
Top VPNs are recording users and potentially leaking their data when they visit their website

Updated March 25, 2020

When you think about the most consumer-friendly cybersecurity tools, it’ll probably come down to antivirus programs and VPNs. Of the two, VPNs are used for their ability to get around geolocation restrictions, as well as to provide users with the utmost in security and privacy.

So it would come as a huge surprise for those users to find out that some of their favorite VPNs don’t seem to respect their users’ privacy at all.

Our research shows that VPN websites are disappointingly very similar to – and sometimes worse than – other popular websites. Of the 114 VPNs we analyzed, 102 websites had trackers on them, with 26 websites having 10 or more trackers. A lot of these trackers involve third parties that don’t have the best reputation for respecting user privacy, which can be detrimental for the user.


Even worse, they’re using session replay scripts: nearly 1 in 4 VPN websites used them to record video of how each user goes around their website, what they click, what they search for, and much more.


Luckily, the situation isn’t all bad: there are 13 websites that have absolutely no trackers on them, and 48 websites have 4 or fewer trackers on them.

But, honestly, that last accolade is simply a pat on the back. Remember, these trackers are made so that they can track your online behavior, and follow you wherever you go on the internet. Having even 1 of them on your website really defeats any argument for ultimate privacy and anonymity.

Key findings

  • 102 VPN websites have 1 or more trackers, and 26 websites have 10 or more trackers
  • There are 32 session replay scripts across the 114 VPN websites
  • 17 websites have trackers from third parties whose privacy practices are not sufficiently clear
  • 45 websites have Facebook trackers, with 39 having more than 1
  • Only 13 websites have 0 trackers on them

About this research

In order to analyze these websites, we used the freeware anti-tracker add-on Ghostery. It not only has a large list of trackers in its database, but it also conveniently provides links to these trackers’ privacy policies and various summaries of the data that’s collected and shared.

Besides looking at simply the trackers for each VPN website, we also looked through these third-party privacy policies to determine their safety or risk.

The original list contained the top 120 VPN websites, but 6 VPN websites have since gone offline. The list of VPN websites we analyzed comes from our VPNpro rankings for 2019.
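
A simplified version of this kind of audit, as an added example (not VPNpro's or Ghostery's code): it lists the third-party hosts a page's markup loads from, flags session-replay vendors and other trackers, and reports any resource fetched over plain HTTP. The vendor-domain map, the `vpn.example` site and the sample markup are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed vendor domains, for illustration only; Ghostery's database is far larger.
SESSION_REPLAY = {"hotjar.com": "Hotjar", "smartlook.com": "Smartlook",
                  "mc.yandex.ru": "Yandex"}
TRACKERS = {"connect.facebook.net": "Facebook", "taboola.com": "Taboola",
            "adroll.com": "AdRoll", "bluekai.com": "BlueKai", "openx.net": "OpenX"}

class SrcCollector(HTMLParser):
    """Collect src attributes of elements that trigger a network request."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "img") and src:
            self.sources.append(src)

def vendor_for(host, table):
    """Return the vendor whose domain equals or is a parent of host."""
    for domain, vendor in table.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None

def audit(html, page_url):
    """Static audit of markup only: scripts injected at runtime by tag
    managers are not seen, so this undercounts what a browser add-on reports."""
    site = urlparse(page_url).hostname.removeprefix("www.")
    collector = SrcCollector()
    collector.feed(html)
    replay, trackers, third_party, insecure = set(), set(), set(), []
    for src in collector.sources:
        url = urlparse(urljoin(page_url, src))  # resolves relative and // URLs
        host = url.hostname
        if not host or host == site or host.endswith("." + site):
            continue  # data: URI, or first party by a naive same-suffix check
        third_party.add(host)
        if url.scheme == "http":
            insecure.append(url.geturl())  # cleartext load, open to interception
        if vendor := vendor_for(host, SESSION_REPLAY):
            replay.add(vendor)
        elif vendor := vendor_for(host, TRACKERS):
            trackers.add(vendor)
    return {"session_replay": sorted(replay), "trackers": sorted(trackers),
            "third_party_hosts": sorted(third_party), "insecure": insecure}

# Constructed sample page for a hypothetical provider at vpn.example.
SAMPLE = """<script src="/assets/app.js"></script>
<script src="https://cdn.vpn.example/lib.js"></script>
<script src="https://static.hotjar.com/c/hotjar-000000.js"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="http://rec.smartlook.com/recorder.js"></script>"""
```

Calling `audit(SAMPLE, "https://vpn.example/pricing")` returns the vendors found, the third-party hosts, and the one cleartext load.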

The dangers of session-replay scripts

Whenever you visit a website that uses session-replay scripts, your session – your visit – is probably being recorded. Session-replay scripts allow website owners, marketers, salespeople, and others to see how users are interacting with their websites. We found that 26 VPN websites use session-replay scripts on their sites, with one, Avast SecureLine VPN, even using 3 different session-replay tools to record users.

The term “session-replay” comes from the ability for these tools to replay user sessions. Essentially, these tools can record all your activities when you visit their websites, including what you clicked on, what you searched for, what you entered into any forms (before you’ve even clicked on ‘submit’), and anything else you’re doing online.

And by record, we mean actually record: these session-replays are video recordings of your online behavior. Here’s footage of some video sessions you can see using one leading session-replay tool, Hotjar:

If that doesn’t sound creepy enough, Princeton security researchers found the following:

“Collection of page content by third-party replay scripts may cause sensitive information such as medical records, credit-card details, and other personal information displayed on a page to leak to the third-party as a part of the recording…This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout or registration processes.”

While some of the session-replay tools were able to redact (hide) information users entered while they were being recorded, not all tools did this. Some passwords could clearly be recorded in their research, and a lot of sensitive data could also be leaked. The researchers created a table displaying their findings, where a filled circle means that the data was excluded (redacted), a semi-filled circle indicates equivalent masking, and an empty circle means that the data is being sent directly:

Princeton security researchers’ findings table

Even when there is some security put in place, the Princeton researchers found that some companies, including Yandex, Hotjar and Smartlook, all delivered playbacks of these user recordings on HTTP pages, even if the recordings took place on HTTPS pages. Because HTTP pages are unencrypted, this presents a big opportunity for MITM (man in the middle) attacks, where a hacker can easily steal all of the recording data.

VPN websites using session-replay scripts

Trackers and privacy violations

But there are more problems with trackers than just the vulnerabilities and lack of privacy with session-replay scripts.

There are many different types of trackers and they offer different levels of privacy. Some trackers will collect user data, but will not share anything beyond anonymous/aggregate data, and others are pretty unclear about what they share. Some are even pretty benign, in that they collect data, but share minimally, or are pretty essential for a website to function.

But there are some trackers that are plain bad, sharing personally identifiable or pseudonymous data with third parties. We’ve identified 34 different trackers that are bad for your privacy. These trackers include Taboola, Zendesk, Adroll, BlueKai and OpenX.

OpenX’s vast data collection

Let’s take the last one, OpenX, as an example. According to their privacy policy, OpenX, which bills itself as the global leader in “programmatic advertising,” may collect your age, gender, marital status, your phone information, IP address, and even your exact GPS location:

OpenX Privacy Policy tracking users

They can also share all that data with others for various purposes.

OpenX has been accused of violating consumers’ privacy in the past. The programmatic advertising company was identified as using a technique that allowed it to share data with other companies, including unauthorized third parties. Essentially, this allows multiple companies to collect user data, even without those other companies getting users’ consent under the GDPR and California’s CCPA.

BlueKai’s spotty reputation

But OpenX isn’t alone in this. Most of these riskier trackers are guilty of using the same business techniques. Take for example BlueKai, which was purchased by Oracle in 2014. BlueKai has been mentioned time and time and time again for its potential privacy violations. It’s even been named in a GDPR complaint [pdf] by Privacy International, due to the grave concerns over the “data processing activities of the data broking and adtech industry.”

In academic research [pdf] looking at BlueKai and other data brokers, the researcher mentioned three big problems with data brokers in terms of user privacy:

  1. The security of data storage is not sufficient
  2. Trackers sell data to other entities
  3. Ad brokers accidentally expose user data through their advertising services

The second issue is most damning. Since data brokers like BlueKai make money by collecting and selling user data, this presents a big privacy risk. That’s because while BlueKai’s privacy policy stipulates what it can and cannot do with user data, the data eventually will be subject to BlueKai’s customers’ privacy policies, which can be different from BlueKai’s.

Bluekai data broker analyzed in research paper

So while BlueKai may state that they respect your privacy when they collect your data, they may very well be selling that data to companies that don’t care about your privacy at all.

VPNs using risky trackers

What it means for VPN users

Overall, this isn’t very promising for people visiting VPN websites. Essentially, while you should expect a higher level of privacy and anonymity from these services – based on what these VPN companies are supposed to be providing – what you’ll actually find is much, much less.

VPN websites are using the same marketing tactics for which they often accuse the big names, like Facebook. In fact, 45 websites we analyzed are using Facebook trackers. That’s pretty much like talking out of both sides of your mouth, with one saying that Facebook is bad for your privacy, while at the same time stating that Facebook is good for your customers.

In the middle ground that lies between those two statements, users are losing out. With adtech firms and data brokers collecting and selling your user data, there doesn’t seem to be anything particularly private or anonymous about these VPN websites.

Luckily, there is an easy – but not perfect – solution:

  • use extensions and tools like Ghostery, which can help block many of these trackers and session-replay scripts
  • use privacy-by-default browsers like Brave
  • seriously limit what you’re doing on these websites, or avoid them completely. (If you have a question, simply email their customer support).

There are many more involved methods you can use to limit what kind of data you’re sharing with these websites, and all websites and browsers in general, but those options we listed above should work for VPN websites.

I’d like to end on a positive note, however, by listing the 20 VPN websites that are the most private, containing the fewest trackers overall:

  1. 12VPN –
  2. AirVPN –
  3. ConfirmedVPN –
  4. CryptoStorm –
  5. Disconnect VPN –
  6. DotVPN –
  7. Mullvad –
  8. Proton VPN –
  9. Psiphon –
  10. Thunder VPN –
  11. VIP72 VPN –
  12. VPN.ac –
  13. Zorro VPN –
  14. Celo VPN – 1
  15. Hideman VPN – 1
  16. IVPN – 1
  17. Seed4.Me – 1
  18. VPNReactor – 1
  19. Windscribe – 1
  20. ZenVPN – 1

If you’re not seeing your favorite VPN provider here — whether that’s NordVPN, ExpressVPN, or even PIA — that’s probably because they have neither the most nor the riskiest trackers, nor the fewest trackers.

Here’s a quick list of your 20 favorite VPN providers, and how they fare in terms of total trackers, riskiest trackers, and session replay scripts:

VPN Provider Total no. of trackers Risky trackers Session replay scripts
NordVPN 10
Surfshark 8
ExpressVPN 10
CyberGhost 10 1
Astrill 7
TorGuard 4
Ivacy 11 1 1
PrivateVPN 7
Windscribe 1
VyprVPN 12
Proton VPN
Perfect Privacy 5
PIA 4
IPVanish 15 2
Hotspot Shield 8
PureVPN 10 1
HideMyAss 15 1
TunnelBear 5
Avast SecureLine VPN 24 3 3
Norton WiFi Privacy 36 8 1


40 comments


  1. Dan Snider, March 28, 2020 at 9AM

    I highly recommend ProtonVPN. They are using zero trackers or replay scripts and all of their clients are open source software and have been independently audited. I’ve been a paying user ever since they first released and it’s truly a great service with good customer support. They are extremely privacy-centric and don’t store logs of your activities. They have hundreds of endpoints all over the world and really go all-in on security. Anyone using PIA or NordVPN should seriously consider using ProtonVPN instead.



  2. Alex, March 26, 2020 at 9PM

    NordVPN states on their webpage, that they don’t log anything.

    How can they say so, when you tested otherwise?

    Or are the 10 mentioned trackers not for userdata for something else?


      1. Jan Youngren, March 30, 2020 at 7AM

        Hi Alex,




  3. Joost Hoogendoorn, March 26, 2020 at 5PM

    You can add WifiMask VPN to the list of VPNs who do not track anything.



  4. DEM, March 25, 2020 at 2PM

    Why are they called “VPN Websites”? I use software that creates a tunnel between my computer and another endpoint somewhere in the world. I don’t go to a website. Please explain.


      1. Jan Youngren, March 26, 2020 at 7AM

        Hi Dem, they’re called VPN websites because this research looked exclusively at the websites of VPN providers.




  5. Rich Kotowicz, March 25, 2020 at 9AM

    Jan, do you want to claim that websites of all those VPN providers should not aim to provide the best possible user experience on their websites? Just asking, because it’s not really clear from the research above. Thanks!


      1. Jan Youngren, March 26, 2020 at 7AM

        Hi Rich,




  6. Jan Youngren, March 25, 2020 at 7AM

    Hi guys – we’ve been getting a lot of comments and questions about the biggest names, like NordVPN, ExpressVPN, Surfshark, etc.



  7. Mattias, March 25, 2020 at 6AM

    Feels like some of the biggest players aren’t covered at all, like the ones already mentioned.


      1. Jan Youngren, March 25, 2020 at 7AM

        Hi, Mattias. We’ve just updated the article with a table of most popular VPN providers.




  8. Jon, March 25, 2020 at 3AM

    Looking for NordVPN here too?? Gotta be one of the top ones based on SEO results, but not mentioned. Otherwise great.


      1. Jan Youngren, March 25, 2020 at 7AM

        We’ve updated the article with a table of most popular VPN providers.




  9. Zac Bryant, March 25, 2020 at 1AM

    Express VPN?


      1. Jan Youngren, March 25, 2020 at 7AM

        Hi Zac, the article was updated with a table of most popular VPN providers.




  10. Saige Pilgrim, March 24, 2020 at 10PM

    Where can we find the full list of VPNs reviewed?


      1. Jan Youngren, March 25, 2020 at 7AM

        Hi Saige, listing all 120 VPNs we analyzed would make for an extremely long article, but we’ve updated with a list of 20 most popular VPNs now.




  11. adam, March 24, 2020 at 7PM

    funny how none of the VPNs with heavy advertising campaigns like nord or tunnelbear are on either the risky or safe list. Also thought there were 102 risky vpns…def don’t see all of them listed. Wonder why.


      1. Jan Youngren, March 25, 2020 at 7AM

        Listing all 120 VPNs we analyzed would make for an extremely long article, but we’ve updated the article with a list of 20 most popular VPNs now.




  12. Matthew, March 24, 2020 at 7PM

    There is a difference between what the VPN companies do on their public facing sites vs what they do on their internal Networks for users isn’t there? That’s an important distinction.



  13. Nic, March 24, 2020 at 6PM

    Seems they didn’t want to upset the big players



  14. Gin, March 24, 2020 at 6PM

    What about Tunnel Bear?


      1. Jan Youngren, March 25, 2020 at 7AM

        We’ve updated the article with a list of 20 most popular VPNs, including Tunnel Bear.




  15. SamG, March 24, 2020 at 5PM

    Great research but it appears to be missing several popular VPN services like Nord and PIA.


      1. Jan Youngren, March 25, 2020 at 7AM

        Thank you for your interest, we’ve updated the article with a list of 20 most popular VPNs now.




  16. Tom Stevens, March 24, 2020 at 5PM

    Disappointed to not see PIA or NordVPN in this comparison.


      1. Jan Youngren, March 25, 2020 at 7AM

        Hi Tom, we’ve updated the article with a list of 20 most popular VPNs, Nord and PIA included.




  17. Gio, March 24, 2020 at 3PM

    Great article, though did I miss it or is NordVPN not mentioned anywhere? Surely that is one of the big boys but no mention of it?


      1. Louise, March 24, 2020 at 8PM

        Yeah I thought the same thing. One of the biggest out there and it’s like it doesn’t exist.



      2. JJ Jackson, March 24, 2020 at 6PM

        Who cares if their websites have session replay scripts? You should be reviewing VPN products, not VPN websites!

        There’s loads and loads of websites with session replay scripts, not sure why you are only targeting vpn websites.



      3. Jan Youngren, March 25, 2020 at 7AM

        We’ve updated the article with a table of most popular VPN providers.



      4. Hank Hill, March 25, 2020 at 3AM

        I was wondering the same.



      5. lou, March 25, 2020 at 1AM

        I would like to know the same….nordvpn.




  18. Roger, March 24, 2020 at 2PM

    Thanks. I don’t see Private Internet Access, a longstanding and seemingly reputable VPN service, on these lists. Did I miss it?


      1. Dude McDude, March 25, 2020 at 12AM

        Same. So hopefully the admin will answer this



      2. Joe, March 24, 2020 at 11PM

        Your comment was the only reference I could find…



      3. Jan Youngren, March 25, 2020 at 7AM

        We’ve updated the article with a table of most popular VPN providers, including PIA.



      4. Dave, March 24, 2020 at 11PM

        I don’t see it either, but I believe they were recently bought by the people who own Cyber Ghost, which is on the list.



      5. Rob, March 25, 2020 at 4AM

        my question as well. I don’t see it on any of the lists. I’ve been using it for a few years now.



      6. Nick, March 25, 2020 at 12AM

        He’s saying that windscribe is safe and I read a couple months ago that they are keeping logs and sell them. Obviously he’s paid for some advertising. Sad.


