Top VPNs are recording users and potentially leaking their data when they visit their website

Jan Youngren | Security researcher
Last updated: December 1, 2020

Updated March 25, 2020

When you think about the most consumer-friendly cybersecurity tools, it’ll probably come down to antivirus programs and VPNs. Of the two, VPNs are used for their ability to get around geolocation restrictions, as well as to provide users with the utmost in security and privacy.

So it would come as a huge surprise for those users to find out that some of their favorite VPNs don’t seem to respect their users’ privacy at all.

Our research shows that VPN websites are disappointingly very similar to – and sometimes worse than – other popular websites. Of the 114 VPNs we analyzed, 102 websites had trackers on them, with 26 websites having 10 or more trackers. A lot of these trackers involve third parties that don’t have the best reputation for respecting user privacy, which can be detrimental for the user.

Even worse, they’re using session replay scripts: nearly 1 in 4 VPN websites used them to record video of how each user goes around their website, what they click, what they search for, and much more.

Luckily, the situation isn’t all bad: there are 13 websites that have absolutely no trackers on them, and 48 websites have 4 or fewer trackers on them.

But, honestly, that last accolade is simply a pat on the back. Remember, these trackers are made so that they can track your online behavior, and follow you wherever you go on the internet. Having even 1 of them on your website really defeats any argument for ultimate privacy and anonymity.

Key findings

  • 102 VPN websites have 1 or more trackers, and 26 websites have 10 or more trackers
  • There are 32 session replay scripts across the 114 VPN websites
  • 17 websites have trackers from third parties whose privacy practices are not sufficiently clear
  • 45 websites have Facebook trackers, with 39 having more than 1
  • Only 13 websites have 0 trackers on them

About this research

In order to analyze these websites, we used the freeware anti-tracker add-on Ghostery. It not only has a large list of trackers in its database, but it also conveniently provides links to these trackers’ privacy policies and various summaries of the data that’s collected and shared.

Besides looking at simply the trackers for each VPN website, we also looked through these third-party privacy policies to determine their safety or risk.

The original list contained the top 120 VPN websites, but 6 VPN websites have since gone offline. The list of VPN websites we analyzed comes from our VPNpro rankings for 2019.

The dangers of session-replay scripts

Whenever you visit a website that uses session-replay scripts, you’re probably having your session – your visit – being recorded. Session replay scripts allow website owners, marketers, sales people, and more, to see how users are interacting with their websites. We found that 26 VPN websites use session-replay scripts on their sites, with one, Avast SecureLine VPN, even using 3 different session-replay tools to record users.

The term “session-replay” comes from the ability for these tools to replay user sessions. Essentially, these tools can record all your activities when you visit their websites, including what you clicked on, what you searched for, what you entered into any forms (before you’ve even clicked on ‘submit’), and anything else you’re doing online.

And by record, we mean actually record: these session-replays are video recordings of your online behavior. Here’s footage of some video sessions you can see using one leading session-replay tool, Hotjar:

If that doesn’t sound creepy enough, Princeton security researchers found the following:

“Collection of page content by third-party replay scripts may cause sensitive information such as medical records, credit-card details, and other personal information displayed on a page to leak to the third-party as a part of the recording…This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout or registration processes.”

While some of the session-replay tools were able to redact (hide) information users entered while they were being recorded, not all tools did this. Some passwords could clearly be recorded in their research, and a lot of sensitive data could also be leaked. The researchers created a table displaying their findings, where a filled circle means that the data was excluded (redacted), a semi-filled circle indicates equivalent masking, and an empty circle means that the data is being sent directly:

Princeton security researchers' findings table

Even when there is some security put in place, the Princeton researchers found that some companies, including Yandex, Hotjar and Smartlook, all delivered playbacks of these user recordings on HTTP pages, even if the recordings took place on HTTPS pages. Because HTTP pages are unencrypted, this presents a big opportunity for MITM (man in the middle) attacks, where a hacker can easily steal all of the recording data.
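As an added illustration of the kind of check the Ghostery-based audit described above performs (this is example code written for this article, not VPNpro's tooling and not Ghostery's), the script below parses a page's HTML, lists the third-party script hosts it loads, classifies them against a small host table, and flags any session-replay script loaded over plain HTTP, which is the unencrypted condition the Princeton researchers describe. The host table, the sample page and the first-party domain `example-vpn.test` are constructed for the example; a real audit would use a maintained tracker list rather than this hand-written one.

```python
"""Audit an HTML page for third-party tracker and session-replay scripts.

Example code added for illustration; the host table below is a constructed,
hypothetical classification list, not a maintained tracker database.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed classification table (assumption: hostnames are illustrative and
# would be replaced by a maintained list such as a tracker-blocker's database).
TRACKER_HOSTS = {
    "static.hotjar.com": "session-replay",
    "rec.smartlook.com": "session-replay",
    "mc.yandex.ru": "session-replay",
    "connect.facebook.net": "advertising",
    "www.google-analytics.com": "analytics",
}


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value)


def audit_page(html, page_url):
    """Return one finding per third-party script: host, category, insecure flag."""
    page = urlparse(page_url)
    first_party = page.hostname
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        # A protocol-relative "//host/path" inherits the page's own scheme.
        if src.startswith("//"):
            src = f"{page.scheme}:{src}"
        parsed = urlparse(src)
        host = parsed.hostname
        if host is None:
            continue  # relative path: first-party script, not a tracker
        if host == first_party or host.endswith("." + first_party):
            continue  # same site or one of its subdomains
        findings.append({
            "host": host,
            "category": TRACKER_HOSTS.get(host, "unknown-third-party"),
            "insecure": parsed.scheme == "http",  # plain HTTP load, MITM-exposed
        })
    return findings


def summarize(findings):
    """Roll findings up into the three counts the article reports per site."""
    return {
        "third_party_scripts": len(findings),
        "session_replay": sum(f["category"] == "session-replay" for f in findings),
        "insecure_loads": sum(f["insecure"] for f in findings),
    }


# Constructed sample page for a hypothetical VPN provider site.
SAMPLE_URL = "https://example-vpn.test/pricing"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vpn.test/bundle.js"></script>
<script src="https://static.hotjar.com/c/hotjar-0.js"></script>
<script src="http://mc.yandex.ru/metrika/tag.js"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body><h1>Plans</h1></body></html>
"""

if __name__ == "__main__":
    results = audit_page(SAMPLE_HTML, SAMPLE_URL)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Run against the constructed page, the audit reports three third-party scripts, two of them session-replay tools, and one of those (the Yandex tag) loaded over plain HTTP. The first-party bundle and the `cdn.` subdomain are skipped, which is the same distinction the article draws between a site's own code and the third parties it invites in.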

VPN websites using session-replay scripts

Trackers and privacy violations

But there are more problems with trackers than just the vulnerabilities and lack of privacy with session-replay scripts.

There are many different types of trackers and they offer different levels of privacy. Some trackers will collect user data, but will not share anything beyond anonymous/aggregate data, and others are pretty unclear about what they share. Some are even pretty benign, in that they collect data, but share minimally, or are pretty essential for a website to function.

But there are some trackers that are plain bad, sharing personally identifiable or pseudonymous data with third parties. We’ve identified 34 different trackers that are bad for your privacy. These trackers include Taboola, Zendesk, Adroll, BlueKai and OpenX.

OpenX’s vast data collection

Let’s take the last one, OpenX, as an example. According to their privacy policy, OpenX, which bills itself as the global leader in “programmatic advertising,” may collect your age, gender, marital status, your phone information, IP address, and even your exact GPS location:

OpenX Privacy Policy tracking users

They can also share all that data with others for various purposes.

OpenX has been accused of violating consumers’ privacy in the past. The programmatic advertising company was identified as using a technique that allowed it to share data with other companies, including unauthorized third parties. Essentially, this allows multiple companies to collect user data, even without those other companies getting users’ consent under the GDPR and California’s CCPA.

BlueKai’s spotty reputation

But OpenX isn’t alone in this. Most of these riskier trackers are guilty of using the same business techniques. Take for example BlueKai, which was purchased by Oracle in 2014. BlueKai has been mentioned time and time and time again for its potential privacy violations. It’s even been named in a GDPR complaint [pdf] by Privacy International, due to the grave concerns over the “data processing activities of the data broking and adtech industry.”

In academic research [pdf] looking at BlueKai and other data brokers, the researcher identified three big problems with data brokers in terms of user privacy:

  1. The security of data storage is not sufficient
  2. Trackers sell data to other entities
  3. Ad brokers accidentally expose user data through their advertising services

The second issue is most damning. Since data brokers like BlueKai make money by collecting and selling user data, this presents a big privacy risk. That’s because while BlueKai’s privacy policy stipulates what it can and cannot do with user data, the data eventually will be subject to BlueKai’s customers’ privacy policies, which can be different from BlueKai’s.

Bluekai data broker analyzed in research paper

So while BlueKai may state that they respect your privacy when they collect your data, they may very well be selling that data to companies that don’t care about your privacy at all.

VPNs using risky trackers

What it means for VPN users

Overall, this isn’t very promising for people visiting VPN websites. Essentially, while you should expect a higher level of privacy and anonymity from these services – based on what these VPN companies are supposed to be providing – what you’ll actually find is much, much less.

VPN websites are using the same marketing tactics for which they often accuse the big names, like Facebook. In fact, 45 websites we analyzed are using Facebook trackers. That’s pretty much like talking out of both sides of your mouth, with one saying that Facebook is bad for your privacy, while at the same time stating that Facebook is good for your customers.

In the middle ground that lies between those two statements, users are losing out. With adtech firms and data brokers collecting and selling your user data, there doesn’t seem to be anything particularly private or anonymous about these VPN websites.

Luckily, there is an easy – but not perfect – solution:

  • use extensions and tools like Ghostery, which can help block many of these trackers and session-replay scripts
  • use privacy-by-default browsers like Brave
  • seriously limit what you’re doing on these websites, or avoid them completely. (If you have a question, simply email their customer support).

There are many more involved methods you can use to limit what kind of data you’re sharing with these websites, and all websites and browsers in general, but those options we listed above should work for VPN websites.

I’d like to end on a positive note, however, by listing the 20 VPN websites that are the most private for containing the least amount of trackers overall:

  1. 12VPN – 0
  2. AirVPN – 0
  3. ConfirmedVPN – 0
  4. CryptoStorm – 0
  5. Disconnect VPN – 0
  6. DotVPN – 0
  7. Mullvad – 0
  8. ProtonVPN – 0
  9. Psiphon – 0
  10. Thunder VPN – 0
  11. VIP72 VPN – 0
  12. VPN.ac – 0
  13. Zorro VPN – 0
  14. Celo VPN – 1
  15. Hideman VPN – 1
  16. IVPN – 1
  17. Seed4.Me – 1
  18. VPNReactor – 1
  19. Windscribe – 1
  20. ZenVPN – 1

What about the most popular VPNs?

If you’re not seeing your favorite VPN provider here — whether that’s NordVPN, ExpressVPN, or even PIA — that’s probably because they have neither the most nor the riskiest trackers, nor the fewest trackers.

Here’s a quick list of your 20 favorite VPN providers, and how they fare in terms of total trackers, riskiest trackers, and session replay scripts:

VPN Provider            Total no. of trackers   Risky trackers   Session replay scripts
NordVPN                 10                      0                0
Surfshark               8                       0                0
ExpressVPN              10                      0                0
CyberGhost              10                      0                1
Astrill                 7                       0                0
TorGuard                4                       0                0
Ivacy                   11                      1                1
PrivateVPN              7                       0                0
Windscribe              1                       0                0
VyprVPN                 12                      0                0
ProtonVPN               0                       0                0
Perfect Privacy         5                       0                0
PIA                     4                       0                0
IPVanish                15                      2                0
Hotspot Shield          8                       0                0
PureVPN                 10                      0                1
HideMyAss               15                      0                1
TunnelBear              5                       0                0
Avast SecureLine VPN    24                      3                3
Norton WiFi Privacy     36                      8                1

Disclaimer:
We meticulously research our stories and endeavor to present an accurate picture for our readers.  We’re also human, and if you believe we have made a factual error (as opposed to disagreeing with an opinion), please contact us so that we may investigate and either correct or confirm the facts. Please reach out to us by using our Contact Us page.

40 comments


  1. Dan Snider

    I highly recommend ProtonVPN. They are using zero trackers or replay scripts and all of their clients are open source software and have been independently audited. I’ve been a paying user ever since they first released and it’s truly a great service with good customer support. They are extremely privacy-centric and don’t store logs of your activities. They have hundreds of endpoints all over the world and really go all-in on security. Anyone using PIA or NordVPN should seriously consider using ProtonVPN instead.


  2. Alex

    NordVPN states on their webpage, that they don’t log anything.
    How can they say so, when you tested otherwise?
    Or are the 10 mentioned trackers not for userdata for something else?

    Can you please explain?

    cheers, Alex


    1. Jan Youngren (Author)

      Hi Alex,

      we’ve looked at the VPN websites, and not the services (apps) themselves.


  3. Joost Hoogendoorn

    You can add WifiMask VPN to the list of VPN’s who do not track anything.


  4. DEM

    Why are they called “VPN Websites”? I use software that creates a tunnel between my computer another endpoint somewhere in the world. I don’t go to a website. Please explain.


    1. Jan Youngren (Author)

      Hi Dem, they’re called VPN websites because this research looked exclusively at the websites of VPN providers.

      People visit websites when they first shop around for a VPN, or looking to change VPN providers. These websites can track a lot of information about the users, and it seems antithetical to the stated purpose of a VPN, which is usually absolute privacy and anonymity.

      Again, we’ve looked at the websites, and not the services (apps) themselves.


  5. Rich Kotowicz

    Jan, do you want to claim, that websites of all those VPN providers should not aim to provide best possibly user experience on their websites? Just asking, because it’s not really clear from the research above. Thanks!


    1. Jan Youngren (Author)

      Hi Rich,

      I don’t make any claims, except listing the VPN websites with the most and least trackers.

      Our claims are connected to those VPN websites with session replay scripts and “risky” trackers, which we think aren’t best for user privacy.

      I see that your stated claim is that VPN websites NEED trackers in order to “provide best possibly user experience on their websites”. As you can see, there are quite a few VPN websites (with good UX) that have zero or just 1 tracker.

      So, therefore, I think it’s possible at least to minimize trackers and maintain good user experience.


  6. Jan Youngren (Author)

    Hi guys – we’ve been getting a lot of comments and questions about the biggest names, like NordVPN, ExpressVPN, Surfshark, etc.

    The reason they weren’t included is simple: we analyzed 120 VPN providers’ websites, and listed only the best and riskiest ones in terms of trackers (since the article would be really long if we listed all VPNs we analyzed). Most likely, your favorite VPN provider wasn’t listed because they didn’t fall in either category.

    So to help you find the information you’re looking for, we’ve updated the article now to include those specific, popular VPNs.


  7. Mattias

    Feels like some of the biggest players aren’t covered at all, like the ones already mentioned.


    1. Jan Youngren (Author)

      Hi, Mattias. We’ve just updated the article with a table of most popular VPN providers.


  8. Jon

    Looking for NordVPN here too?? Gotta be one of the top ones based on SEO results, but not mentioned. Otherwise great.


    1. Jan Youngren (Author)

      We’ve updated the article with a table of most popular VPN providers.


  9. Zac Bryant

    Express VPN?


    1. Jan Youngren (Author)

      Hi Zac, the article was updated with a table of most popular VPN providers.


  10. Saige Pilgrim

    Where can we find the full list of VPNs reviewed?


    1. Jan Youngren (Author)

      Hi Saige, listing all 120 VPNs we analyzed would make for an extremely long article, but we’ve updated with a list of 20 most popular VPNs now.


  11. adam

    funny how none of the VPNs with heavy advertising campaigns like nord or tunnelbear are on either the risky or safe list. Also thought there were 102 risky vpns…def don’t see all of them listed. Wonder why.


    1. Jan Youngren (Author)

      Listing all 120 VPNs we analyzed would make for an extremely long article, but we’ve updated the article with a list of 20 most popular VPNs now.


  12. Matthew

    There is a difference between what the VPN companies do on their public facing sites vs what they do on their internal Networks for users isn’t there? That’s an important distinction.


  13. Nic

    Seems they didn’t want to upset the big players


  14. Gin

    What about Tunnel Bear?


    1. Jan Youngren (Author)

      We’ve updated the article with a list of 20 most popular VPNs, including Tunnel Bear.


  15. SamG

    Great research but it appears to be missing several popular VPN services like Nord and PIA.


    1. Jan Youngren (Author)

      Thank you for your interest, we’ve updated the article with a list of 20 most popular VPNs now.


  16. Tom Stevens

    Disappointed to not see PIA or NordVPN in this comparison.


    1. Jan Youngren (Author)

      Hi Tom, we’ve updated the article with a list of 20 most popular VPNs, Nord and PIA included.


  17. Gio

    Great article, though did I miss it or is NordVPN not mentioned anywhere? Surely that is one of the big boys but no mention of it?


    1. Jan Youngren (Author)

      We’ve updated the article with a table of most popular VPN providers.


    2. Hank Hill

      I was wondering the same.


    3. lou

      I would like to know the same….nordvpn.


    4. Louise

      Yeah I thought the same thing. One of the biggest out there and it’s like it doesn’t exist.


    5. JJ Jackson

      Who cares if their websites have session replay scripts? You should be reviewing VPN products, not VPN websites!
      There’s loads and loads of websites with session replay scripts, not sure why you are only targeting vpn websites.

      This is such an alarmist write-up!


  18. Roger

    Thanks. I don’t see Private Internet Access, a longstanding and seemingly reputable VPN service, on these lists. Did I miss it?


    1. Jan Youngren (Author)

      We’ve updated the article with a table of most popular VPN providers, including PIA.


    2. Rob

      my question as well. I don’t see it on any of the lists. I’ve been using it for a few years now.


    3. Nick

      He’s saying that Windscribe is safe and I read a couple months ago that they are keeping logs and selling them. Obviously he’s paid for some advertising. Sad.


    4. Dude McDude

      Same. So hopefully the admin will answer this


    5. Joe

      Your comment was the only reference I could find…


    6. Dave

      I don’t see it either, but I believe they were recently bought by the people who own Cyber Ghost, which is on the list.
