When your VPN is a matter of life or death, don't rely on reviews

If you believe that the only thing standing between you and death, abuse, persecution, or imprisonment is the VPN you're using, you must read this article now.
Written by David Gewirtz, Senior Contributing Editor

There are VPN users who use VPNs (virtual private networks) just so they can safely surf the internet from a coffee shop, hotel, or airport. Before the COVID-19 pandemic, I mostly fell into that category. There are VPN users who, as mentioned, mostly use flagship VPNs to spoof their location so they can watch blacked-out sports events or get Star Trek Discovery via Netflix instead of Paramount+.

And then there are the people I'm writing this article for: the folks for whom VPN usage is a life-or-death thing. These people are citizens in nations with oppressive regimes trying to communicate with the outside world, people who are researching health or sexuality information that could cause them to be discriminated against (or worse), people who are trying to hide their location from abusive partners or stalkers, people who are dissidents (which is not a pejorative, but a word used to describe people who are fighting totalitarian regimes and oppressive government policies), and so on.


It's these people, who I'll call the life-and-deathers, for whom this article is being written. And if you fit into this category, listen up. What I'm about to say could save your life.

VPNs generally do a few key things. They encrypt your internet traffic between your computer and a destination on the internet. If you're using a corporate VPN, it creates a secure tunnel between your machine and your company's network.

VPN services, with familiar names like ExpressVPN, Surfshark, and NordVPN, create secure tunnels between your machine and their servers -- but the connection from their servers to whatever destination server you're accessing is secured only by whatever base protocol you're using to communicate with that final server.

VPN services also purport to hide your IP address from the internet and allow you to spoof your geographical location. This is a service absolutely necessary to those concerned about their safety. Unfortunately, it is a service primarily marketed as a way for users to bypass geographic entertainment restrictions.

There are ethical and unethical reasons people use VPNs. I'm writing this to help protect ethical users, not to encourage or facilitate unethical use.

Follow the money

You may have noticed that VPN reviews are hugely prevalent all over the internet. 

This is because:

(A) There's a lot of interest in VPNs, especially now that people are working from home more often.

(B) VPN vendors pay so-called objective media outlets to promote them. This is worthy of some detailed discussion.

For most of modern history, when a company wanted to promote a product in the media, they'd use one of two mechanisms. They'd either buy ads, or they'd hire a PR firm.

The benefit of advertising is that the advertiser has complete control over the message. As long as they can afford to pay for placement, they can say (within reason) whatever they want. Ads are delineated on the page, so consumers can easily tell the difference between them and legitimate reporting.

PR is the practice of trying to convince a writer (like me) to write about a product. The benefit (to the vendor) is that PR is generally free. If I choose to write about a product because I think it's worthy in some way, the vendor isn't paying for that coverage. But... the vendor also has absolutely no control over what I might say, nor whether or not the product ever gets coverage.

There is some gray area here. While writers often purchase the items they review, many reviewers often receive the things they review for free. Companies want the attention of reviewers and their audiences. Companies can also withhold access, favoring those they know will speak positively or give their products glowing reviews. For example, I never get early access to Apple products because I've been critical of the company.

Done right, at least historically, marketing has been a mix of good advertising and good PR.

But the internet has changed that. It's now possible to track what people read, what they click on, and what they buy. That technological capability gave rise to a new form of marketing: affiliate marketing. With affiliate marketing, when you click on a link that leads you to buy a product, the seller can see your entire track of interaction. This means the seller can know where you were when you clicked that link. If you click a link on ZDNet and then buy a product on Amazon, Amazon knows that the sale came from an article on ZDNet.

If you click on a link on ZDNet (or just about any other website) that has an affiliate code and then buy from Amazon, Amazon also pays a percentage of the sale back to the originating site. The idea is that the affiliate payment encourages sites to cover products.

And it works -- very, very well. Sites get a lot of revenue (sometimes more than from advertising) from affiliate links. Many sites have full-time affiliate relationship managers who do deals with vendors for a percentage of the sales price -- and then encourage editors to write about those products.

Done right, there's no harm in this practice. But what does "done right" mean?

Done right means that editorial decisions drive coverage, not business decisions. For example, here at ZDNet, I choose what I want to cover. I get to say what I want to say about a product based on my professional experience. The commerce teams don't have any input into my objective editorial opinion. If I write a more negative review because readers deserve to be aware of product limitations, no one tells me to hide those limitations.

In our case, once I write an article, the affiliate team reads those articles and will sometimes add affiliate links. I have no insight into what deals they have or how much they make. And here's how that applies to VPNs.

I cover a lot of VPN services. I know, generally, that many of the VPN services have affiliate relationships with our commerce team. But I have zero visibility into those deals. As such, I choose the VPNs to cover and what I say entirely based on my editorial judgement. There's no bias due to business relationships.

ZDNet does financially benefit from the fact that I cover VPNs, but not from any specific VPN.

But that's not the case for all online sources of VPN reviews.

VPN companies who own VPN review sites

Last week, I discussed ExpressVPN's week of rough news. One detail: ExpressVPN was bought by Kape Technologies for nearly a billion dollars. That sale price, alone, should show you how much these VPN service companies are raking in.

See also: Trust, but verify: An in-depth analysis of ExpressVPN's terrible, horrible, no good, very bad week.

But it's worse. A year earlier, Kape (which also owns VPN vendors Private Internet Access, CyberGhost, and ZenMate) bought a company called Webselenese. This company owns the VPN review site VPNMentor. So which VPNs does VPNMentor recommend as its best of 2021? Its own: ExpressVPN in first place, CyberGhost in second, and Private Internet Access in third. That's not suspicious at all (he says sarcastically):

Source: VPNMentor.com

How valuable are reviews to VPN companies? Consider how much Kape spent on Webselenese. That amount: $149 million. If you're going to spend $149 million to control the review conversation, there's got to be a lot of money at play.

But Kape isn't the only VPN company that owns its own reviews sites. Let's spend a moment exploring J2 Global.

J2 Global launched in 1995 as the provider of the JFax faxing service. The internet was barely a thing back then, and faxing was big. Over the next decade and a half or so, J2 stayed pretty much in its lane, offering fax services under a variety of brands. Then, in 2012, it started a media acquisitions spree. In 2012, it bought publisher Ziff-Davis.

For the record, the ZD in ZDNet harkens back to the Ziff-Davis brand, but ZDNet was spun out as a separate company and hasn't been affiliated with Ziff-Davis for more than 20 years. In some ways, in fact, we're now direct competitors.

The J2 acquisition of Ziff-Davis bought the company a bunch of very familiar tech publications, including PCMag, Spiceworks, ExtremeTech, IGN, and Mashable. Then, in 2019, J2 scooped up VPN vendors SaferVPN, IPVanish, and StrongVPN.

Where VPNMentor is clearly biased in its coverage, I have to give it to PCMag.com. Of the ten best VPN services it lists on its "best of 2021" page, not one is owned by its parent company.

Source: PCMag.com

Even so, we've now identified that many of the top VPNs are owned by the same companies that own the top VPN review sites. Conclusion: If you're putting your life on the line, you might not want to trust these sites for unbiased reviews.

What should you do?

Even unbiased reviews like those I produce aren't enough to rely upon if you're a VPN life-and-deather. I put in about a week of testing per VPN, and I test from here in central Oregon. I can't travel all around the world and test how safe and secure a given VPN service is when used, for example, in the UAE instead of Oregon.

For those who haven't been following along through all my VPN guides, VPN usage in the United Arab Emirates is illegal and could get you sent to jail or fined up to the UAE equivalent of $500,000.

While a professional reviewer might be able to provide a relatively comprehensive review of one VPN he or she lives with over the course of a few years, no reviewer is going to be able to spend months of time testing each and every one of an entire set of VPNs. It's just not practical or possible. So no matter which reviews you read, the test results are going to be limited to what could be practically tested by the reviewer in question.

If your life is at stake, these tests are too limited. Period.

I'd recommend you dive much deeper into this tool you're going to be depending on. First, read this excellent guide just recently put out by the NSA and CISA. A lot of it is designed for corporate networks, but the protocol discussion is first-rate.

Second, seek out others in your life-and-deather community. Folks who have dealt with the same kind of security challenges and risks will have a better experience than some other reviewer who only theoretically walks in your shoes. Read forums. Read user reviews. Read a lot.

And, third, get to know how VPNs work on a technical level. Here's a Digital Ocean article that gets you started running your own VPN server. But don't stop with just one article. If your life is dependent on this technology, learn.

Take courses on computer security. Learn everything you can on how data moves on the internet. Coursera, for example, offers free in-depth university-level classes. The only time you have to pay is if you want the credential. But if you're more concerned about your personal security than your resume, you can learn a tremendous amount and not spend anything.

My bottom line for all of this is simple: There are ways you can learn enough to create a safer situation for yourself. Just quickly scanning product reviews tells you very little about the best way to stay alive and safe.
