPN, there are concerns regarding the volume and nature of domains the service connects to. For a virtual private network, the primary objective is user privacy and data security. However, connections to domains such as app-measurement.com, typically associated with Google Analytics, indicate that Norton VPN might be engaging in extensive user interaction tracking. While it’s understandable that some domains, like stats.norton.com or mobilesecuritycore-detection.norton.com, are linked directly to Norton for service functionalities, the rationale behind connections to others is less clear.

    Specifically, connections to domains like api2.appsflyer.com and attr.appsflyer.com suggest potential involvement in advertising or campaign tracking. Furthermore, interactions with firebaselogging-pa.googleapis.com and googleadservices.com imply a connection to Google’s data infrastructure. This raises questions about the type and extent of data Norton VPN shares or collects. The ideal VPN service would minimize its external connections to preserve user anonymity. However, the extensive list of domains associated with Norton VPN could challenge its reliability as a secure and private service.

  • OstrichVPN

    Ostrich VPN is a freemium VPN app developed by GeWare Technology Limited.

    VPN Protocols

    The absence of WireGuard as an option in the “auto” function of a VPN service could be a significant drawback for users who prioritize both speed and security. WireGuard is often considered the industry standard for modern VPN protocols due to its lightweight nature, high performance, and strong encryption algorithms. It uses state-of-the-art cryptography and is easier to audit because of its compact codebase, making it generally more secure and faster than its predecessors like OpenVPN and IPSec. Many leading VPN services have adopted WireGuard because it offers a great balance between speed and security, making it a go-to choice for those looking to maintain fast connections without compromising on privacy.

    In contrast, the VPN service defaulting to VMess for its “auto” function might raise some eyebrows. VMess is primarily used as part of the V2Ray project and is less universally adopted than WireGuard. While VMess also aims to offer a secure and private connection, its less widespread use means that it hasn’t been as thoroughly vetted by the community and security experts as WireGuard has. Moreover, the other protocol options like WebSocket, IKEv2, and OpenUDP each have their own sets of pros and cons but generally do not offer the same level of streamlined security and performance as WireGuard. Users who are not aware of these nuances might unknowingly compromise on both speed and security by going with the default “auto” setting.

    Speed

    Speed tests for VPN services are highly contextual, influenced by a myriad of factors including user location, the quality of the local Internet infrastructure, server distance, and even the hardware being used. Therefore, while speed test results are valuable, they should be taken as a frame of reference rather than an absolute measure of performance for all users. In our case, being based in Seattle, the closest “high-speed” server available for our test was in New York City. Despite the considerable geographic distance, the service performed exceptionally well in our tests, delivering a download speed of 191 Mbps with an average latency of 78.5ms and zero packet loss.

    These results are quite impressive, suggesting that the servers were neither overutilized nor significantly throttled at the time of testing. The high download speed and low latency indicate a well-optimized network capable of providing a robust and smooth Internet experience. However, it’s worth noting that these results are specific to our testing conditions and may not be directly translatable to all users. Factors like network congestion, individual ISPs, and even the time of day can affect performance, but our tests suggest that this VPN service is capable of delivering high speeds and low latency under optimal conditions.

    App Telemetry

    In the multifaceted landscape of Virtual Private Network (VPN) offerings, Ostrich VPN presents itself as an entity worthy of investigation. Initially, the application appears to fulfill its core objective effectively, establishing connections primarily to its own domain, i.ostrichvpn.net. This suggests an alignment with the foundational purpose of ensuring user privacy and security. However, the analysis takes a more complex turn as additional domains come into view.

    The application establishes links to third-party domains such as google.com and firebaseinstallations.googleapis.com. While not overtly indicative of privacy risks, these connections introduce questions regarding supplementary functionalities that might extend beyond the core service offering of the VPN. Moreover, the app exhibits connections to Apple’s ecosystem through domains such as amp-api-edge.apps.apple.com and buy.itunes.apple.com. These links could be a nod to in-app purchase capabilities or other transactional elements integrated within the app. The presence of these additional domains doesn’t necessarily tarnish the privacy credentials of Ostrich VPN but adds a layer of complexity to its operational profile. In summary, Ostrich VPN secures a “B” rating on our privacy evaluation scale, revealing that the nexus between app functionality and user privacy is often more intricate than initially apparent.

    Privacy Policy

    Ostrich VPN’s Privacy Policy covers a wide array of data collection and usage scenarios that potential users should scrutinize closely for privacy implications. Here are some key takeaways:

    Data Collection and Usage:

    1. Account and Identity Information: Ostrich VPN collects your name, username, email, and even identity verification information. This extensive set of personal identifiers could be a concern for users who prioritize anonymity.
    2. Billing and Payment Information: This policy does not elaborate on how this sensitive financial information is secured or who exactly has access to it.
    3. Usage and Device Information: While Ostrich VPN claims not to log any information that associates your identity with your VPN browsing activity, they do collect data like bandwidth usage, device types, and even location information based on your IP address or GPS. The retention period for this data is not specified.
    4. Third-Party Data: Information may also be collected from third parties, including potentially from ‘reputable members of the security industry,’ which could include personal data.

    Third-Party Sharing and Advertising:

    1. Affiliates and Service Providers: Data is shared with third parties for processing payments, analytics, and even advertising. The security measures for this data sharing are not explicitly detailed.
    2. Advertising Networks: They serve ads to users and share limited personal data with third-party advertising networks. If you’re using a VPN, this could be a red flag, as one of the primary uses for a VPN is to avoid tracking.

    Contradictions and Ambiguities:

    1. Data Minimization and Retention: The policy claims to retain your data for as long as needed to provide services or as long as you have an account. However, it does not specify what ‘as long as needed’ means, which could be indefinite.
    2. International Data Transfers: While it mentions that data could be transferred internationally, it does not specify the countries involved or the legal safeguards in place.
    3. Legal Compliance and Law Enforcement: The policy mentions they may share your information to comply with legal processes, but it doesn’t specify under what conditions they would consider a request to be valid.

    In summary, while Ostrich VPN provides some level of privacy assurance by not logging your VPN browsing activity, the extensive data collection and third-party sharing raise concerns. Users should be aware of these issues, especially those who prioritize strict privacy measures.