Top VPNs are recording users and potentially leaking their data when they visit their website
Updated March 25, 2020
When you think about the most consumer-friendly cybersecurity tools, it’ll probably come down to antivirus programs and VPNs. Of the two, VPNs are used for their ability to get around geolocation restrictions, as well as to provide users with the utmost in security and privacy.
So it would come as a huge surprise for those users to find out that some of their favorite VPNs don’t seem to respect their users’ privacy at all.
Our research shows that VPN websites are disappointingly similar to – and sometimes worse than – other popular websites. Of the 114 VPN websites we analyzed, 102 had trackers on them, and 26 had 10 or more. Many of these trackers belong to third parties that do not have the best reputation for respecting user privacy, which is bad news for the user.
Even worse, they’re using session replay scripts: nearly 1 in 4 VPN websites used them to record how each user moves around the site, what they click, what they search for, what they type, and much more.
Luckily, the situation isn’t all bad: there are 13 websites that have absolutely no trackers on them, and 48 websites have 4 or fewer trackers on them.
But, honestly, that last accolade is simply a pat on the back. Remember, these trackers are made so that they can track your online behavior, and follow you wherever you go on the internet. Having even 1 of them on your website really defeats any argument for ultimate privacy and anonymity.
Key findings
- 102 VPN websites have 1 or more trackers, and 26 websites have 10 or more trackers
- There are 32 session replay scripts across the 114 VPN websites
- 17 websites have trackers from third parties whose privacy practices are not sufficiently clear
- 45 websites have Facebook trackers, with 39 having more than 1
- Only 13 websites have 0 trackers on them
About this research
In order to analyze these websites, we used the free anti-tracker browser extension Ghostery. It not only has a large list of trackers in its database, but it also conveniently links to each tracker’s privacy policy and summarizes what data the tracker collects and shares.
Besides counting the trackers on each VPN website, we also read those third-party privacy policies to rate each tracker as safe or risky.
The list of VPN websites we analyzed comes from our VPNpro rankings for 2019. The original list contained the top 120 VPN websites, but 6 of them have since gone offline, leaving 114.
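As an added example, not VPNpro’s own tooling, the Python script below does offline, for a single page, what the Ghostery pass described above does in the browser: it collects the hosts a page loads scripts, frames and beacons from, keeps the third-party ones, matches them against a tracker catalogue, and flags session-replay vendors. The sample HTML, the catalogue (a handful of real vendor domains, nothing like Ghostery’s database) and the vendor/category labels are constructed for this example.

```python
# Added example, not VPNpro's tooling: an offline, single-page version of the
# tracker census the article describes. It collects the hosts a page loads
# scripts, frames and beacons from, keeps the third-party ones, matches them
# against a tracker catalogue and flags session-replay vendors. The sample page
# and the catalogue are constructed for the demo: real vendor domains, but only
# a handful, and the vendor/category labels are this example's own.
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed catalogue: registrable domain -> (vendor, category).
TRACKERS: Dict[str, Tuple[str, str]] = {
    "facebook.net": ("Facebook Pixel", "advertising"),
    "google-analytics.com": ("Google Analytics", "analytics"),
    "hotjar.com": ("Hotjar", "session_replay"),
    "mouseflow.com": ("Mouseflow", "session_replay"),
    "bluekai.com": ("BlueKai", "data_broker"),
    "taboola.com": ("Taboola", "advertising"),
    "openx.net": ("OpenX", "advertising"),
}

# Loader snippets (Hotjar, Google Analytics, ...) are inline JavaScript that
# injects the real <script> at runtime, so the host only appears as a string
# literal. This recovers literal absolute URLs; a URL assembled from pieces at
# runtime needs a real browser (which is why the article used Ghostery).
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


class AssetCollector(HTMLParser):
    """Collect URLs from the tags through which third-party code and beacons load."""

    URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []
        self.inline_scripts: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def registrable(host: str) -> str:
    # Simplification: last two labels. Without a public-suffix list, hosts under
    # co.uk and similar collapse to the wrong "domain".
    return ".".join(host.lower().split(".")[-2:])


def host_of(url: str) -> Optional[str]:
    if url.startswith("//"):       # protocol-relative
        url = "https:" + url
    return urlparse(url).hostname  # None for relative paths


def audit(html: str, page_url: str) -> dict:
    """Report third-party hosts on one page, split into known trackers and unknowns."""
    page_domain = registrable(urlparse(page_url).hostname)
    collector = AssetCollector()
    collector.feed(html)
    urls = list(collector.urls)
    for body in collector.inline_scripts:
        urls.extend(URL_RE.findall(body))
    hosts = {h for h in map(host_of, urls) if h and registrable(h) != page_domain}
    report = {"trackers": {}, "session_replay": [], "unknown_third_party": []}
    for host in sorted(hosts):
        hit = TRACKERS.get(registrable(host))
        if hit is None:
            report["unknown_third_party"].append(host)
            continue
        vendor, category = hit
        report["trackers"][vendor] = category
        if category == "session_replay" and vendor not in report["session_replay"]:
            report["session_replay"].append(vendor)
    return report


# Constructed sample page: a first-party script, Facebook Pixel, an abbreviated
# Hotjar loader snippet, Google Analytics, a BlueKai pixel, an unknown chat
# widget and a Taboola loader.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>(function(h,o,t,j,a,r){h._hjSettings={hjid:0,hjsv:6};r=o.createElement('script');
r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;o.head.appendChild(r);})
(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');</script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<img src="https://tags.bluekai.com/site/0?ret=html" width="1" height="1">
<link rel="stylesheet" href="/static/site.css">
</head><body>
<iframe src="//cdn.example-chat.net/widget"></iframe>
<script src="https://cdn.taboola.com/libtrc/example/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "https://www.example-vpn.com/"))
```

Two caveats a practitioner should keep in mind: the script counts vendors, whereas Ghostery counts individual trackers, so a site using two Facebook trackers shows up here as one vendor; and it only sees what the HTML literally contains, so trackers loaded by other trackers (tag managers, cookie-syncing pixels) only appear when the page is rendered in a real browser.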
The dangers of session-replay scripts
Whenever you visit a website that uses session-replay scripts, your session – your visit – is probably being recorded. Session replay scripts let website owners, marketers, sales people and others see how users interact with their websites. We found that 26 VPN websites use session-replay scripts, and one, Avast SecureLine VPN, uses 3 different session-replay tools to record users.
The term “session replay” comes from these tools’ ability to replay user sessions. They record what you do on the page: what you clicked on, what you searched for, what you typed into forms (captured as you type, before you’ve even clicked ‘submit’), and everything else you do on that page.
And by record, we mean record: the script logs the page content and your input events, and the vendor’s dashboard plays them back as a video of your visit. The footage originally embedded here showed sessions recorded with one leading session-replay tool, Hotjar.
If that doesn’t sound creepy enough, Princeton security researchers found the following:
“Collection of page content by third-party replay scripts may cause sensitive information such as medical records, credit-card details, and other personal information displayed on a page to leak to the third-party as a part of the recording…This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout or registration processes.”
Some session-replay tools could redact (hide) information users entered while being recorded, but not all of them did. In the researchers’ tests some passwords were clearly recorded, and a lot of other sensitive data could leak the same way. The researchers summarised their findings in a table in which a filled circle means the data was excluded (redacted), a half-filled circle indicates equivalent masking (the value is replaced rather than sent), and an empty circle means the data was sent to the vendor as entered.
Even where redaction is in place, the Princeton researchers found that some companies, including Yandex, Hotjar and Smartlook, delivered playbacks of these user recordings over HTTP pages, even when the recordings took place on HTTPS pages. Because HTTP is unencrypted, anyone on the network path between the site operator’s browser and the vendor’s dashboard – a classic man-in-the-middle (MITM) position – can read the recordings, and all the data they contain, in transit.
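To make two of the points in this section concrete (that input is captured keystroke by keystroke, so a form that is never submitted still leaks, and that what reaches the vendor depends on a per-field policy with the three outcomes the Princeton table labels excluded, masked and sent), here is an added toy model of a session-replay recorder in Python. It is not any vendor’s code; the field names, the `replay` attribute, the vendor defaults and the typing session are assumptions of this example.

```python
# Added example, not any vendor's code: a toy model of what a session-replay
# recorder receives from a form. It makes two points in this section concrete.
# First, the recorder snapshots a field on every input event, so a form the user
# never submits still leaks. Second, what reaches the vendor depends on a
# per-field policy, the three outcomes the Princeton table labels excluded,
# masked and sent. The field names, the `replay` attribute and the vendor
# defaults are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

EXCLUDED = "excluded"  # nothing about the field's value leaves the browser
MASKED = "masked"      # characters replaced, length and shape preserved
SENT = "sent"          # raw value transmitted


@dataclass(frozen=True)
class Field:
    name: str
    type: str = "text"
    replay: Optional[str] = None  # site-set policy attribute, if any (assumed name)


def policy_for(field: Field, vendor_default: str, excludes_passwords: bool) -> str:
    """Effective policy: an explicit site attribute wins; otherwise the vendor's
    default applies, except that some vendors special-case password fields."""
    if field.replay in (EXCLUDED, MASKED, SENT):
        return field.replay
    if field.type == "password" and excludes_passwords:
        return EXCLUDED
    return vendor_default


def mask(value: str) -> str:
    # Equivalent masking keeps length and character class, so a masked card
    # number still reveals that a 16-digit number was typed into that field.
    return "".join("0" if c.isdigit() else "X" if c.isalpha() else c for c in value)


def record(fields: Sequence[Field], keystrokes: Sequence[Tuple[str, str]],
           vendor_default: str, excludes_passwords: bool = False) -> List[Tuple[str, str]]:
    """Emulate a recorder hooked on `input` events: one snapshot per keystroke,
    with no submit ever happening. Returns the (field, value) events sent."""
    by_name = {f.name: f for f in fields}
    values = {f.name: "" for f in fields}
    events: List[Tuple[str, str]] = []
    for name, ch in keystrokes:
        values[name] += ch
        policy = policy_for(by_name[name], vendor_default, excludes_passwords)
        if policy == EXCLUDED:
            continue
        events.append((name, values[name] if policy == SENT else mask(values[name])))
    return events


def reconstruct(events: Sequence[Tuple[str, str]]) -> Dict[str, str]:
    """What the vendor's dashboard can display: the latest snapshot of each field."""
    latest: Dict[str, str] = {}
    for name, value in events:
        latest[name] = value
    return latest


# Constructed form and typing session; the user abandons the page before submit.
FORM = [Field("email"), Field("card", replay=MASKED), Field("password", type="password")]
TYPED = ([("email", c) for c in "a@b.io"] + [("card", c) for c in "4111 1111"]
         + [("password", c) for c in "hunter2"])


def leak_with(vendor_default: str, excludes_passwords: bool = False) -> Dict[str, str]:
    return reconstruct(record(FORM, TYPED, vendor_default, excludes_passwords))


if __name__ == "__main__":
    print("vendor sends by default:      ", leak_with(SENT))
    print("same, but excludes passwords: ", leak_with(SENT, excludes_passwords=True))
    print("vendor excludes by default:   ", leak_with(EXCLUDED))
```

The run with the “send by default” vendor is the case the Princeton table shows with an empty circle: the password arrives in clear, one snapshot per keystroke, even though the form was never submitted. Note that masking and exclusion are both performed by the vendor’s script inside the browser, so they only protect a field the script correctly identifies as sensitive; a site that relies on the vendor default, rather than marking its own sensitive fields, is trusting that classification.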
Trackers and privacy violations
But there are more problems with trackers than just the vulnerabilities and lack of privacy with session-replay scripts.
There are many different types of trackers and they offer different levels of privacy. Some trackers will collect user data, but will not share anything beyond anonymous/aggregate data, and others are pretty unclear about what they share. Some are even pretty benign, in that they collect data, but share minimally, or are pretty essential for a website to function.
But there are some trackers that are plain bad, sharing personally identifiable or pseudonymous data with third parties. We’ve identified 34 different trackers that are bad for your privacy. These trackers include Taboola, Zendesk, Adroll, BlueKai and OpenX.
OpenX’s vast data collection
Let’s take the last one, OpenX, as an example. According to their privacy policy, OpenX, which bills itself as the global leader in “programmatic advertising,” may collect your age, gender, marital status, your phone information, IP address, and even your exact GPS location.
They can also share all that data with others for various purposes.
OpenX has been accused of violating consumers’ privacy in the past. The programmatic advertising company was identified as using a technique that allowed it to share data with other companies, including unauthorized third parties. Essentially, this allows multiple companies to collect user data, even without those other companies getting users’ consent under the GDPR and California’s CCPA.
BlueKai’s spotty reputation
But OpenX isn’t alone in this. Most of these riskier trackers use the same business techniques. Take BlueKai, which Oracle purchased in 2014. BlueKai has been mentioned time and time again for potential privacy violations. It has even been named in a GDPR complaint [pdf] by Privacy International, over grave concerns about the “data processing activities of the data broking and adtech industry.”
Academic research [pdf] on BlueKai and other data brokers identified three big problems with data brokers in terms of user privacy:
- The security of data storage is not sufficient
- Trackers sell data to other entities
- Ad brokers accidentally expose user data through their advertising services
The second issue is most damning. Since data brokers like BlueKai make money by collecting and selling user data, this presents a big privacy risk. That’s because while BlueKai’s privacy policy stipulates what it can and cannot do with user data, the data eventually will be subject to BlueKai’s customers’ privacy policies, which can be different from BlueKai’s.
So while BlueKai may state that they respect your privacy when they collect your data, they may very well be selling that data to companies that don’t care about your privacy at all.
What it means for VPN users
Overall, this isn’t very promising for people visiting VPN websites. Essentially, while you should expect a higher level of privacy and anonymity from these services – based on what these VPN companies are supposed to be providing – what you’ll actually find is much, much less.
VPN websites are using the same marketing tactics they often accuse big names like Facebook of using. In fact, 45 of the websites we analyzed use Facebook trackers. That’s pretty much talking out of both sides of your mouth: saying that Facebook is bad for your privacy, while at the same time telling your customers that Facebook is good enough for them.
In the middle ground that lies between those two statements, users are losing out. With adtech firms and data brokers collecting and selling your user data, there doesn’t seem to be anything particularly private or anonymous about these VPN websites.
Luckily, there is an easy – but not perfect – solution:
- use extensions and tools like Ghostery, which can help block many of these trackers and session-replay scripts
- use privacy-by-default browsers like Brave
- seriously limit what you’re doing on these websites, or avoid them completely. (If you have a question, simply email their customer support).
There are many more involved methods you can use to limit what kind of data you’re sharing with these websites, and all websites and browsers in general, but those options we listed above should work for VPN websites.
I’d like to end on a positive note, however, by listing the 20 VPN websites that are the most private in that they contain the fewest trackers overall (the number after each name is its tracker count):
- 12VPN – 0
- AirVPN – 0
- ConfirmedVPN – 0
- CryptoStorm – 0
- Disconnect VPN – 0
- DotVPN – 0
- Mullvad – 0
- Proton VPN – 0
- Psiphon – 0
- Thunder VPN – 0
- VIP72 VPN – 0
- VPN.ac – 0
- Zorro VPN – 0
- Celo VPN – 1
- Hideman VPN – 1
- IVPN – 1
- Seed4.Me – 1
- VPNReactor – 1
- Windscribe – 1
- ZenVPN – 1
What about the most popular VPNs?
If you’re not seeing your favorite VPN provider here – whether that’s NordVPN, ExpressVPN, or even PIA – that’s probably because it has neither the most nor the riskiest trackers, nor the fewest.
Here’s a quick list of your 20 favorite VPN providers, and how they fare in terms of total trackers, riskiest trackers, and session replay scripts:
| VPN Provider | Total no. of trackers | Risky trackers | Session replay scripts |
| --- | --- | --- | --- |
| NordVPN | 10 | 0 | 0 |
| Surfshark | 8 | 0 | 0 |
| ExpressVPN | 10 | 0 | 0 |
| CyberGhost | 10 | 1 | 0 |
| Astrill | 7 | 0 | 0 |
| TorGuard | 4 | 0 | 0 |
| Ivacy | 11 | 1 | 1 |
| PrivateVPN | 7 | 0 | 0 |
| Windscribe | 1 | 0 | 0 |
| VyprVPN | 12 | 0 | 0 |
| Proton VPN | 0 | 0 | 0 |
| Perfect Privacy | 5 | 0 | 0 |
| PIA | 4 | 0 | 0 |
| IPVanish | 15 | 2 | 0 |
| Hotspot Shield | 8 | 0 | 0 |
| PureVPN | 10 | 1 | 0 |
| HideMyAss | 15 | 1 | 0 |
| TunnelBear | 5 | 0 | 0 |
| Avast SecureLine VPN | 24 | 3 | 3 |
| Norton WiFi Privacy | 36 | 8 | 1 |