Choosing the best VPN provider
Getting real privacy from a VPN service is not as easy as you think
If you’re looking to improve your privacy online, a Virtual Private Network (VPN) is a crucial tool for making your online traffic more anonymous and less exploitable. However, there are many different VPN providers on the market, and many of them claim to be the best while providing much the same service as the others. So how can you choose between them, or know which VPN is best for your privacy needs?
Online privacy should not be taken for granted as a guaranteed right. In reality, privacy on the internet is an evolving struggle in which our personal data is increasingly collected and used. This is often being done without our knowledge, or with dubious consent practices. What we need are adaptive privacy technologies, and VPNs should be no different. Thankfully there are now fundamentally different types of VPN architectures designed to enhance user privacy through decentralized infrastructures.
In this guide, we will first explain the different types of VPNs available. We will then work through the important privacy features you should look for in deciding which VPN provider is the best for the online protection you need. Nym’s opinion is that the best VPN provider is determined by how well your privacy and data are protected against all possible threats.
How does a VPN protect online privacy?
A VPN is a third-party service that encrypts your internet traffic and reroutes it through its server(s) before it reaches the public web. The websites and services you connect to see the VPN server’s IP address instead of yours, and your ISP sees only encrypted traffic going to the VPN server rather than where you are actually going. This adds some anonymity and privacy to whatever you’re doing online.
As we will see, the degree of your privacy and the security of your data ultimately depends on the VPN service being used. This article will answer some of the big questions users should have about VPNs and privacy:
- What is the business model of a VPN?
- How is your data encrypted?
- How many servers does the VPN use?
- How are your traffic data and metadata stored by the VPN?
- Are their servers secured against attacks and breaches?
- Will the VPN hand your traffic data over to third parties?
Different VPN architectures
Not all VPNs are built the same: they have different architectures, or physical infrastructures facilitating the way user data is routed. Here are the main things to consider.
Single or multi-hop routing?
Most VPNs on the market are single-server (or single-hop) services: your data is routed through only one relay server before reaching the public web. The more independently operated hops your traffic makes, the harder it is to track, and thus the more private your activities online will be.
Newer VPN models are multi-hop services, routing your traffic through several servers. Multi-hop routing is important but uncommon among mainstream VPNs because it raises operational costs and complexity; some traditional VPNs do offer a “double VPN” option on their more expensive plans. The important question is whether the servers are independent of one another. If both are operated by the same company, they remain linkable through that company, which can correlate what enters the first server with what leaves the second and so track users much as a single server could.
Centralized servers
Centralization concerns how your data is handled once in the hands of the VPN provider. Most VPN services own and operate their own servers, or they rent them from third-party services. Whatever the case, your data will pass through, and potentially be logged or recorded by, these companies. These logs will likely be stored in a single physical space, as will be the financial records linking your payment to their VPN service. Note that all single-server VPNs are by definition centralized regardless of their logging policies.
Why is this a problem? Because a central store of millions of users’ IP addresses, traffic data and payment records is a prime target for cybercriminals and for government agencies seeking bulk user data. Ensuring your own privacy therefore means looking for decentralized designs that remove the central target altogether, rather than relying on a provider’s promise to guard it.
Decentralized VPNs (dVPNs)
To address this risk of data centralization, new types of VPNs route traffic through decentralized networks of independently operated relay servers. dVPNs are multi-hop by default (usually two hops). Unlike the pricier double VPN options of some mainstream VPNs, there is no central server where user data can be logged, and so no single point of attack or failure. Because no single node sees both your IP address and your destination, this significantly raises the bar for data breaches, traffic analysis and metadata leakage. dVPNs can also be more affordable, allowing users to pay only for the bandwidth they actually need.
VPN business models: Free vs. paid VPNs
Finally, consider the business model of the VPN provider. A VPN company can make money in two ways: users pay subscription fees for the service, or the VPN earns its revenue some other way. Subscription fees at least create some dedication to users’ privacy, since the provider wants to keep them as customers. But how can a free VPN service remain financially viable?
While there are a few reliable free VPNs dedicated to user privacy, these are the exception rather than the rule. In short, if the product is free, you are probably the product. Many free VPN providers earn revenue by collecting user traffic data and selling it to data brokers, and by analyzing your data to target advertising to you, sometimes injecting ads directly into your traffic. Unless you specifically need a non-profit, privacy-focused free VPN, avoid free VPNs altogether.
Privacy features to look for in a VPN
When shopping for a VPN for privacy, there is a tendency to go for big-name companies, popular products, and big promises. But anyone seriously concerned about their privacy should carefully consider and research what privacy features a VPN does or does not provide. Here are some key things to look out for:
Encryption
Encryption prevents your data from being read by third parties while it is in transit between your device and the service you are talking to (a website, a correspondent, etc.). Most websites already encrypt this hop with HTTPS, so a passive observer can see which servers you connect to but not what you send. A VPN adds a second layer on top: before your data leaves your device, it is encrypted inside the VPN tunnel, so your ISP, or anyone on your local network, sees only encrypted traffic to the VPN server and not the destinations you are visiting.
There are several tunneling protocols a VPN service can use, and some are stronger than others. Key length is a common marketing figure, but it is a crude measure: a 128-bit symmetric key is already far beyond brute force, and 256-bit keys (AES-256, ChaCha20) are the norm and add a margin against future attacks. In practice, weaknesses come from protocol design, implementation bugs and key handling rather than from key length. WireGuard is currently the best choice in terms of speed, simplicity and security (it uses a fixed, modern cipher suite: ChaCha20-Poly1305 for encryption and Curve25519 for key exchange), and OpenVPN remains an industry standard.
dVPNs and double VPN options add further layers. With a double VPN, the client encrypts its traffic in two nested layers and each server strips one, so the first server never sees the final destination and the second never sees the client’s IP address. A mixnet VPN like NymVPN goes further with the Sphinx packet format: an onion-like, multi-layered encryption in which each of several hops can only decrypt its own layer, learn the next hop, and forward a packet that looks like every other packet, which makes traffic analysis much harder.
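The following is an added example, not code from the article, from Nym or from any VPN client, showing the structural point behind multi-hop and onion-like layering: each relay can strip exactly one layer and learns only the previous and next hop. It assumes the client already shares a symmetric key with every hop (real systems negotiate these per session, for instance with Diffie-Hellman); the cipher is a toy HMAC-SHA256 keystream with a MAC standing in for a real AEAD such as ChaCha20-Poly1305, and the hop names, keys and message are constructed. It also checks the operator-linkability point made above: two hops run by the same company can be combined to link client and destination.

```python
"""Toy layered ("onion") encryption: why no single relay in a multi-hop route
sees both the client and the destination.

Added example, not Nym's Sphinx or any VPN's real code. Assumed: per-hop
symmetric keys already shared with the client; a toy HMAC keystream cipher
in place of a real AEAD.
"""
import hashlib
import hmac
import os

NAME_LEN = 32  # fixed-width next-hop field inside every layer

# Constructed per-hop keys; a real client negotiates these per session.
HOP_KEYS = {name: hashlib.sha256(f"demo-key-{name}".encode()).digest()
            for name in ("hop1", "hop2", "hop3")}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy cipher, not WireGuard/Sphinx)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _frame(next_hop: str, inner: bytes) -> bytes:
    return next_hop.encode().ljust(NAME_LEN, b"\0") + inner


def _unframe(blob: bytes):
    return blob[:NAME_LEN].rstrip(b"\0").decode(), blob[NAME_LEN:]


def build_onion(route, destination: str, message: bytes) -> bytes:
    """Wrap the message so hop i can only strip layer i and learn hop i+1.
    Only the last hop sees the destination; only the first sees the client."""
    blob = seal(HOP_KEYS[route[-1]], _frame(destination, message))
    for i in range(len(route) - 2, -1, -1):
        blob = seal(HOP_KEYS[route[i]], _frame(route[i + 1], blob))
    return blob


def relay(route, onion: bytes, sender: str = "client"):
    """Walk the packet along the route, recording (hop, came_from, goes_to)."""
    observations = []
    prev, blob = sender, onion
    for hop in route:
        nxt, inner = _unframe(unseal(HOP_KEYS[hop], blob))
        observations.append((hop, prev, nxt))
        prev, blob = hop, inner
    return observations, blob  # blob is now the plaintext for the destination


def exposed_hops(observations, sender, destination):
    """Hops that see both endpoints and can link them on their own."""
    return [h for h, a, b in observations if {a, b} == {sender, destination}]


def linkable_operators(observations, operators, sender, destination):
    """Operators whose combined view of the hops they run covers both endpoints."""
    views = {}
    for hop, a, b in observations:
        views.setdefault(operators[hop], set()).update({a, b})
    return sorted(op for op, v in views.items() if {sender, destination} <= v)


if __name__ == "__main__":
    msg = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed payload
    for route in (["hop1"], ["hop1", "hop2", "hop3"]):
        obs, out = relay(route, build_onion(route, "example.org", msg))
        assert out == msg
        print(len(route), "hop(s):", obs, "exposed:", exposed_hops(obs, "client", "example.org"))
    obs, _ = relay(["hop1", "hop2", "hop3"], build_onion(["hop1", "hop2", "hop3"], "example.org", msg))
    print("same operator on hop1 and hop3:",
          linkable_operators(obs, {"hop1": "A", "hop2": "B", "hop3": "A"}, "client", "example.org"))
```

With a single hop, `exposed_hops` reports that relay because it sees both the client and the destination; with three hops it reports none. `linkable_operators` shows the point made above about double VPNs run by one company: when hop1 and hop3 belong to the same operator, that operator can link the two ends even though no individual server can.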
No-log policy
In light of the risks posed by the centralization of user data, many single-server VPN providers promise what are called “no-log” or “zero-log” policies: assurances that the VPN will not keep records of your internet traffic as it passes through their server. Remember that this matters because the VPN provider can see both your IP address and the destination of your traffic, and can thus link the two together. Even with such a commitment, most traditional VPNs likely keep some metadata logs (such as connection timestamps or bandwidth used) for operational purposes.
The problem with these policies is that users must ultimately trust that the company will abide by them, especially under pressure from law enforcement or government requests for targeted or mass records of users. Read up on whether you can still be tracked while using a VPN.
VPN services with no explicit policy on logging or record keeping should be avoided at all costs. And some VPNs, including the large majority of free services, deliberately log user traffic in order to sell their users’ data to third parties like data brokers. This is their business model. If privacy is your concern, the better option is a dVPN, which cannot keep centralized logs by design.
DNS leak protection
A DNS leak occurs when your DNS queries travel outside the VPN tunnel, typically to your ISP’s resolver, even though the rest of your traffic goes through the VPN. DNS (short for Domain Name System) is the internet protocol that translates a human-readable web address (such as “nymvpn.com”) into a numerical IP address. Your Internet Service Provider (ISP) usually provides this translation service so you can get where you want to go on the public web. While using a VPN, however, an improperly configured VPN client or operating system can keep sending queries to the ISP’s resolver after the tunnel comes up. Your browsing itself stays inside the tunnel, but your ISP, and anyone on the path, still receives a list of every domain you visit, which defeats much of the point of the VPN. This is prevented by VPN providers that run their own resolvers inside the tunnel and configure the client to use only those; you can check with a DNS leak test. Unfortunately, even dVPNs struggle with DNS leaks, but preventing them is an ongoing research and development effort.
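As an added example (not code from the article or from any VPN client), here is the check a practitioner would run for the leak just described: look for DNS packets leaving on anything other than the tunnel interface, and look for resolvers in the system configuration that the VPN did not provide. It assumes a Linux host where the tunnel interface is `tun0`, the uplink is `eth0` and the VPN pushes a resolver at 10.64.0.1 (an assumed address); the packet records and `resolv.conf` text are constructed, not captured. On a real host you would feed it rows from `tcpdump` or `tshark` and the contents of `/etc/resolv.conf`.

```python
"""Detect DNS leaks from a packet capture and from the resolver configuration.

Added example, not part of the article or any VPN client. Assumed: tunnel
interface "tun0", uplink "eth0", VPN-provided resolver 10.64.0.1. Sample
packets and resolv.conf below are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet left on
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int


DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}
# DNS over HTTPS (port 443) cannot be told apart from web traffic by port
# alone, so a DoH resolver that bypasses the tunnel will not show up here.


def find_dns_leaks(packets, tunnel_iface="tun0"):
    """DNS packets that left on any interface other than the tunnel."""
    return [p for p in packets
            if p.iface != tunnel_iface and p.dst_port in DNS_PORTS]


def resolvers_outside(resolv_conf: str, vpn_resolvers):
    """Nameservers listed in resolv.conf that are not the VPN-provided ones."""
    allowed = {ipaddress.ip_address(a) for a in vpn_resolvers}
    stray = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ip = ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # skip malformed entries rather than crash
            if ip not in allowed:
                stray.append(str(ip))
    return stray


def leak_report(packets, resolv_conf, vpn_resolvers, tunnel_iface="tun0"):
    """Combine both checks into one verdict."""
    leaks = find_dns_leaks(packets, tunnel_iface)
    stray = resolvers_outside(resolv_conf, vpn_resolvers)
    return {
        "leaked_queries": [f"{p.proto}/{p.dst_port} to {p.dst_ip} via {p.iface}"
                           f" ({DNS_PORTS[p.dst_port]})" for p in leaks],
        "stray_resolvers": stray,
        "leaking": bool(leaks or stray),
    }


# Constructed sample capture: tunnel transport, tunnelled DNS and HTTPS, and
# one query that escaped to the home router on the physical interface.
SAMPLE_PACKETS = [
    Packet("eth0", "udp", "203.0.113.10", 51820),   # WireGuard to the VPN server: expected
    Packet("tun0", "udp", "10.64.0.1", 53),         # DNS inside the tunnel: fine
    Packet("tun0", "tcp", "198.51.100.7", 443),     # HTTPS inside the tunnel: fine
    Packet("eth0", "udp", "192.168.1.1", 53),       # DNS to the ISP/router: leak
]

SAMPLE_RESOLV_CONF = """\
# constructed sample of /etc/resolv.conf after the VPN came up
nameserver 10.64.0.1
nameserver 192.168.1.1
options edns0
"""

if __name__ == "__main__":
    print(leak_report(SAMPLE_PACKETS, SAMPLE_RESOLV_CONF, ["10.64.0.1"]))
```

The second resolver entry is the classic cause: the VPN client prepends its resolver but leaves the router’s in place, and the system falls back to it whenever the first is slow, so queries leak intermittently rather than constantly. A clean result requires both lists to be empty.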
Multi-server network
As we saw, mainstream VPNs are single-server routing systems. If you’re looking for increased privacy, look for VPNs that provide multi-server options. Even better, choose a dVPN service that is multi-hop by default and without additional charges. Also check where in the world a VPN’s servers are located, since users might want to select a particular country through which to route their data. This can be important for avoiding censorship restrictions or for accessing location-based content (e.g., while streaming).
Foreign-based servers
Ultimately, data routed through one or more servers abroad will be harder to track than data passing through a single server in your own country, because VPN providers are most easily subject to the regulations of their own jurisdiction (including surveillance and government disclosure demands). However, many government agencies now cooperate internationally on mass surveillance, so it is also important to consider whether a centralized VPN service is based in a country belonging to the Five Eyes data-sharing alliance or to its wider Nine Eyes and Fourteen Eyes extensions.
Split tunneling
Split tunneling is a VPN feature that lets users configure which traffic passes through the VPN and which bypasses it. This is a useful tool for dealing with the latency that multi-hop routing can add: users can send sensitive traffic (like web browsing or email) through the VPN while letting latency-sensitive activities (like gaming) bypass it, and many clients allow this per application. The caveat is that everything you exclude leaves with your real IP address and outside the VPN’s DNS, so only exclude traffic you would be comfortable sending without a VPN at all.
Killswitch
A killswitch is a crucial modern VPN feature. If your VPN connection drops, even for a second, your device will otherwise fall back to sending traffic directly through your ISP, exposing your real IP address and your DNS queries. A killswitch blocks all traffic that is not going through the tunnel (apart from the connection to the VPN server itself) until the tunnel is restored. The most reliable killswitches are firewall rules that are in place the whole time, rather than an app toggle that reacts after it notices the drop. However, not all VPNs have a killswitch.
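The following is an added example, not code from the article or from any VPN client, of what a firewall-based killswitch actually enforces. It models the output-chain policy as a function, renders the equivalent nftables ruleset, and simulates the same flows with the tunnel up and down to show that the rule set never has to notice the drop. It assumes Linux with tunnel interface `tun0`, uplink `eth0` and a VPN server at 203.0.113.10 on UDP 51820 (constructed addresses); the flows are constructed, and the script prints the ruleset rather than applying it.

```python
"""Firewall-style VPN killswitch: a static packet policy plus the nftables
ruleset it corresponds to.

Added example, not any VPN client's code. Assumed: Linux, tunnel "tun0",
uplink "eth0", VPN endpoint 203.0.113.10:51820/udp (constructed values).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    tunnel_iface: str = "tun0"
    endpoint_ip: str = "203.0.113.10"
    endpoint_port: int = 51820
    endpoint_proto: str = "udp"


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dst_ip: str
    dst_port: int


def verdict(pkt: Packet, policy: Policy) -> str:
    """Mirror of the nftables output chain below: first match wins, default drop."""
    if pkt.iface == "lo":
        return "accept"                       # local processes talking to each other
    if pkt.iface == policy.tunnel_iface:
        return "accept"                       # anything already inside the tunnel
    if (pkt.dst_ip == policy.endpoint_ip and pkt.dst_port == policy.endpoint_port
            and pkt.proto == policy.endpoint_proto):
        return "accept"                       # the tunnel's own handshake and transport
    return "drop"                             # everything else: no fallback to the ISP


def nft_ruleset(policy: Policy) -> str:
    """Equivalent nftables ruleset for `nft -f`; printed here, not applied.
    The inet family covers IPv6 too, so v6 traffic cannot slip past on eth0."""
    return "\n".join([
        "table inet killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        f'    oifname "{policy.tunnel_iface}" accept',
        f"    ip daddr {policy.endpoint_ip} {policy.endpoint_proto} dport {policy.endpoint_port} accept",
        "  }",
        "}",
    ])


def route(dst_ip: str, tunnel_up: bool, policy: Policy) -> str:
    """Interface the kernel would choose: the tunnel's default route while it is
    up, otherwise the physical uplink (the dangerous fallback the switch stops)."""
    if dst_ip == policy.endpoint_ip:
        return "eth0"                         # the endpoint is always reached directly
    return policy.tunnel_iface if tunnel_up else "eth0"


def simulate(flows, tunnel_up: bool, policy: Policy):
    """Return {(dst_ip, dst_port): verdict} for a set of outbound flows."""
    result = {}
    for proto, dst_ip, dst_port in flows:
        pkt = Packet(route(dst_ip, tunnel_up, policy), proto, dst_ip, dst_port)
        result[(dst_ip, dst_port)] = verdict(pkt, policy)
    return result


# Constructed flows: VPN transport, HTTPS to a web site, DNS to the ISP resolver.
FLOWS = [("udp", "203.0.113.10", 51820), ("tcp", "198.51.100.7", 443), ("udp", "192.0.2.53", 53)]

if __name__ == "__main__":
    p = Policy()
    print("tunnel up:  ", simulate(FLOWS, True, p))
    print("tunnel down:", simulate(FLOWS, False, p))
    print(nft_ruleset(p))
```

With the tunnel up, all three flows are accepted because they ride `tun0`; with it down, only the packets that rebuild the tunnel get out, and the HTTPS and DNS flows are dropped instead of reaching the ISP. Clients that add an “allow LAN” exception widen that hole to the local network, and an app-level toggle that reacts to a disconnect leaves a window in which packets have already escaped.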
Ad/malware blocking
Some VPNs provide additional ad or malware blocking tools, such as prohibiting attempts from known advertisers and malicious IPs from connecting with your device while the VPN is activated.
Performance considerations in choosing a VPN
At Nym, we know that maximizing privacy features is crucial, but that this is sometimes at the cost of performance. So here are the key performance issues to keep in mind when choosing a VPN provider.
Internet speed
Since a VPN adds one or more extra hops to your traffic, consider how fast you need your connection, or particular kinds of traffic, to be. Users can experience added latency while using a VPN; for gaming, for example, a single-hop connection may be preferable to a multi-hop one. Keep in mind that split tunneling can preserve privacy for the activities that need it while optimizing speed for others.
Users can also test the speed of a VPN provider with one of the speed test tools available online. We advise connecting first without the VPN to establish a baseline, then testing with the VPN on to see the difference. The downside of comparing VPN services this way is that it requires installing each one. Third-party performance reviews can be more helpful.
Device support
It’s important to check whether a VPN is compatible with the device(s) you need it for. Some VPNs might provide only desktop support, but not have a mobile app to protect the data on your smartphone, or be compatible with router installation to protect all the devices using your home network.
Cost
Like all products, VPN services range in price depending on the security and privacy features they provide. These can range from many “free” VPN services (again, a huge privacy risk) to VPNs providing international multi-hop server networks and advanced features. Not all users will need these advanced features, but if you are concerned with your privacy in general, choosing a dVPN is currently the best VPN architecture on the market.
Location-based services
VPNs can be useful for gaining access to location-based content, such as a country’s particular streaming services. However, some web services block known VPN addresses, preventing you from accessing their content while using the VPN. Some countries even block the use of certain VPNs altogether. So if you’re looking to bypass censorship restrictions, whether a provider is currently blocked by national ISPs is another factor to consider.
How to verify a VPN’s privacy record
With advancements in encryption on the public web, traffic and metadata logging and analysis is really the biggest privacy risk we face. But this can be avoided by choosing a VPN provider whose decentralized design takes data logging out of the equation and which makes traffic analysis exceedingly difficult. But if you’re intent on vetting a big name provider that isn’t decentralized, here are some research steps you can take to get a better idea of their privacy records.
What is their privacy policy?
Look for and read the VPN provider’s privacy policy on logging. If they do not commit to keeping no logs of user traffic, look elsewhere. If they promise no or zero logs, check whether the policy covers metadata, since many providers keep metadata logs for operational purposes. Regardless, it is worth repeating: these policies require your trust, and why rely on trust when you can choose a decentralized service that is structurally incapable of centrally logging user traffic by design?
Where is the company based?
VPN providers are ultimately accountable to the laws of the countries where their businesses and servers are located. While there is nothing illegal about using a VPN, a VPN provider can be targeted for censorship, blacklisting or surveillance, significantly affecting user experience and privacy. After all, countries have very different privacy protections for users, and some have none at all.
Some countries might blacklist certain VPN companies through their national ISPs. Other countries have legislation in place which grants exceptional authority to governmental surveillance. In these cases, nationally-based VPNs have little recourse if and when government authorities demand access to servers and user data in the name of national security. It’s true that a VPN provider might not actually keep traffic logs to give up, but why trust this promise when there are decentralized options?
Have they leaked data before?
Data breaches are regular occurrences wherever valuable digital data is centralized, and VPN providers are no exception: their servers may hold mass traffic logs and financial records. Knowing whether a provider has a history of data leaks requires some research. You can start by simply searching the provider’s name together with “data leak” and “data breach.” This will give you some indication of whether the company has had its servers breached in the past.
Have they been involved in court cases?
Many VPN services can be compelled by court order to hand over traffic logs (though they may not reveal anything about users if no logs, or minimal logs, are kept). Some VPNs have been or are being sued by privacy groups for violating the privacy of their users in making available or selling user data to third parties. Researching the legal history behind a company can give you a good picture of their true privacy commitments beyond their promotional guarantees.
Do they use third-party security audit reports and transparency reports?
To give customers confidence in their no-logs policies, some companies have their servers and logging practices audited by third-party security firms. A published audit offers some confirmation that the company’s privacy commitments are actually followed and that no user traffic data sits on disks where it could be exposed. Companies can also employ penetration testers to assess the security of their infrastructure against attacks and data breaches, and some publish transparency reports listing the legal requests they receive and how they responded.
Are they using outdated and vulnerable VPN protocols like PPTP?
Point-to-Point Tunneling Protocol (PPTP) is a 1990s tunneling protocol that reputable VPN providers no longer use: its MS-CHAPv2 authentication can be cracked offline and its MPPE encryption relies on RC4, so traffic over PPTP should be treated as readable by anyone who captures it. Check whether the provider uses a state-of-the-art protocol like WireGuard or an industry-standard one like OpenVPN or IKEv2/IPsec.
Do they have a diskless, RAM-only server infrastructure?
Most traditional VPNs run their servers on hard drives or solid-state drives, so whatever the server writes (logs, caches, configuration) persists on disk. Privacy-focused providers can instead use diskless (RAM-only) servers: everything lives in volatile memory and is gone when the server is powered off or rebooted, so a seized or decommissioned machine yields nothing recoverable. This greatly reduces the risk from data breaches and physical seizure, though it does not protect against a server that is compromised while it is running, or against logs shipped to another system. It may also improve performance for user traffic.
Need the best VPN provider for privacy? Go Nym
All things considered, if genuine online privacy is your concern, then paying for a dVPN is the way to go. There are simply too many risks with traditional VPNs and their centralization of user data.
But multi-hop routing can cause latency issues. For this reason, NymVPN has been designed to give users a choice for how much protection they need online, when, and for what kinds of traffic:
- You can select between a 2-hop dVPN mode for faster connection with more robust privacy than any traditional single-server VPN on the market can provide
- Or an unparalleled 5-hop mixnet VPN mode for highly sensitive traffic (like private email apps or crypto transactions).
NymVPN is currently starting its alpha testing phase, and research and development are on track to adding key privacy features like a killswitch and split tunneling before its full launch.
Whatever VPN provider or type of VPN you’re considering, don’t choose blindly. Not all services with the same name provide the same quality of privacy protection, and some provide the complete opposite. If you truly need online anonymity, sincerely consider how decentralized networks can help.