In December of 2019, the i2Coalition – a leading voice for web hosting companies, data centers, domain registrars, cloud infrastructure providers, managed services providers, and other central internet technologies – launched the VPN Trust Initiative (VTI).
The future of the VPN industry
VTI is an industry-led consortium of market-leading VPN businesses committed to improving the VPN industry for consumers and VPNs alike, by establishing a set of transparent guidelines for the delivery of VPN services in alignment with expertly-informed industry best practices.
VTI essentially wants to cultivate an environment of self-regulation for the VPN industry that allows consumers to quickly and easily ascertain whether a VPN service is up to par. The message promoted by VTI is that VPNs are not all created equal:
VPNs essentially ensure data flows between endpoints are private and secure. And while some VPNs successfully protect users, others may - either accidentally or intentionally - expose users to greater risk. VPN services that do not meet the demands or expectations of users can put both professional and personal security at risk.
Now, the member-led coalition has published a set of best practices aimed at establishing these core VPN principles. As a result of following these best practices, members of the coalition will command increased trust from consumers, setting themselves apart from the large number of cowboy VPN services that exist on the market – services that studies have revealed to fail in providing privacy and security in many key areas.
In the last few years, the number of VPN service providers has skyrocketed. From the societal point of view, this is a positive turn, giving people freedom of choice on how and by whom their data should be handled. However, industry growth has also brought a lack of clarity. VPN providers operate in different ways, and not necessarily all of them apply the best standards when developing their service. VTI understood that and sought to create a set of principles: guidelines on which the services could rely. We hope that these principles will help the industry to become more trustworthy, transparent, and secure.
Five key principles
The five key principles published this week are a step in the right direction for improving trust in the VPN industry as a whole. And, while it will essentially make members of the VTI – such as ExpressVPN, NordVPN, Hide.me, VyprVPN, Surfshark, IPVanish, and Ivacy – stand out from the rest of the market, it should also allow newer and perhaps inferior services to pull up their bootstraps to improve their services. So what are the five principles that have been announced?
The first principle revolves around security – an integral part of any VPN service. The security principle states that “VPNs will use the necessary security measures including strong encryption and authentication protocols to appropriately address the risks". Also, it asks VPN service providers to:
- Suspend compromised authenticators in the event of a security incident
- Use token-based authentication when possible
- Never store usernames and passwords in plain text
- Help prevent keys from being shared between users
These are a strong set of parameters for the implementation of reliable and robust security by any VPN, a good start.
Next, VTI focuses on advertising best practices. It instructs VPN providers to use clear and transparent language. It also asks them to ensure they always make accurate claims that aren’t misleading. Again, this is an important set of standards, because studies have previously revealed some VPN providers to knowingly deceive consumers regarding the levels of security they can expect to receive, whether that be because of inferior or badly implemented encryption– or critical data leaks occurring due to the app.
The privacy principle calls for all VPN providers to clearly state what logs they keep, why they keep them, and for how long. VPNs are also asked to “keep as little data as they deem necessary to provide the service, and only produce data to law enforcement when legally required." This requirement seems a little lackluster, considering that VPNs can be zero-logs services that inevitably have no records whatsoever to hand over to the authorities.
With that said, it is possible that in some instances VPN providers based in countries that have strict mandatory data requirements may need to keep some logs, and in these cases, the principle makes it clear that those services need to be forthright regarding those requirements and the potential risks it may cause for consumers.
The final two principles revolve around disclosure and transparency and social responsibility. They call for VPN providers to drive forward trust within the industry by taking steps towards providing greater clarity regarding their procedures. This is done by publishing transparency reports, explaining which third-parties they may work with and why, and by supporting freedom of expression and contributing to open source initiatives that are central to the VPN industry.
Overall, this is a solid set of foundations that will allow the VPN industry to improve its image in the eyes of consumers and technologists alike. There is no doubt that the many discrepancies between the ever-increasing number of consumer-facing VPNs available on the market lead to confusion.
A lack of principles like those set forth by VTI has made it possible for lackluster services to promulgate themselves largely unopposed, and in many instances, this is causing serious risks to consumers who are sucked in.
VTI principles begin to create an environment of self-regulation that stands to vastly improve accountability within the sector. As a result of this, VPNs become harder to target by government authorities, keen on seeing the back of them, because of the vast privacy benefits that they provide to key members of civil society. Whether that be activists, journalists, or political dissidents fighting for a better world.
Privacy online isn't just a privilege - it's a basic human right for every single person on the planet. The VTI Principles represent a major step forward for the industry and we're proud to play our part.