Can I let you in on a little secret?
When it comes to protecting your privacy, most VPNs fail.
Many popular, highly-rated VPN services will leak your IP address or DNS requests, thereby exposing your data to third parties. But there are even bigger problems. Some VPNs will infect your computer with malware, install hidden tracking libraries on your devices, steal your private information, leave your data exposed to third parties, and even steal your bandwidth.
As you will see below, many of the popular VPNs are not safe to use – especially if you are using a VPN to protect your privacy online.
VPNs can look perfect on the surface, yet still be an absolute privacy and security disaster when you take a closer look.
To combat the growing confusion and deception in the VPN market, we created the VPN Warning List (which is a work in progress). This warning list contains information that I personally find to be troubling with various VPNs and the overall VPN market.
Disclaimer: This list does not necessarily reflect the latest information on every VPN service and/or app. VPNs are constantly updating their software; however, a history of bad practices may be a sign of trouble. You can decide for yourself. Everything on this list is based on information that is well sourced and freely available online.
VPN Warning List
VPNs located in 5 Eyes countries
Always consider the legal jurisdiction of your VPN provider. The following five countries are working together in an alliance to collect, share, and analyze mass surveillance data: United States, United Kingdom, Australia, Canada, and New Zealand.
In reviewing and testing Betternet, I found a number of alarming items, such as Betternet giving third parties access to your data that’s collected through their VPN. An academic research paper listed Betternet as #4 on the Top 10 most malware-infected Android VPN apps. They were also busted for embedding 14 different third-party tracking libraries into their Android VPN app, while promising users “privacy and security”. We have all the details in our Betternet review.
With the growing interest in VPNs, there are even fake VPN services popping up. When I say “fake” what I mean is that there are no servers, no software, and no VPN – instead it’s just someone trying to steal your money while pretending to be a VPN. One example of this was MySafeVPN, which was sending out scam emails and defrauding customers who paid money, expecting there to be an actual VPN service.
Free VPN Apps for Android and iOS
In general, you should be cautious when downloading any VPN app on your mobile device. A study of Android VPN apps found that 84% will leak your IP address, 82% will attempt to access your sensitive data, 75% utilize third-party tracking, 38% contain malware, and 18% don’t even encrypt your data (leaving you completely exposed). But this is no surprise. Over the years all kinds of apps have proven to be a security and privacy nightmare, for both Android and iOS. We also have a guide on how to secure your Android device.
Free VPNs in general
Free VPN services have proven to be a privacy and security disaster. Free VPNs make money by recording and selling your data, hitting you with ads, and/or redirecting your browser to e-commerce and third-party websites. Many of the most popular free VPNs in the Google and Apple stores are loaded with malware. As the saying goes, “If something is free, then you are the product.” (See the Free VPNs guide for a discussion on the dangers and risks of free VPNs.)
Hide My Ass (HMA VPN)
Hide My Ass (HMA) is based in the United Kingdom – which is a bad location for privacy due to mandatory data retention and mass surveillance. Making matters worse, HMA has a troubling history of turning over customer data to law enforcement agencies around the world.
Hola VPN was caught stealing user bandwidth and fraudulently reselling it through their sister company Luminati. Hola users act as endpoints for the entire network. This means other people are using your bandwidth and IP address when you use Hola, and you can be busted for their activities. (This is also discussed in the Free VPNs guide.)
Hotspot Shield VPN
Additionally, Hotspot Shield has been in the news because their VPN was found to leave users vulnerable to having their location exposed. Hotspot said they are working on a fix. See our Hotspot Shield VPN review for more info.
Ivacy is a Hong Kong VPN provider that has some troubling issues. Their refund policy previously limited you to 500 MB of bandwidth and 30 sessions. Some bloggers have also accused Ivacy of falsifying their VPN server locations, meaning that you’re not getting the locations you paid for. Many people believe that Ivacy and PureVPN are under the same company and using the same network infrastructure.
Opera “Free VPN”
Opera’s browser now includes what it calls a “free VPN” which they say is “better for online privacy” (see here). First, this is not a VPN at all. Security experts have shown that this is just a web proxy, which uses API requests. Second, Opera’s privacy policies include statements about data collection (including usage data) and how this is shared with third parties (see here). Check out our Opera VPN review for more info.
Our PureVPN review uncovered many problems. In previous testing, we have identified IPv6 leaks, IPv4 leaks, and DNS leaks with their VPN applications. PureVPN was also caught handing over customer data to the FBI (US authorities) despite claiming to have a “zero log policy”.
There are many free VPNs offered in the Google Play or Apple stores using variations of the “VPN Master” name. Through testing I have found that these VPN Master apps are full of dangerous malware, despite having high ratings and millions of users. I even found that one of these free VPN apps called “VPN Master Free unlimed proxy” (sic) is owned and operated by a Chinese data collection company called TalkingData.
VPNSecure is based in Australia – a 5 Eyes country that is not good for privacy. VPNSecure was also identified in an academic paper for leaking IPv6 and DNS requests, which leaves its users exposed to “surveillance and malicious agents.” The same paper also noted that VPNSecure has a number of egress points in residential ISPs. This suggests that users are unknowingly being used as endpoints in a P2P-like bandwidth network – i.e. user bandwidth is being stolen (although the paper could not confirm this). (See here for more info.)
Windscribe is a new addition to this list. It was found to be leaving overseas servers completely unencrypted, which is a very foolish practice that leaves Windscribe users exposed. In July 2021, news broke that Ukrainian authorities seized Windscribe servers, which were left unencrypted. This gave the police Windscribe’s private key, which could potentially allow them to decrypt VPN traffic.
Windscribe admitted that it was not following “industry best practices” and vowed to correct the situation and properly secure their servers. But the damage has been done. See our article on the Windscribe security incident for details.
Conclusion: Use a safe and reliable VPN service
This list illustrates one fact that’s often repeated on this site: using no VPN is better than using a bad VPN.
Even if you didn’t find your VPN on this Warning List, be careful. Many popular and highly-rated VPNs have problems, such as IP leaks and non-working features. That’s why we recommend testing your VPN regularly for any leaks or problems. In fact, we have a VPN test guide to help you do just that.
The best VPN services
We also have a guide on the best VPN services here.
These are the VPNs that performed well in all of our tests, and are located in safe jurisdictions (outside of the 5 Eyes). Here are the top picks:
Stay safe and secure online.