Introduction To Our Review Process
Here at ProPrivacy.com, we pioneered a VPN review format and a series of procedures that are now copied by countless other lesser websites. Our aim is to make each review as comprehensive, objective, and scientific as possible.
To this end, we break down and analyze all the key elements that make or break a good VPN service. We also examine unique features and other aspects of a VPN that set it apart from its competitors, and try to assess whether these features do indeed add genuine value to a service's proposition.
Of course, with so many factors to consider, each reviewer’s final assessment is necessarily a subjective judgement call. The beauty of having such comprehensive reviews, however, is that all aspects of a service are described in detail.
This means that you, our readers, should have all the information necessary to draw your own conclusions about any VPN we have reviewed.
This article is intended to provide a detailed and transparent overview of our review process. We hope it provides readers with an insight into how we judge the quality of VPNs and can provide a template for how to assess VPN services for yourself.
Note that our review process has been improved and refined over time and that some older reviews from writers who are no longer with us may not live up to our current standards. We aim to phase out these legacy reviews over the coming months.
Following a quick summary list of the VPNs highlights, we introduce the VPN. Ideally, this quickly explains a VPN’s background and history. With newer and lesser-known VPNs, this may be a simple recap of the review’s conclusions.
VPN’s Pricing and Plans
Always a good place to start! We generally highlight the price per month if paid monthly, and the price per month if paid annually. Please Note that it is the second price, the annual price paid monthly, that we use across our website to compare services like for like.
Many VPNs these days offer a simple one-size-fits-all payment plan. Some offer a range of plans, however, each offering a different level of service. In this case, we give a rundown of what each plan offers and what it costs.
We also explain which plan we have decided to review. In general, we will try to review the most fully-featured plan available, in order to assess all the features on offer.
We next discuss any free trials and/or money back guarantees on offer, and point out any hidden limitations they may have.
Finally for this section, we list payment methods accepted by the VPN. In particular, we highlight any potentially anonymous ways to pay - these can include Bitcoin, store cards, or even cash sent by post.
Any such discussion should be accompanied with a caution that no matter how anonymously you pay, the VPN provider will always know your real Internet Protocol (IP) address. Remember: VPNs provide privacy - not anonymity.
This section starts by listing a VPN’s features, as advertised by that VPN. This includes:
- Number of counties where the VPN operates servers
- How many simultaneous connections are allowed (that is, how many devices you can use the VPN with at once)
- VPN protocols supported
- Whether P2P (torrenting) is allowed
- Any non-standard, unusual, or unique features
This is followed by some brief observations about the above features, followed by an examination of any non-standard features that the reviewer feels need further explanation or assessment.
Note that things such as VPN logs, jurisdiction, support options, technical security, software features such as kill switches and DNS leak protection, and whether the VPN can unblock Netflix or BBC iPlayer are discussed in detail later in the review. They are therefore not listed here.
Each non-standard feature is given its own sub-heading. The feature is explained, and the reviewer assesses how useful it really is. Examples include “double VPN,” Tor over VPN, support for unusual VPN protocols, smart DNS, port forwarding, and support for anti-censorship and obfuscation technologies.
This section primarily gives as detailed a look as possible at the provider’s logging policy, plus an analysis of how the country in which the VPN is based may affect users’ privacy.
When looking at the country in which a VPN is based, relevant privacy laws, surveillance laws, data retention laws, and general levels of government surveillance (legal or otherwise) are assessed. Note that some countries with quite intrusive surveillance laws for Internet Surveillance Providers (ISPs) and telecoms operators do not apply those laws to VPN services. This is noted where possible.
It is worth stressing that surveillance laws can be very difficult to assess. They are often deliberately vague and riddled with grey areas that have never been tested in court. This situation is made dramatically more difficult when dealing with countries whose language the reviewer does not speak. Not only are the laws themselves rarely translated, but most online debate about them is in a foreign language.
In addition to this, governments often go to great lengths to hide the amount of surveillance they really perform. Our reviewers nevertheless take a great deal of time and effort to find out what they can about the situation.
Reviewers also perform research to uncover other facts relevant to a VPN’s privacy. This can include comments made by staff during interviews on other websites, evidence of data breaches, and evidence that a VPN has succeeded or failed to protect its users’ privacy in the past. We may also contact a VPN’s support for more information.
One legal aspect that we have not addressed in the past, but which we plan to address in all future reviews (where possible), is who the payment processor is. Many VPNs use third-party companies to process credit card and other payments (including cryptocurrency payments). Where these companies are based can have privacy implications.
If you choose a particular VPN because it is based outside any of the Five Eyes countries, for example, then you may not be pleased to know that your payments are processed by a US company and are therefore subject to NSA scrutiny.
It is worth stressing that buying a VPN subscription is not illegal throughout most of the world, or even regarded as being in any way "suspicious." As privacy fanatics, though, we believe in informing our readers about all potential privacy issues.
It is common for websites to track visitors using tools such as Google Analytics. This is understandably popular, as it provides a great deal of insight into how visitors interact with websites. This allows website owners to improve the design of their websites, which, of course, helps to improve profits.
Such tracking, however, is highly invasive to the privacy of website visitors. This is even worse when the tracking is performed by third parties such as Facebook. These uniquely identify and follow you around as you surf the web in order to build up a detailed profile of you. This profile is then used to target you with highly personalized ads.
Website tracking by a VPN does not in any way compromise the privacy of your VPN sessions. We do, however, feel that extensive website tracking by companies that promise to care about your privacy is very bad form. It also does little to inspire trust in a provider, in a business where trust is everything.
All new reviews (this is a new feature, and so is not present in legacy reviews) will include a section on how extensive a VPN's website tracking is. This is easily determined using the Privacy Badger browser add-on from the Electronic Frontier Foundation (EF). The information is easily presented using a screenshot of Privacy Badger accompanied by the reviewer's thoughts on the results.
This VPN does quite a lot of website tracking...
... while this one doesn't
It is worth noting that if you are concerned about website tracking in general, you can to take your own measures to help prevent it.
Is the VPN Secure?
We used to combine this section with Privacy, but now usually separate them out into separate sections to give each subject the full consideration it requires. In this section we discuss technical security, and in particular, the VPN encryption used.
- OpenVPN is the only VPN protocol we know to be fully secure. IKEv2 is also considered secure but is largely untested.
- Just about every VPN offers OpenVPN. This allows us to compare like for like across VPNs.
- The care a provider takes over the details of its OpenVPN encryption is a strong indicator of the care it takes over security in general.
With OpenVPN security, the devil is in the detail. What is even more shocking than the number of VPNs who cannot be bothered to get it right, is the number of VPNs out there who are simply unable to provide these details.
Of necessity, discussion on VPN protocols and the nitty-gritty OpenVPN encryption is highly technical.
Alternatively, our handy OpenVPN encryption chart uses a traffic-light system to give an at-a-glance assessment of the VPN’s security that even the most tech-phobic out there should easily understand.
Also relevant to a VPN’s technical security is whether it prevents IP leaks and whether its software features a kill switch. These points will be addressed in more detail later in the review but should get also get a mention here.
A brief discussion about our overall impressions when visiting the provider's website. Does it look nice? Is much genuinely useful information provided? Is information easy to find? Is it easy to understand? Does it provide useful resources and setup guides? Anything else concerning the website will be found here too.
This section describes what support options are in place. Does the VPN offer live chat Support? If so, how many hours per day is this staffed? If not, then how long does it take to receive a reply via email?
We always contact support and try to throw some difficult questions at them! We then report on how well they did.
Note that we don’t expect frontline live chat staff to have highly detailed technical knowledge. That would be unfair. We do, however, expect difficult questions to be passed onto someone more knowledgeable, and answered in a reasonably timely manner (taking office hours of where the VPN is based into consideration).
A brief description of the signup process, including a note on how much personal information is requested/required.
The Desktop Client(s)
Ideally, this takes a detailed look at all custom VPN clients offered by the provider for Windows, MacOS, and Linux. In practice, not all our reviewers currently have access to all these platforms. Plans are afoot to improve this situation in future, but for the time being, reviewers examine all the software they can.
Clients are tested inside Virtual Machines (VMs) with clean-install operating systems. This prevents issues such TAP conflicts occurring and makes it easier to spot irregularities - such as the client installing with unsigned drivers.
The typical format is to publish a screenshot of every window/tab used by the software, highlighting anything of interest in the nearby text. Where possible and appropriate, we test each feature.
We test the software in a Virtual Machine (VM). If the client has a kill switch, we run a couple of simple tests on it. Disconnecting then reconnecting the host machine’s internet connection is a good way to simulate if a kill works for a standard VPN drop-out.
Kill switches can be either reactive or firewall based. Reactive kill switches detect that the connection to the VPN server has dropped, then shut down your internet connection to prevent leaks. There is a danger, however, that an IP leak could occur during the micro-seconds it takes to detect the VPN dropout and to shut down your internet connection,
Firewall-based kill switches solve this problem by simply routing all internet connections through the VPN interface. If the VPN is not running then no traffic can enter or leave your device. Firewall-based kill-switches are therefore better than reactive ones, but any kill switch is better than none!
Now... firewall based kill switches themselves come in two types. The first kind is implemented in the client and will therefore not work if the client crashes. The second kind modifies the Windows or OSX firewall rules so that even if the VPN software crashes, traffic will not be able to enter or exit your device. The only problem with method this is that it could, at least in theory, cause conflicts if you use a third-party firewall.
There is no easy way to tell whether a purely app-based kill switch is reactive or firewall based (other than asking the VPN Provider). We can, however, test to see if it is a system-level firewall-based kill switch by force-closing all VPN software and drivers to simulate a crash. If the internet connection is still not available, then it is a system-level kill switch.
Performance (Speed, DNS, WebRTC, and IPv6 Tests)
ProPrivacy.com has recently introduced a groovy new speed test system that provides a scientific and objective way to measure and compare VPN speed performance. Each test result is accompanied by any observations the reviewer may have.
Average global download speed results are our baseline measure for how fast a VPN is.
Note that this live chart is only useful for our top-ranking VPNs. A screenshot accurate at the time the review was written may have to suffice for other VPNs.
DNS lookup time is a good measure of how fast users perceive their connection to be as it affects web page loading times. Faster lookup time= faster web page loading (i.e. lower is better).
VPN connection time measures long it takes between hitting the "connect" button in your VPN client, and the VPN connection to be established. It is probably the least important of these speed measurements, but no-one enjoys hanging around.
Where possible, all new reviews will use the new speed test format and provide analysis of the various measurements achieved. For various technical reasons, however, we may sometimes need to fall back on our older speed test format.
IP leak tests
We also run basic test IP leak tests by visiting ipleak.net. These include IPv4 and IPv6 DNS leak tests and Ipv4 and IPv6 WebRTC leak tests.
Basically, though, if we can see our real IP address or an IP address belonging to our real ISP when using the VPN, then that's not good. Connecting to an overseas VPN server can help make IP leaks stand out.
The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. Fail!
We are planning at some point to transition to using a battery of much more comprehensive open source IP leak detection tools developed by ExpressVPN. For the time being, however, ipleak.net provides a good battery of basic tests.
These tests are performed in private/incognito mode to prevent caching issues confusing the results. They are also performed in an unmodified browser that supports WebRTC, so that we can test for WebRTC leaks (Firefox, Chrome or Opera).
We acknowledge that there is currently an issue with our IPv6 tests (both DNS and WebRTC). This is because some of our reviewers do not have IPv6 capability, and are therefore unable to perform these tests. We have been developing workarounds for this problem, however, and soon hope to have a definitive solution in place. Please note that Private Use RFC IPs are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak.
We also do quick BBC iPlayer and US Netflix tests. These simply involve logging into UK and US VPN servers, respectively, then visiting those websites to see if we can access the services. Sometimes it is necessary to ask VPN's support to find out if they have special servers which not blocked.
Here you'll find a quick discussion about all platforms supported by the VPN. These can be via either custom software or manual setup. Platforms typically include desktop platforms (e.g. Windows, MacOS, and Linux), mobile platforms (e.g. iOS, Android), routers (usually DD-WRT routers), and browser extensions.
If custom mobile apps are available and the reviewer has access to the relevant platform, we will give them an in-depth look with screenshots here.
It is increasingly common for providers to offer “VPN” browser extensions. These are nearly always proxy extensions, not true VPN extensions. They can nevertheless be useful, and we give any such features the once-over with screenshots here.
VPN Review Conclusion
- A list of things the reviewer liked, rather than a list of features advertised by the provider
I wasn’t so sure about:
- A list of things that confused the reviewer
- And of “features” that we are not convinced are really that useful
- Also of points that were not great, but were not bad enough to deserve being listed under…
- Stuff that is a deal-breaker
We finish with a quick summary of the high and low points of the service, in which the reviewer expresses their personal opinions about his or her time using the VPN.