Can a commercial VPN still offer true privacy?

Yegor Sak

Another month, another merger. NordVPN just announced that it's merging with Surfshark to create a new company called "Cyberspace" (geez, did my Grandma name this?) to be based out of the Netherlands.

It looks like folks at NordVPN/NordSecurity/Cyberspace are taking the whole "proxy" idea a little too seriously, albeit in a completely wrong context: now you've got a Lithuanian company, registered in Panama, owned by a Dutch corporation. Wait a second, isn't the Netherlands technically part of the "{random_integer} Eyes Alliance" that every VPN review site claims to be worse than cancer? I guess it doesn't make as much of a difference as SEO marketers will lead you to believe...

Anyone following these two companies closely probably noticed similarities between Nord and Surfshark years ago.

Yeah, I cited myself. Deal with it. The similarities don't stop here, however. If you look at the OpenVPN configs for both Nord and Surfshark, you will find them freakishly similar, almost as if they have been copying each other/collaborating for years.

Surfshark on the left, Nord on the right

You're probably no stranger to Nord and Surfshark's marketing tactics either. They sponsor every popular YouTuber out there to hawk VPN services while making unfounded and outright false claims about the capabilities of their product (or any VPN, for that matter). These two companies, alongside ExpressVPN, are single-handedly responsible for supplying all of your favourite YouTubers with 6+ figure incomes to sell you snake oil.

So what does the consumer VPN market look like right now? Let's pretend that it's the 90's in the US Internet Service Provider space. Dozens of ISPs are popping up and competing against each other on service and quality. Slowly but surely, these companies start buying each other up and consolidating, leading up to the present day where we are left with Comcast, Charter and Verizon. Name one person who is happy with the service they receive from any of those companies. The same is true in Canada, where we have the Rogers and Bell oligopoly. The only thing worse than our telecom industry is our banking system, but you probably don't have all day to hear me rant about that.

Now back to the VPN consumer market. It's effectively identical to the ISP analogy above:

  • Cyberspace - Owns NordVPN, Surfshark
  • Kape Technologies - Owns ExpressVPN, Cyberghost, PrivateInternetAccess, Zenmate as well as VPNMentor (a top VPN "review" site)
  • j2Global - Owns IPVanish, StrongVPN, ibVPN, SaferVPN, Encrypt.me, BufferedVPN along with a large number of tech publications

This leaves a very slim list of independently owned and transparently operated companies. A list that will, most likely, continue shrinking in size in the future. So why is this bad?

Choice (or lack of it)

Most people who use VPNs are oblivious to who owns and operates them, and this is by design. Many VPN companies hide behind complex corporate structures that span continents, falsely claiming that this is to protect end-user privacy. In truth, they are doing this for two entirely different reasons: the first is to avoid taxes. The second is to make it difficult for the average consumer to know which VPN companies are owned by the same parent company. When you decide you don't want to waste your hard-earned money on their service, you will attempt to cancel it (assuming you can successfully navigate the maze that is the cancellation process) and find a replacement. Then you might hit up your favorite VPN "review" site for advice, or you'll see a VPN ad on your favorite YouTube channel that ranks gerbils based on cuteness, both of which will point you to an amazing alternative. An alternative that happens to be owned by the same company. And so you're back where you started without even knowing it.  

You think that's it? It isn't. Since the aforementioned companies likely spend more on marketing than they do on operations (which is why you see them being advertised everywhere), you can be sure that they fully intend to make use of all the trackers they have on their websites. This ensures that their ad spend goes farther in the attempt to recapture churning users. They use a marketing technique known as 're-targeting', which requires companies to upload personal user data (emails) to the likes of Google and Facebook (you know, the companies they claim to protect you from), so that their VPN ads can follow you around the internet. Canceled NordVPN? Get ready to have dreams about surfing sharks when you sleep.

Is that all you've got?

Companies merging is not always bad (but usually is), as it allows them to eliminate redundancies, consolidate expenses, and have a bigger war chest when it comes to R&D, hiring and marketing. Unfortunately, in the VPN world, it usually just means more money for marketing.

But wait, there's more! The latest troubling trend making headway in the VPN space is companies offering unrelated products entirely outside of the scope of privacy. Many VPN companies are launching new "security" products in the following areas:

  • Password managers
  • Personal cloud storage
  • Email

These are essentially clones of already established and vetted tools that you should be using instead. I will leave it to the reader to do their own research into which products will suit their needs best.

But wait, aren't all of these services quite literally a collection of your most private information and intimate communications? It doesn't get more personal than a company having possession of all your passwords, credit card details and those drunken emails you sent to your ex. All of this is under the same umbrella of a company structured like a Russian nesting doll that spans 3 time zones.

Furthermore, services like email, password managers and cloud storage have completely different privacy policy requirements than a VPN does. While a VPN should never log your IP address when you use it, having the same policy for a password manager, email, or cloud storage provider would be ludicrous. These services contain highly sensitive data and require IP addresses to be stored for security purposes in order to prevent unauthorized access to your account - and alert you in case your account/personal data has been accessed using a new device. Storing IP info is not required for a VPN, and a good VPN wouldn't store any personal data to begin with, so there should be nothing for a potential attacker to steal in the first place (although you should still secure your VPN account with MFA).

A single company should not have access to all of the "keys to the kingdom" of your personal life and all of your online activities. Especially a company with such a checkered past and a corporate structure that makes Google and Apple jealous in terms of how little tax they probably pay.

How is Windscribe different?

Since this is a Windscribe blog, and at the end of the day I am trying to sell you on our product, this section shouldn't feel out of place, and I'll keep it purposely short.

  • Windscribe is 100% privately owned by the founding team and employees
  • We're registered in Ontario, Canada
  • We pay income taxes in Canada - over 35% of our profits (most of which probably ends up as Doug Ford's food budget)
  • We will continue to build privacy tools that work together to enhance your level of privacy online (No password managers, cloud storage, email, or TikTok clones)
  • You can use all our products for free, forever (albeit with some limitations since bandwidth does cost money)
  • You can pay for our products and cancel subscriptions with just two clicks
  • We won't follow you around the Internet with our ads (since we don't advertise) and have you wake up in a cold sweat thinking about "military grade" Scribes writing haikus about the Wind

Stay safe (and educated) out there.

