It's no secret that there are oodles of shady VPN services that promise to protect your privacy as you surf the internet, but may, in fact, actually be worthless. After all, internet privacy is one part moving target and two parts shell game with your money and trust, so no one's surprised that the post-Snowden privacy panic turned into a gold rush for the unscrupulous.
One method VPN providers use to bilk trusting customers is to do shady things with customer records. We've also seen them misconfigure critical security settings, de-anonymize customers, and only take action when caught.
Now there's a new problem: VPNs that say you're connecting to a server in one country while actually routing your traffic through another. RestorePrivacy recently took a close look at what some VPNs are saying when they give you a server in another country, versus what they're actually doing when they connect users. And the two aren't matching up.
Many popular VPN services let users pick which country (or city) their traffic routes through, showing the destination that you're coming from as, say, London when you're actually in Paris. This can be practical when you're a Brit traveling abroad and just want to watch your BBC shows, or want to keep your IP address consistent so social media sites like Facebook don't freak out when you log in while on the go.
In addition to these issues, RestorePrivacy pointed out that VPN performance suffers when the actual server is significantly farther away than you expect it to be. In its post they pointed out an additional issue -- that customers "aren't getting the true server locations they paid for" and that "using fake server locations raises questions about the VPN's honesty."
It can be disastrous for people's safety if a server that's supposed to be in Saudi Arabia is actually in Los Angeles, California -- which is a real example of bait-and-switch claims RestorePrivacy found in their VPN server claim research.
RestorePrivacy looked at VPN services ExpressVPN, Hidemyass, and PureVPN.
These are popular services used by tens of millions of people. ExpressVPN was listed by TechRadar as one of the best VPN services of 2017, and is endorsed by Geek.com. Hidemyass got a big, positive profile in The Guardian, serves tens of millions of users, and was recommended in 2016 by PCWorld as a "tested" service that protects your privacy. PureVPN was listed in Extreme Tech's recent "5 best VPNs" list, and the service is endorsed by BoingBoing who hails it as "the world's fastest VPN."
Each of the services were found to be saying one thing to customers about server locations, while in practice actually doing something totally different.
With ExpressVPN they found 11 fake server locations; they identified 5 fake server locations with PureVPN but said "there are many more." Regarding the Hidemyass claim of "physical servers in 190+ countries," RestorePrivacy's post countered saying if users believe that, "I have a bridge to sell you."
In addition, "Upon closer examination of Hidemyass's network, you find some very strange locations, such as North Korea, Zimbabwe, and even Somalia." They wrote:
Hidemyass refers to these fictitious server locations as "virtual locations" on their website. Unfortunately, they do not have a server page available to the public, so I could not test any of the locations. The Hidemyass chat representative I spoke with confirmed they use fake "virtual" locations, but could not tell me which locations were fake and which were real.
A week after RestorePrivacy's post called them on it, ExpressVPN "admitted to numerous fake locations on its website (mirror) – 29 fictitious locations in total," they wrote. "Just like PureVPN and Hidemyass, ExpressVPN refers to these as "virtual" server locations." ExpressVPN was telling customers they could use servers in Pakistan, Sri Lanka, Philippines, Indonesia and more, when RestorePrivacy found that customers were actually being routed through one server located in Singapore.
RestorePrivacy said they believe the reasons for improper server location identification are financial. "First, it saves lots of money." They explained, "Using one server to fake numerous server locations will significantly reduce costs. (Dedicated premium servers are quite expensive.)" A service can also sell more VPN subscriptions if it looks like there's a huge variety of countries to choose from.
ExpressVPN told Engadget in a statement:
With the vast majority of ExpressVPN locations, the physical server and the registered IP address are located in the same country. This describes 97% of ExpressVPN's servers, as we have invested in a significant physical footprint covering every continent save Antarctica.
For less than 3% of ExpressVPN's servers, the registered IP address matches the country you've chosen to connect to, while the server is physically located in another country, usually nearby. These are called virtual server locations, and they help ensure your connection is fast, secure, and reliable.
The post goes into deep details about each service's claims, what RestorePrivacy found, and how they did their research. For every VPN server examined, three different network-testing tools were used "to verify the true location beyond any reasonable doubt." Those included the CA App Synthetic Monitor ping test (tests from 90 different worldwide locations), the CA App Synthetic Monitor traceroute, and Ping.pe, a test from 24 locations around the world. All of their test results are published in an appendix to the blog post.
The research recommended users toward "smaller VPN services that have fewer locations, but prioritize the quality of their server network, such as Perfect Privacy and VPN.ac." As you may remember, Perfect Privacy was the service that found and reported the massive privacy hole in several popular VPN services that de-anonymized users, called "Port Fail."
With the tools and info in RestorePrivacy's article and a little technical know-how, you can exhaustively test your VPN service to see if they're telling the truth about server location (or not). Sometimes you can just tell something's wrong when your Google results are in the wrong language -- showing that Google is seeing you come from a location you didn't expect.
Maybe you don't care where your VPN's server really is, just as long as it's a secure service and your privacy is maintained. But for some people, honesty and accuracy about location is critical to the functions of their VPN service in the first place.
In the wider context, RestorePrivacy's post and this article resets the growing distrust in people's minds about security, privacy, and VPNs. It's unfortunate, because we really need most people to start using VPNs if we're going to elevate everyone's security and privacy (and it doesn't help with behavior-influencing, large companies like Netflix blocking VPNs across the board).
I just hope that calling out fake server locations -- whether the labeling is just incorrect or opportunistic -- changes the conversation among VPN providers to on that focuses more on accountability than profits.
Is your VPN lying to you?
RestorePrivacy testing is here
VPNs are Using Fake Server Locations | RestorePrivacy
One method VPN providers use to bilk trusting customers is to do shady things with customer records. We've also seen them misconfigure critical security settings, de-anonymize customers, and only take action when caught.
Now there's a new problem: VPNs that say you're connecting to a server in one country while actually routing your traffic through another. RestorePrivacy recently took a close look at what some VPNs are saying when they give you a server in another country, versus what they're actually doing when they connect users. And the two aren't matching up.
Many popular VPN services let users pick which country (or city) their traffic routes through, showing the destination that you're coming from as, say, London when you're actually in Paris. This can be practical when you're a Brit traveling abroad and just want to watch your BBC shows, or want to keep your IP address consistent so social media sites like Facebook don't freak out when you log in while on the go.
In addition to these issues, RestorePrivacy pointed out that VPN performance suffers when the actual server is significantly farther away than you expect it to be. In its post they pointed out an additional issue -- that customers "aren't getting the true server locations they paid for" and that "using fake server locations raises questions about the VPN's honesty."
It can be disastrous for people's safety if a server that's supposed to be in Saudi Arabia is actually in Los Angeles, California -- which is a real example of bait-and-switch claims RestorePrivacy found in their VPN server claim research.
RestorePrivacy looked at VPN services ExpressVPN, Hidemyass, and PureVPN.
These are popular services used by tens of millions of people. ExpressVPN was listed by TechRadar as one of the best VPN services of 2017, and is endorsed by Geek.com. Hidemyass got a big, positive profile in The Guardian, serves tens of millions of users, and was recommended in 2016 by PCWorld as a "tested" service that protects your privacy. PureVPN was listed in Extreme Tech's recent "5 best VPNs" list, and the service is endorsed by BoingBoing who hails it as "the world's fastest VPN."
Each of the services were found to be saying one thing to customers about server locations, while in practice actually doing something totally different.
With ExpressVPN they found 11 fake server locations; they identified 5 fake server locations with PureVPN but said "there are many more." Regarding the Hidemyass claim of "physical servers in 190+ countries," RestorePrivacy's post countered saying if users believe that, "I have a bridge to sell you."
In addition, "Upon closer examination of Hidemyass's network, you find some very strange locations, such as North Korea, Zimbabwe, and even Somalia." They wrote:
Hidemyass refers to these fictitious server locations as "virtual locations" on their website. Unfortunately, they do not have a server page available to the public, so I could not test any of the locations. The Hidemyass chat representative I spoke with confirmed they use fake "virtual" locations, but could not tell me which locations were fake and which were real.
A week after RestorePrivacy's post called them on it, ExpressVPN "admitted to numerous fake locations on its website (mirror) – 29 fictitious locations in total," they wrote. "Just like PureVPN and Hidemyass, ExpressVPN refers to these as "virtual" server locations." ExpressVPN was telling customers they could use servers in Pakistan, Sri Lanka, Philippines, Indonesia and more, when RestorePrivacy found that customers were actually being routed through one server located in Singapore.
RestorePrivacy said they believe the reasons for improper server location identification are financial. "First, it saves lots of money." They explained, "Using one server to fake numerous server locations will significantly reduce costs. (Dedicated premium servers are quite expensive.)" A service can also sell more VPN subscriptions if it looks like there's a huge variety of countries to choose from.
ExpressVPN told Engadget in a statement:
With the vast majority of ExpressVPN locations, the physical server and the registered IP address are located in the same country. This describes 97% of ExpressVPN's servers, as we have invested in a significant physical footprint covering every continent save Antarctica.
For less than 3% of ExpressVPN's servers, the registered IP address matches the country you've chosen to connect to, while the server is physically located in another country, usually nearby. These are called virtual server locations, and they help ensure your connection is fast, secure, and reliable.
The post goes into deep details about each service's claims, what RestorePrivacy found, and how they did their research. For every VPN server examined, three different network-testing tools were used "to verify the true location beyond any reasonable doubt." Those included the CA App Synthetic Monitor ping test (tests from 90 different worldwide locations), the CA App Synthetic Monitor traceroute, and Ping.pe, a test from 24 locations around the world. All of their test results are published in an appendix to the blog post.
The research recommended users toward "smaller VPN services that have fewer locations, but prioritize the quality of their server network, such as Perfect Privacy and VPN.ac." As you may remember, Perfect Privacy was the service that found and reported the massive privacy hole in several popular VPN services that de-anonymized users, called "Port Fail."
With the tools and info in RestorePrivacy's article and a little technical know-how, you can exhaustively test your VPN service to see if they're telling the truth about server location (or not). Sometimes you can just tell something's wrong when your Google results are in the wrong language -- showing that Google is seeing you come from a location you didn't expect.
Maybe you don't care where your VPN's server really is, just as long as it's a secure service and your privacy is maintained. But for some people, honesty and accuracy about location is critical to the functions of their VPN service in the first place.
In the wider context, RestorePrivacy's post and this article resets the growing distrust in people's minds about security, privacy, and VPNs. It's unfortunate, because we really need most people to start using VPNs if we're going to elevate everyone's security and privacy (and it doesn't help with behavior-influencing, large companies like Netflix blocking VPNs across the board).
I just hope that calling out fake server locations -- whether the labeling is just incorrect or opportunistic -- changes the conversation among VPN providers to on that focuses more on accountability than profits.
Is your VPN lying to you?
RestorePrivacy testing is here
VPNs are Using Fake Server Locations | RestorePrivacy
Last edited:
