Wirecutter's new extensive review of VPN services, thoughts?

Discussion in 'privacy technology' started by cb474, Dec 14, 2019.

  1. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    https://thewirecutter.com/reviews/best-vpn-service/

    Wirecutter recently did a very extensive review of VPN services and put a lot of consideration to who takes privacy and security seriously. I thought it was interesting that they like TunnelBear and Mullvad the most.

    They make a big deal out of the fact that TunnelBear has had multiple third party security audits and made the results public. They ding IVPN for having only had a limited security audit, of their claim to not log user activity. And they were not happy that ProtonVPN would only show them a non-public security audit if they agreed to sign an NDA, which would pretty much make it impossible to write a review about it.

    I'm disappointed by ProtonVPN's way of handling this. I expect more transparency from them. If TunnelBear can do it, what's the problem for ProtonVPN?

    Anyway, just curious what people think about this review and it's approach to analyzing the quality of VPNs.

    *

    Also, as an aside, does it bother anyone that the the logo for TunnelBear is a bear jumping out of a tunnel (I guess) that looks a lot more like a bear jumping out of a honey pot? And in their apps they represent their servers on a global map with this tunnel/honey pot icon? Is this supposed to be a joke? Or is it just an incredibly bad oversight (how much the end of the tunnel coming out of the ground looks a lot more like a honey pot, than a tunnel)? It doesn't really seem funny to me and I find it rather off-putting. Honestly, when I first saw it, even though they have "tunnel" in their name and it should be obvious, I immediately thought, why do that have a honey pot in their logo? They should have made the "tunnel" part of their logo grey, instead of literally the shade of yellow most commonly seen on actual pots of honey.
     
    Last edited: Dec 14, 2019
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,911
    Location:
    Here
    Very interesting review. Thank you for sharing.
    I like how they focused on trusting your VPN provider and not only on speed, number for servers and similar.
    TunnelBear is a nice surprise for me, but I knew that Mullvad and IVPN are taking privacy seriously. I hope that ProtonVPN will publish results of their audit also.
     
  3. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    196
    Location:
    Australia
  4. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I really have no idea what your point is with the "pants on our heads" comment.

    I was not suggesting people should use TunnelBear or that they are the "best" (obviously something dependent on what one's particular needs are).

    I will say that the review you link to is a year old and a lot can change in a year, so you can't really directly compare Wirecutter's review from this November, to Cloudwards review from a year before. TunnelBear has been constantly developing and adding features.

    But more importantly what is interesting about Wirecutter is that they reviewed 53 VPNs and approached them very rigorously from the point of view of privacy and security first and who you can trust (to the extent you can trust anyone). This is why they put such a high premium on VPNs that have had third party security audits and that made the results of those audits public. In fact, they decided they would not recommend any service that has not had a third party security audit and made it public. That's a pretty high standard that eliminates a lot of VPN services, but it also makes sense. They also refused to recommend a service that does not have public facing leadership. Why should you trust a service that you have no idea who even runs the company?

    Also they talked to many academic security experts about what to look for. They interviewed privacy advocates, like EFF, about how to sort of VPNs. And they interviewed the leadership of three highly regarded companies, TunnelBear, Mullvad, and IVPN and also took into consideration their willingness to be interviewed, in their review.

    I've just never seen a review of VPNs that is this thorough, rigorous, and technical. Not even close. So whatever one thinks of their final recommendation, it's interesting to consider the review and wealth of information in provides.

    On the other hand, the Couldwards review you link to is for the most part like many reviews that just looks at the features and speed of the various VPN services, does not especially place a premium on privacy and security (but treats them like just another feature), and ranks services accordingly.

    As Wirecutter points out, this is a really backwards way to rate VPN services. Someone can offer all the greatest features and speeds in the world, but if they are not trustworthy and are really lying and logging you and have software full of bugs (that a third party audit might fine), what's the point? It would totally defeat the purpose of using a VPN service. And, as Wirecutter points out, this sort of thing has happened more than once. Popular VPN services with great features have been found to be selling information to data mining companies, handing information over to the police, logging traffic when they said they wouldn't, and just out and out lying and misleading people.

    So I really don't put much value on Cloudward's review. Whereas it makes a lot of sense to take the approach Wirecutter does: First weed out services based on high standards of trustworthiness and technical proficiency (like third party security audits, public facing leadership, privacy policies that are not contradicted by marketing claims, minimum encryption standards, kill switch technology) and only then look at which service has the best convenience features and speed, once it meets high standards on trustworthiness, privacy, and security.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,143
    Also, given the VPNs that it's recommending, it's a pretty good bet that its ranking depends on how much each one paid it. If you're curious, use https://archive.org/ to get versions of various VPN review sites over the past few years. Then compare the VPN rankings. You'll see just a few common patterns. Which probably reflect relative promotional budgets for the various VPNs. Some VPNs, such as IVPN and Mullvad, are typically missing, because they don't pay for placement.
     
  6. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Yeah, I was going to mention that the Cloudwards review is littered with affiliate links, which undermines their credibility. But then I noticed that the TunnelBear link in the Wirecutter review is also an affiliate link, so it's hard to say Wirecutter is more credible in that regard. Wirecutter is pretty clear on their website that they are supported by affiliate links. They say it right at the top of their webpage--at least, I suppose, they are disclosing this explicitly, which most "review" sites don't.

    I guess to their credit, Wirecutter links to Mullvad, even though presumably they are not getting paid for that. Although it's a weird link. It's "wclink.co/link/26146/137932/4/97837?merchant=Mullvad." Instead of just directly "mullvad.net." I guess wclink.co is a wirecutter domain, but still, something is going on there.

    It is odd that Wirecutter goes to great lengths to explain the research they did on VPNs, how they did it, and who they talked to, to justify their credibility and how they are making an honest attempt at disinterested objectivity. But then they use affiliate links, which is pretty much the biggest conflict of interest possible. They're getting paid by the service they're recommending (at least TunnelBear).

    It is also notable that in their extensive discussion of how to look for signs that you can trust a company, that they do not discuss the pernicious and ubiquitous use of affiliate links as a problem. Afterall, Mullvad has a section of their FAQ discussing what's wrong with affiliate links, https://mullvad.net/pt/help/policy-reviews-advertising-and-affiliates/. And IVPN prominently features their lack of affiliate as one of the benefits of their service, on their "Why IVPN" page: https://www.ivpn.net/why-ivpn. "We also reject behavioral and individually targeted advertising, as they are detrimental to privacy."

    It seems more than a bit self-serving that Wirecutter does such a good job discussing the limits and benefits of VPN services, but just happens to leave out the one significant problem, in which they are themselves implicated.

    When one reads the Wirecutter review, it does seem like they were trying to be serious. They provide a lot of really good information and discussion that you don't see elsewhere. But given that it is a site mosly devoted to recommending products and they get their money through affiliate links, it does make their whole business model suspicious. Even with the best of intentions, this kind of thing tends to in more and less subtle ways affect people's thinking. It's too bad Wirecutter isn't just supported in general as part of the New York Times and in this way more as a fundamentally journalistic effort.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,118
    It appears they aren't the only ones.

    https://twitter.com/windscribecom/status/1187454499750850561?s=21

    https://twitter.com/windscribecom/status/1189209885268946944?s=21
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,143
    Windscribe looks interesting. I'd never really noticed them. Thanks.
     
  9. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Wow, I didn't realize that review sites would just come straight out and proposition companies for a payment in exchange for placement in their top choices. I thought it might be a little more subtle (e.g. "Hey we've written a review of your service and placed you in our top rank. It would be great it you wanted to place an ad with us.") Kudos to Windscribe for posting an image of the solicitation email they got from Three Spring Media. Those of use out here in userland don't always get to see those things.
     
  10. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    PS. Yeah, Windscribe does look like a good service. They cover all the bases. And they have an interesting browser extension that includes anti-fingerprinting code, amongst many other features.

    On the other hand, their privacy policy does mention that they have an affiliate program, https://windscribe.com/privacy. So their claim in twitter that they don't advertise is a bit bogus. Also their Secure.link program is some sort of affiliate system for people to use to link to other websites and get paid (I don't quite understand it), https://windscribe.com/affiliate. So it seems like they are in the marketing business.

    And when you click on "about us," https://windscribe.com/about, you are given no information about who runs the company or where it is located. Some of that information is buried in the FAQ (they say they are in Ontario, Canada, but provide no actual address). As the Wirecutter review points out, having no public facing leadership (or public facing staff of any kind, as it appears for Windscribe) and no clear business location is a good reason not to trust a company.

    So I guess I'm skeptical of Windscribe, after an initial positive impression. A good example of why one should not fall for being impressed with lots of great looking features.
     
  11. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    1,749
    well said. in vpn business, the rule of thumb is:
    the more the bells and whistles, the less the security and privacy.
     
    Last edited: Dec 17, 2019
  12. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Thanks.

    I do think that Mullvad and IVPN and ProtonVPN are all pretty fully featured. And TunnelBear, which seems reasonably trustable has a lot of features. So I think it's probably hard to come up with any good rule of thumb.

    You just have to do your research and be on the look out for problem signs. Probably the best rule of thumb is not to trust anybody, until you've really looked into and researched a company a lot. And I think, whatever one thinks of TunnelBear, the Wirecutter review does provide a good example of the sort of things one should look for, to find a legitimate seeming company (publically available third party security and privacy audit, public facing leadership, address where company is located, transparency report by company, privacy policy and terms of service that do not contradict the marketing claims of the company, opensource software, and so on).

    And if you really have serious safety reasons to need to be anonymous, don't trust anybody. Use multiple different VPN services for multihop. Pay for the second hop with cash or properly anonymized Bitcoin. Use Tor on top of it. All the things Mirmir writes about so well.
     
  13. sabazi

    sabazi Registered Member

    Joined:
    Dec 1, 2019
    Posts:
    7
    Location:
    United States
    Has anyone here tried Tunnelbear, and if so, have you tested their speeds, especially in comparison to other providers?

    When I was deciding to switch providers over the past few weeks, I pretty much rejected Tunnelbear for these reasons:
    (1) recently acquired by McAfee -- I generally trust smaller, ostensibly independent & privacy-oriented providers more than large corporate enterprises (see Snowden revelations regarding the likes of Microsoft, Apple, etc). Also, there's:
    https://www.reuters.com/article/usa...cies-and-silicon-valley-idINDEE9620GH20130704

    (2) had not really read much about Tunnelbear in the past, so not sure what kind of track record they have (it's not a name that has been as highly recommended on this board as others, generally speaking, for example; and I don't think they've been included in any of the torrentfreak surveys in the past)

    (3) based in Canada--I don't know it for a fact, but I suspect that given high-profile domestic security incidents that have occurred in recent years, the likelihood of surveillance of VPN companies based there is higher than perhaps in other jurisdictions, and the potential for pressure to be brought to bear on revealing info about users could be greater.

    Also, a few years ago when Canada passed a law that some said was meant to crackdown on pirating, Tunnelbear started blocking P2P file-sharing, even if it might have been used for unquestionably legitimate purposes. They have reportedly modified their policy since then and now allow P2P, although I have not verified this.
     
  14. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I was intrigued by TunnelBear, after seeing the Wirecutter review. And as explained in my posts above, I appreciated many of the points Wirecutter makes about how to select a VPN service, especially their focus on the importance of third party security audits that are made public and a public facing leadership from the service.

    But I was ultimately not so interested in TunnelBear, because of their location in Canada and because they use affiliate links, which in fact is what Wirecutter was positing in their article recommending TunnelBear. For a review that went to such lengths to discuss how to evaluate whether you can trust both the reviewing site itself and a VPN service, having the affliliate link in the review was such a huge conflict of interest. It totally turned me off to both Wirecutter and TunnelBear.

    As I point out above, Wirecutter discusses all sorts of trust problems with companies, but conveniently ignore the affiliate link issue, even though the other service they recommend, Mullvad, explictly explains why they are against affiliate links on their website. It is not plausible that Wirecutter is unaware of this issue. They just ignored it, because it was inconvenient for their business model.

    So I guess with other choices avaible, like Mullvad, IVPN, and ProtonVPN, I'm not convinced TunnelBear is the best option. Yes, it's nice that they have a publically published security audit. But for me it doesn't outweight the different benefits of these other services.
     
  15. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    632
    Location:
    usa
    Somehow, I'm not interested in TunnelBear, but...
    I have my issues with all those reviews praising KillSwitch and here is why.
    I have been using at least 8 VPN service providers that "advertise" their KillSwitch.
    It's all good until you really need that KillSwitch and it does not work.
    WHY?
    All those VPN providers have a simple answer (it's not publicly announced) - The KillSwitch ONLY(!!!) works with Windows own FIREWALL.
    But I have and use BitDefender Total Security and its Firewall.
    SORRY! Our KillSwitch does not work with BitDefender's Firewall.
     
  16. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    It seems like it's asking for a lot to expect VPN providers to make their apps compatible with every possible third party firewall software for Windows. It doesn't seem realistic. In any case, you don't have to use their killswitch. You should be able to configure the firewall yourself, to only allow traffic through the VPN servers. This is what I've done in Linux.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.