VPN business ethics research – worrying findings about top VPNs

Jan Youngren | Security researcher
Last updated: December 1, 2020

The VPN industry in 2020 is booming. It’s full of services offering anything from online anonymity for journalists to Nvidia Shield access for gamers. Incidentally, these capabilities are what most reviewers look at when ranking VPNs on various top 10 lists.

With this research paper, we wanted to take a look at VPNs from a different angle. Namely, we wanted to know how honest they are in the language they use to sell their product, what rules they set for their affiliates, how they handle VAT payments, and more.

Summary

We ranked 16 VPN service providers based on 10 business ethics criteria explained below. Each category grants a maximum of 2 points (with 1 point given for half-met criteria). Here are our winners and losers.

Top 3

All three of these VPNs scored the same number of points – 18. They come the closest to our standard of ethics for VPN businesses.

  • Mullvad – 18 of 20 (90%). Mullvad has built a reputation based on privacy and ethics. They win points for every single criterion, except activism – Mullvad does not support nonprofits.
  • TunnelBear – 18 of 20 (90%). We know TunnelBear as the “fun” VPN brand, but it turns out to be among the most ethical as well. Just like Mullvad, TunnelBear wins all of the points except those awarded for supporting nonprofits.
  • NordVPN – 18 of 20 (90%). Our favorite overall provider makes the top of this business ethics list as well. The only gripe we have with NordVPN is that their website somewhat oversells the effectiveness of their product.

Bottom 3

These service providers all got below 10 points – a very low score, especially considering the high market standing of some of these VPNs.

  • CyberGhost VPN – 8 of 20 (40%). One of the richest VPNs when it comes to features and utility, CyberGhost scores quite terribly in the ethics department. At least the Romanian VPN doesn’t incentivize social media spam, requires affiliates to write ethical copy, and pays VAT as required by EU norms. But that’s about it.
  • ZenMate – 7 of 20 (35%). The few things this German VPN does right include not incentivizing social media spam, paying VAT according to EU norms, and requiring affiliates to write ethical copy. Yet from its Privacy Policy to its promotional materials, ZenMate has a lot to improve on.
  • Ivacy VPN – 4 of 20 (20%). Ivacy VPN doesn’t use price discrimination and forbids their affiliates from using spam. That’s all of the good news. Ivacy is a universal VPN product, but it cuts a lot of corners to get there.

How we ranked VPN providers

  1. Points were given to VPN providers who don’t incentivize social media spam by users (by offering discounts or other benefits).
  2. Points were given to providers who do not use price discrimination (charging differently based on the client’s location).
  3. Points were given to VPN providers who do not contradict themselves in communicating their logging (or no logging) policy. We compared statements about logging found on VPN provider websites to see whether they contradict each other (e.g. saying “strictly no logs” on the homepage, and walking it back in the Privacy Policy).
  4. Points were given to VPN providers who forbid their affiliates from using spam (as well as VPN providers that don’t have an affiliate program).
  5. Points were given to VPN providers who require their affiliates to write ethical copy (as well as VPN providers that don’t have an affiliate program).
  6. Points were given to VPN providers who require their affiliates to fully disclose their affiliate relationship (as well as VPN providers that don’t have an affiliate program).
  7. Points were given to providers who respect copyrights (don’t encourage torrenting or free/discounted streaming of sports events; don’t use the logos of sports federations without permission; etc.).
  8. Points were given to providers who a) pay VAT based on the rate in the customer’s EU country; b) display the amount and percentage during checkout, on the invoice, or are able to provide this information via support inquiries.
  9. Points were given to VPN providers who don’t oversell their ability to make users anonymous. We looked for statements implying that VPN encryption and hiding the user’s IP address are enough to completely erase any trace of a user’s online activities.
  10. Points were given to VPN providers who donate to nonprofit causes and organizations or offer discounts/benefits to certain groups of users.

How each VPN ranks according to our criteria

[Chart: how each VPN ranks according to our criteria]

The scores for each criterion have equal weight. We gave two points for passing each criterion and zero for failing. If the situation was ambiguous or the requirement was half-met, we gave the VPN one point. This way, the maximum score is 20 and the lowest possible score is 0.

Top 8 VPN providers


1-3. Mullvad

  • Score: 18 of 20 (90%)
  • No points for: Support for nonprofits

It would be a surprise to not find Mullvad, probably the most privacy-friendly VPN, at the top of the list.

The Swedish provider gets the highest score in the three criteria related to affiliate rules because it’s the only one without an affiliate program. Mullvad’s website is one of the few that doesn’t oversell the effectiveness of their VPN. Additionally, this company clearly and consistently communicates its logging policy and respects copyrights. Finally, we’re also happy to find that Mullvad pays VAT and shows the percentage/amount on its invoices.

The one criterion that kept Mullvad from getting a full score is its lack of support for nonprofits. With that said, only four competitors pass this test, meaning Mullvad doesn’t stand out from the crowd here.


1-3. TunnelBear

  • Score: 18 of 20 (90%)
  • No points for: Support for nonprofits

Our second top VPN, TunnelBear, is, as a service, quite different from Mullvad. When it comes to business ethics, however, they meet the same criteria.

TunnelBear does have an affiliate program and manages to pass all three affiliate-related criteria (full disclosure, ethical copy, no spam). Furthermore, they pay VAT and are clear about it, showing the exact amount and percentage on each invoice. There’s no price discrimination, either, meaning you won’t be overpaying just because you’re in the wrong country.

TunnelBear also loses points because it doesn’t support nonprofits – unfortunate, but unsurprising.


1-3. NordVPN

  • Score: 18 of 20 (90%)
  • No points for: Overselling what NordVPN is capable of

Probably the most successful VPN on the market, NordVPN scores positively in 9 of 10 criteria, sharing the top spot with Mullvad and TunnelBear.

NordVPN has a clear logging policy, follows copyright laws, and is one of a few to offer strong support for non-profits, even running its own program. Moreover, it doesn’t incentivize social media spam and doesn’t use price discrimination. NordVPN has a principled affiliate program, requiring full disclosure, ethical copy, and no spam from their partners.

The only criterion NordVPN failed was overselling the effectiveness of their product. NordVPN’s website claims that their service provides “complete online privacy,” which is something VPNs simply aren’t capable of. With that said, the majority of our reviewed providers suffer the same pitfall.


4-5. VyprVPN

  • Score: 16 of 20 (80%)
  • No points for: Following EU VAT norms; support for nonprofits

VyprVPN, a Top 10 overall provider, has the potential to move up but ends up lower than it could due to a pair of failed criteria.

On the plus side, VyprVPN is one of the five providers that don’t oversell the level of anonymity their service offers. What’s more, it’s one of the few that scores a perfect 6/6 for setting ethics rules for their affiliates. We also appreciate that it respects copyrights and has clear logging practices.

When it comes to failings, VyprVPN joins the majority by not supporting nonprofits. Unfortunately, it also has a VAT policy that’s inconsistent with EU norms. As we were told by customer support, VyprVPN doesn’t charge any VAT on their product, since there is supposedly no digital services tax applicable.


4-5. Windscribe

  • Score: 16 of 20 (80%)
  • No points for: Following EU VAT norms; support for nonprofits

Sharing the same spot with VyprVPN, Windscribe also passes and fails at the same criteria. Again, this might give the impression that these services are similar, but as our reviews show, they’re actually known for very different strengths.

Windscribe is one of the few to ask their affiliates for full disclosure, ethical copy, and to refrain from spam. Also, they don’t oversell the product’s capabilities on their website and provide visitors with a clear logging policy. Additionally, the prices are not “adapted” for each country – this provider charges the same amount around the globe.

We weren’t surprised by the lack of support for nonprofits. However, we were surprised to learn from their customer support that Windscribe “doesn’t pay VAT.”


6. ProtonVPN

  • Score: 15 of 20 (75%)
  • No points for: Requiring full disclosure from affiliates; requiring ethical copy
  • Half points for: following EU VAT norms

ProtonVPN is one of the few services with a great free version. And while this otherwise solid company has some ethical issues, it sits firmly between Windscribe and Surfshark VPN among the top 8 providers.

Starting from the pros, ProtonVPN is one of the few providers to not oversell the anonymity it provides for its potential clients. Additionally, it has clear logging policies, follows copyright laws, and strongly supports non-profits.

Where ProtonVPN fails the most, scoring 2/6, is their affiliate program. It doesn’t require affiliates to provide full disclosure or write ethical copy. ProtonVPN doesn’t pay VAT in the EU, claiming they don’t reach the revenue threshold where this would be a requirement.


7. Surfshark

  • Score: 14 of 20 (70%)
  • No points for: Overselling what Surfshark is capable of; requiring ethical copy; respecting copyrights

Surfshark VPN is a Top 5 provider, known for its low prices and unlimited simultaneous connections. Unfortunately, failing three criteria keeps it out of the highest spots in our business ethics ranking.

Starting from the good, Surfshark VPN has clear logging policies, pays VAT, and supports nonprofits. Just like NordVPN, Surfshark gives a 15% discount to students, ticking off the activism box (although it has no other initiatives to speak of). We’d also like to point out that this service requires full disclosure from its affiliates and forbids them to use spam.

On the negative side, Surfshark VPN does not require affiliates to write ethical copy. Also, they fail to respect copyrights (e.g. they have a Premier League logo on their website). Finally, we found their promotional copy misleading, giving users the idea that without a VPN, even online banking cannot be safe (ignoring the existence of TLS encryption).


8. Private Internet Access (PIA)

  • Score: 13 of 20 (65%)
  • No points for: Overselling what PIA is capable of; requiring full disclosure from affiliates; respecting copyrights
  • Half points for: Following EU VAT norms (claims to pay VAT, but doesn’t display amount or percentage paid)

Private Internet Access is one of the oldest and most popular VPNs out there. Therefore, we were happy to find it among the most ethical ones as well. While PIA failed in three criteria out of ten like Surfshark, we gave it half points for the fourth one, putting it a level below.

We like that Private Internet Access requires ethical copy from their affiliates, forbids spam, and is one of the few VPNs to support nonprofits. Additionally, PIA has clear logging policies and refrains from price discrimination.

Unfortunately, PIA follows EU VAT norms only partially: the company claims they do pay VAT, however, they don’t tell users the amount on invoices.

The American VPN oversells the level of anonymity their product can provide, claiming that an IP address given by them offers you the “freedom of anonymity.” PIA also doesn’t require full disclosure from affiliates and doesn’t seem to be very respectful of copyrights – we found a lot of unauthorized logo use on their website.

Bottom 8 VPN providers


8. ExpressVPN

  • Score: 12 of 20 (60%)
  • No points for: Overselling what ExpressVPN is capable of; following EU VAT norms; requiring full disclosure from affiliates; respecting copyrights

We are saddened to see ExpressVPN this low on our business ethics list. This came as a surprise because it’s one of the most popular and well-known services, found in almost every “best of” ranking.

ExpressVPN has a clear and non-contradictory privacy policy, supports nonprofit activism and the advocacy group Fight for the Future, including through monetary donations. What’s more, this provider requires ethical copy from its affiliates and forbids spamming. Finally, ExpressVPN doesn’t use price discrimination.

However, their website oversells what their product can do, claiming that with ExpressVPN, “no one can see what you’re doing.” This is in addition to the terrifying images used to illustrate how exposed you are without it. Furthermore, ExpressVPN doesn’t require full disclosure from its affiliates and uses sports federation logos (including the UEFA logo) to promote its product.

Finally, ExpressVPN doesn’t pay VAT – their reasoning is that there’s no such tax in the British Virgin Islands where this company is based. Sadly, VAT doesn’t really work that way: EU VAT on digital services is due at the rate of the customer’s country, regardless of where the seller is based.


9-11. IPVanish

  • Score: 10 of 20 (50%)
  • No points for: Overselling what IPVanish is capable of; requiring full disclosure from affiliates; requiring ethical copy; support for nonprofits
  • Half points for: Contradictory logging policies; following EU VAT norms

IPVanish is not a bad VPN by any means – it provides excellent security for a decent price. However, IPVanish’s reputation was tarnished by a 2016 logging scandal that won’t be forgotten soon (even though they’re under new ownership now). This story and other failed tests mean it ends up in 9-11th place with ProtonVPN and HMA VPN.

On the plus side, this provider doesn’t incentivize social media spam from users, doesn’t use price discrimination, and seems to respect copyrights. Yet there’s not much more positive we can say here.

Among the biggest sins of IPVanish is the language they use to sell their product, overstating the degree of anonymity the tool can offer with phrases like “surf the web without a trace,” among others. Furthermore, this provider doesn’t require full disclosure from its affiliates, not to mention ethical copy.

While IPVanish claims to be a “zero traffic logs” provider – a statement they have backed up with an independent audit in 2017 – there is still the issue we’ve already alluded to. IPVanish got caught up in a data logging scandal in the past and it’s hard to give them full points for properly communicating their logging policy with that looming in the background.

Finally, IPVanish does pay VAT, but they won’t tell you how much of your fee it makes up even if you ask customer support directly.


9-11. HMA VPN

  • Score: 10 of 20 (50%)
  • No points for: Overselling what HMA VPN is capable of; using price discrimination; requiring full disclosure from affiliates; support for nonprofits; respecting copyrights

HideMyAss!, or HMA VPN, as it likes to be called nowadays, is one of the oldest and most popular providers out there. However, it has never been known as one that cares deeply about certain aspects of the VPN business, such as user privacy.

On a positive note, they’re one of the few providers that are clear about paying VAT, applying it to payments made from the EU at the rate applicable in each country. Furthermore, while their service keeps logs, they at least don’t claim to have a “no logs” or “zero logs” policy. Finally, HMA VPN requires affiliates to write ethical copy and not to use spam to sell their product.

While this provider joins a long list of VPNs that oversell how much anonymity they can offer, HMA VPN is one of only two services reviewed here that offer different prices in different countries. For example, the German 3-year plan is cheaper than its US counterpart by more than $20. HMA VPN also doesn’t require full disclosure from its affiliates, doesn’t support nonprofits and doesn’t show much respect for copyrights.


12-13. PrivateVPN

  • Score: 9 of 20 (45%)
  • No points for: Overselling what PrivateVPN is capable of; requiring full disclosure from affiliates; requiring affiliates to not use spam; requiring ethical copy; support for nonprofits
  • Half points for: following EU VAT norms

PrivateVPN is one of the few premium services that ended up low on our list. While it looks good as a service, keeping only minimal logs, offering great prices and excellent unblocking capabilities, things turn south when the talk shifts to various business practices.

On the positive end, PrivateVPN doesn’t use price discrimination. It also has a clear logging policy and manages to follow copyright laws. Unfortunately, that’s about it, unless we mention that PrivateVPN doesn’t incentivize social media spam, which is a criterion passed by 14 of 16 reviewed VPNs.

Moving to the less positive stuff, their website oversells what PrivateVPN is capable of, inviting you to “be undetectable.” PrivateVPN also goes easy on its affiliates, not requiring full disclosure or ethical copy and not giving a clear “no” when it comes to spamming. Furthermore, this company doesn’t offer any tangible support to nonprofits, and won’t tell you how much VAT they pay.


12-13. PureVPN

  • Score: 9 of 20 (45%)
  • No points for: Overselling what PureVPN is capable of; following EU VAT norms; requiring full disclosure from affiliates; support for nonprofits; respecting copyrights
  • Half points for: Contradictory logging policies

Despite being a decently useful tool, PureVPN doesn’t have the best reputation – something that’s reflected in this research. It ends up sharing the 12-13th place with PrivateVPN.

To begin with the positives, we found no evidence of price discrimination. What’s more, PureVPN clearly requires ethical copy and asks their affiliates to follow a no spam policy. Also, this provider says “no” to social media spam.

On the negative side, their “no-logs” audit results should be taken with a grain of salt. After all, PureVPN gave data to US authorities in 2017. Furthermore, this provider oversells what their product can do (“your privacy is guaranteed with our anonymous VPN”) and says they don’t pay VAT, apparently leaving that to their payment processor instead.

Lastly, PureVPN has no qualms using logos of sports federations (such as UEFA) to promote their services, demonstrating a lack of respect for copyrights.


14. CyberGhost VPN

  • Score: 8 of 20 (40%)
  • No points for: Overselling what CyberGhost VPN is capable of; incentivizing social media spam; requiring full disclosure from affiliates; requiring affiliates to not use spam; support for nonprofits; respecting copyrights

CyberGhost is widely respected, including by us. This is a feature-rich and fast service that offers a lot of utility. So it’s sad to see it this low on our list.

Starting from the pros, this provider is a proud VAT taxpayer that also doesn’t use price discrimination. It has no contradictions in its privacy policy and requires ethical copy from its affiliates. And that’s all of the good we can tell you about CyberGhost VPN.

CyberGhost VPN is one of the two providers that incentivizes social media spam by rewarding its users based on the number of converted clients. What’s more, this VPN is yet to forbid spam as a marketing tool or ask its affiliates for full disclosure. As a matter of fact, CyberGhost forbids affiliates from disclosing their affiliate status “without the mutual written consent of both parties prior to such disclosure.”

Like many others, CyberGhost also oversells what their VPN can do, inviting potential clients to enjoy “unbreakable security.”


15. ZenMate VPN

  • Score: 7 of 20 (35%)
  • No points for: Overselling what ZenMate VPN is capable of; using price discrimination; requiring full disclosure from affiliates; requiring affiliates to not use spam; support for nonprofits; respecting copyrights
  • Half points for: Contradictory logging policies

ZenMate VPN passes only 3 of 10 criteria and raises questions about a fourth one.

To cut ZenMate VPN some slack, we must note that they pay VAT and show the amount on invoices. Their affiliate agreement also requires affiliates to write ethical copy. Finally, ZenMate VPN is against social media spam, which is propagated by its neighbors above and below.

First on the list of negatives, ZenMate should clarify its Privacy Policy – currently, it only indicates what data they collect via the website, forgetting to mention the service itself. In addition to that, ZenMate uses misleading phrases like “100% guaranteed no-log policy” or “Just One Click to Ensure Security and Privacy Online.”

ZenMate is one of only two services on this list to use price discrimination, charging the same amount in USD as they do in Euro. And finally, they’re not very respectful of copyrights, as evidenced by the Netflix and YouTube logos on their website.


16. Ivacy VPN

  • Score: 4 of 20 (20%)
  • No points for: Overselling what Ivacy VPN is capable of; incentivizing social media spam; contradictory logging policies; following EU VAT norms; requiring full disclosure from affiliates; requiring ethical copy; support for nonprofits; respecting copyrights

Generally speaking, Ivacy VPN, a Top 10 service, does pretty well in terms of utility. But when the talk turns to business ethics, this Singapore-based provider crumbles like House of Cards review scores after Season 4, placing it dead last on our list.

Nearly everything about Ivacy is bad, so let’s highlight those two lonely positive points first. 1) Ivacy VPN forbids spamming by their affiliates; 2) they don’t use price discrimination.

Ivacy VPN fails at 8 of 10 criteria by having contradictory logging policies, overselling the efficacy of their service, not paying VAT, and not following copyright laws, among other things.

As it stands, perhaps it would be a good idea for Ivacy VPN to make some profit using price discrimination – it’s not like the picture would change significantly.


3 comments


  1. Ana

    That table is really useful! Would be cool if you kept it up as a section somewhere on the site and added the other VPNs to it too.


  2. James

    Hello, VPNpro.
    Thanks for such an interesting and powerful research. I was quite pleased to see the other side of the medal. I was very surprised with TunnelBear actually.


  3. Azee

    Interesting reading, thanks
