ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

VPN Pays for Third Party Audit: Is this the Future?

The last few years have been a bumpy ride for the Virtual Private Network (VPN) industry. News has emerged about VPNs selling bandwidth, injecting adverts, selling user data, providing poor security, and at times even lying about what encryption they provide. Here at ProPrivacy.com, we are all too aware of the problems. That's why we carefully review VPNs and inform consumers about their flaws (as well as their attributes). 

Just last week, news broke about a complaint that the independent advocacy group Center for Democracy and Technology (CDT) has made about the US-based VPN, Hotspot Shield. CDT has filed a 14-page complaint with the Federal Trade Commission because it feels that Hotspot Shield has been violating Section 5 of the FTC Act’s prohibition against unfair and deceptive trade practices. 

The issue is explained in the ProPrivacy.com review of Hotspot Shield. As CDT states,

“ProPrivacy’s review highlights exactly what Hotspot Shield does wrong.”

Joseph Jerome from CDT also told me, 

“You, as someone in the weeds on VPNs, might understand what they're doing, but the average consumer won't.”

Food for Thought

That got me thinking. CDT is right to complain to the FTC. Why? Because despite the fact that ProPrivacy.com’s review of Hotspot Shield is freely available for anyone to read, Hotspot Shield’s privacy policy is still confusing. Consumers shouldn’t require reviews like ours to decipher the contents of a VPN firm’s privacy policy: it should be explained in plain English from the beginning so that subscribers know exactly what they are getting.

Unfortunately, consumers aren’t always aware of what's going on under the hood of a VPN. A Commonwealth Scientific and Industrial Research Organisation (CSIRO) report from earlier this year analyzed poor reviews (one or two stars) of VPNs on the Google Play Store (that had more than 500K installs and an overall rating of 4-stars). It found that,

“Only less than 1% of the negative reviews relate to security and privacy concerns, including the use of abusive or dubious permission requests and fraudulent activity.”

Csiro 150X150

That is a startling statistic. It demonstrates just how vulnerable VPN consumers are to the erroneous privacy claims made by VPNs. What's more, it isn't just VPN privacy policies that must be precise and honest, but the entire of a VPN's code and infrastructure that must be tested in order to ascertain that it is actually delivering the promises it makes. Sadly, VPNs aren't currently regulated so consumers are at risk.

Now, a VPN firm called TunnelBear has decided to take matters into its own hands in order to add even more transparency to its already respected service. 

The TunnelBear Third Party VPN Audit

TunnelBear is a VPN firm based in Toronto, Canada, that has just announced the results of a third party audit. In its blog post about the audit, TunnelBear explains that due to a rise in concerns over the practices of commercial VPNs, it decided to employ an independent security firm to audit its service:

“While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear.”

The firm that TunnelBear employed to do that audit is called Cure53. In its blog post, TunnelBear candidly admits that not all of Cure53's findings were positive:

“If you’ve already looked at the results, you’ve seen that the 2016 audit found vulnerabilities in the Chrome extension that we weren’t proud of. It would have been nice to be stronger out of the gate, but this also reinforced our understanding of the value of having regular, independent testing. We want to proactively find vulnerabilities before they can be exploited.”

All the vulnerabilities that were discovered during the course of the initial audit were rapidly fixed by TunnelBear’s development team. During the follow-up audit, Cure53 found that TunnelBear had managed to plug all of the major security issues that it discovered:

“The results of the second audit clearly underline that TunnelBear deserves recognition for implementing a better level of security for both the servers and infrastructure as well as the clients and browser extensions for various platforms.”

This is fantastic news for TunnelBear’s customers. However, it also raises alarms about other VPNs. By its own admission, TunnelBear had hoped to “be stronger out of the gate.” Sadly, however, what we hope for isn’t always what we get. 

When it comes to properly auditing the hundreds of lines of code that make up a VPN - especially because cryptography is involved - there are few people that can properly do the job. What’s more, funding an audit like the one that TunnelBear paid for (out of its own pocket) is far from cheap.

Big Bill

A Sign of Things to Come?

The good news is that other audits do already happen. In May, the results of an audit of OpenVPN encryption proved that the leading VPN protocol was secure. That report was published by the Open Source Technology Improvement Fund (OSTIF). It was paid for by contributions from many individuals and firms within the VPN industry (including ProPrivacy.com). 

The OSTIF report proved the validity of OpenVPN as a form of encryption. It demonstrated that VPNs that implement OpenVPN (to the latest standards) are providing their users with strong privacy and security. However, what that audit couldn’t do was verify third party VPNs' custom clients implementation or client-side infrastructure and security. That's something that each VPN must seek to do for itself - if it wants to prove that every single part of its code is free of vulnerabilities.

Passed Audit Vpn

Not Doing Enough

AirVPN, a well known and highly trusted VPN provider, told me that it employs white hat hackers to test its infrastructure on a regular basis:

"Our service is based on OpenVPN. About OpenVPN we co-financed an extensive audit, in addition to the normal peer reviews by security experts and community on free and open source software. 

"Our software client, an OpenVPN wrapper and frontend, is free and open source software too (released under GPLv3). Source code is available in GitHub.

"We do not release any bloatware, so the remaining parts of the infrastructure needing stress and attack tests are on our side. Our infrastructure is frequently attacked by professional and authorized persons (skilled hackers) in search of vulnerabilities and, of course, the Air staff carefully analyzes the reports of such attacks. We do not advertise this activity or consider it a marketing tool, because this is the ordinary and normal behavior in the IT industry, especially when exposing services on a public network."

Cure53 Penetration Tests

However, Mario Heiderich from Cure53 told me that, for VPNs not to advertize the testing they have done is counterintuitive:

"VPN providers should be loud about it, should offer transparency, should publish reports and prove to their users that they have the best in mind for them."

In addition, Heiderich told me that "having their client code on Github or the like might help - yet lots of software has critical bugs despite being open source, so there is no guarantee of any kind." That important point highlights the importance of this kind of audit. After all, there is a difference between having Open Source VPN code and having open source code that has been thoroughly independently verified.

Good... Great... Better

Don't get me wrong, in terms of transparency, AirVPN is leaps and bounds ahead of the vast majority of VPNs on the market. However, what TunnelBear has done definitely goes a step further. It demonstrates an unusually determined approach to highlighting the trustworthiness of the service.

Good Better

Here at ProPrivacy.com, we applaud TunnelBear for having made the leap to pay for its own in-depth and public audit. TunnelBear can now brag more confidently about its security levels than just about any other VPN. This is a position that other VPNs will no doubt wish to emulate. As far as we are concerned, this is something that all top-end VPNs should want to do.

VPNs should be completely honest and transparent about every part of their service. TunnelBear has gone that extra mile and proven that there is a way to improve the VPN industry’s reputation. We hope that more VPNs decide to follow this excellent example.

Consumers Must Act!

Cure53 informs me that 38 days (the length of time that TunnelBear says its two audits took) of auditing costs approximately $45,000. As such, it seems highly unlikely that the majority of commercial VPNs will go ahead and follow suit.

What's more, until consumers start heeding warnings such as the ones we make here at ProPrivacy.com, they will continue to have their privacy compromised by VPNs intent on making a quick buck. Consumers need to take action by steering away from VPNs with poor privacy policies and staying clear of VPNs that make false claims on their websites. It's time for users to ditch lousy VPNs in favor of trusted and recommended services!

Opinions are the writer's own.

Title image credit: TunnelBear home page

Image credits: hvostik/Shutterstock.com, Stuart Miles/Shutterstock.com, mstanley/Shutterstock.com

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

3 Comments

Lakew Kifle
on August 23, 2017
Hey very nice technology I appreciate you god bless you?
Roy
on August 18, 2017
This is disturbing I hope my VPN provider which is FrootVPN doesn't change for the worst. They are the best VPN around for me and its fast and secure
https://cdn.proprivacy.com/storage/images/2022/06/ray-walshpng-avatar_image-small_webp.webp
Ray Walsh replied to Roy
on August 18, 2017
I'm not sure what you mean by "change for the worst". A VPN is unlikely to change for the worst: if it is bad in terms of privacy and security it likely is already bad without you realizing. Security audits like the one discussed in the article are extremely positive and would allow your VPN (or any VPN) to find issues it already has and plug them. This is how the IT industry works in general: people write software and then it is checked for vulnerabilities. Later it is checked again. Often times, software that was thought to be secure is found to have a vulnerability (known as a zero-day because it was previously unknown). It is for this reason, and because new hacking methods etc arise, that keeping any platform secure is an ongoing process. As such, any software - including VPNs - should always be getting better and better, not worse! The good thing is that - as tunnelbear has proven - VPNs are beginning to want to do more and more to prove to consumers that they are a worthy VPN service for your investment. As more VPNs invest in this type of third party audit, the easier for consumers it will become to be able to tell which ones they can trust and which ones they can't. In the long run, this should lead to a mass culling of lousy VPN services, and a general improvement within the ones that want to stick around.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service