The Lies You Are Told by VPN Companies

Kailash "QAizen" Z.

3 VPN companies who claim to stop tracking... while tracking you.

We operate in a funny marketplace. If you look at competing VPN services, you may come across conmen (some of whom are featured in the Panama Papers), hackers for hire who indulge in state-sponsored surveillance of human rights activists, cryptocurrency scammers (see more here, here, and here), and even princes! In an industry where hypocrisy and ever-waning standards of ethics are the norm, one would think that there are no more rules left to break.

But you’d be wrong. Many, dare I say most, VPN companies falsely market their products as some sort of bulletproof solution to digital prying eyes. Therefore, one would assume that tracking customers and bombarding them with ads would be the last, or second to last thing a VPN provider would do. (The last thing they should do is turn over their users’ logs like IPVanish, PureVPN and HideMyAss did).

Top 3 VPN companies that block advertising trackers... while using them.

These VPNs talk a big game about stopping trackers but use trackers themselves.

That’s a pretty bold tweet from a company that commits the very same shady and unethical practice of aggressive targeted marketing it promises to protect you against. In the past, NordVPN has even been called out by a UK-based ad regulator for its misleading claims about WiFi connections being inherently insecure (when in reality, most websites and apps these days use strong encryption standards like HTTPS and TLS by default). Besides sponsoring scores of clueless YouTube/TikTok/Instagram influencers, as well as numerous review sites, to shill its offerings to customers for cold hard affiliate cash (incentives offered are up to 100% of the sale value), NordVPN has been tracking users on its very own website.

At Windscribe, we thought it would be a fun exercise to see whether the ad, malware, and tracker blocking services offered by competing VPN companies actually blocked the ad and marketing trackers on their own websites (note: they shouldn’t exist on their websites in the first place).

NordVPN’s CyberSec (“Threat Protection”):

Take a look at NordVPN’s Threat Protection feature overview. You’ll notice that they seem to have a good understanding of what third-party trackers are and claim to “block trackers so that you can enjoy the highest level of privacy”.

Let’s put CyberSec to the test and see if they stay true to their claim!

  • Bing Ads (bat.bing.com) - Blocked.
  • Twitter Ads (static.ads-twitter.com) - Blocked.
  • Google Ad Services (www.googleadservices.com) - Blocked.
  • Google Tag Manager (www.googletagmanager.com) - Allowed.
  • Google Analytics (www.google-analytics.com) - Allowed.

Now, let's test their “Threat Protection” feature, which promises to do “everything CyberSec does and more”. Maybe there’s hope after all!

Colour me surprised, Threat Protection blocks even fewer trackers than CyberSec. Talk about going one step forward, two steps back:

  • Bing Ads (bat.bing.com) - Allowed.
  • Twitter Ads (static.ads-twitter.com) - Blocked.
  • Google Ad Services (www.googleadservices.com) - Blocked.
  • Google Tag Manager (www.googletagmanager.com) - Allowed.
  • Google Analytics (www.google-analytics.com) - Allowed.

Not only does NordVPN (intentionally) fail to stop Google Analytics and Google Tag Manager (and Bing Ads if you choose to use “Threat Protection”) from following you across the internet, it expressly tells Google (and Microsoft) that you visited NordVPN’s site, are looking to purchase a VPN, and that Google and Microsoft need to aggressively show you ads related to VPNs (more specifically NordVPN) so that the thought of purchasing NordVPN plays on your mind EVEN when you’re not actively looking to purchase a VPN service. You know those times when you search for or mention an item or a service and are then constantly bombarded by related ads? That’s exactly what is happening here, facilitated by NordVPN choosing to collude with third-party marketers. Similar associations with Facebook were noticed by users on Reddit too.

Surfshark’s CleanWeb:

Surfshark claims that CleanWeb helps you “Surf in a clean cyber ocean with no ads, trackers, malware and phishing attempts.”

Here’s how CleanWeb did:

  • Bing Ads (bat.bing.com) - Blocked.
  • Hotjar Analytics (static.hotjar.com) - Blocked.
  • Reddit Ads (alb.reddit.com) - Blocked.
  • Doubleclick (stats.g.doubleclick.net) - Blocked.
  • Google Ad Services (www.googleadservices.com) - Allowed.
  • Google Tag Manager (www.googletagmanager.com) - Allowed.
  • Google Analytics (www.google-analytics.com) - Allowed.
  • Reddit Tracking Pixel (www.redditstatic.com/ads/pixel.js) - Allowed.

Unsurprisingly, Surfshark allows Google a free pass to proverbially peek over a user’s shoulders and follow them across the far-wide internet for the same purposes mentioned before: aggressive targeted marketing to bombard your brain with why you need a VPN and why that VPN needs to be Surfshark. What’s worse, they even allow Reddit Tracking Pixel through CleanWeb. In Reddit’s own words, Reddit Tracking Pixel is “a snippet of JavaScript code, but it’s a powerful little thing: Once you’ve placed it on your website, the pixel will allow you to track actions that visitors take after seeing or clicking your ad on Reddit."

Bonus: Surfshark's Incogni

Here's Incogni's feature overview: "Thousands of companies are collecting, aggregating and trading your personal data without you knowing anything about it. We make them remove it."

Surely, a tool aimed at helping its users get their data removed from data brokers would not be tracking and profiling its current and potential customers across the internet (cooperating with the likes of Google), right?

Wrong! Under the hood, Incogni uses Google Analytics and Google Ads (via DoubleClick). Notice the "collect" call under the "Name" section corresponding to the "stats.g.doubleclick.net" domain? You guessed it! That collects your personal browsing data.

Let's see if Surfshark with CleanWeb enabled eliminates the tracking that Incogni (the product that claims to help you deal with data brokers) indulges in.

Surfshark's CleanWeb feature allows Google Analytics to function - without restrictions, might I add - on Incogni's website. Again, they are letting Google (the world's largest data broker) know about your browsing habits. Hypocrisy much?

Private Internet Access’ MACE:

PIA claims that “MACE™ blocks ads, trackers and malware”.

Let us see how MACE™ fares:

  • CloudFlare Insights (static.cloudflareinsights.com) - Blocked.
  • Trustpilot Widget / Script (widget.trustpilot.com) - Blocked.
  • Google Optimize (www.googleoptimize.com) - Allowed.

While these results are much more heartening than those of NordVPN and Surfshark, Google Optimize is still allowed through. Google Optimize helps “personalize” customer experiences, boosting returns on ad spend and providing user “insights” (fancy talk for tracking). While personalisation may sound like a good idea, it can mean differential pricing for customers in different regions. Google Optimize also performs A/B testing, and some users may not like being experimented upon without their consent.

Utopia (or at least a baseline):

Last, but not least, let’s scrutinise Windscribe’s own website:

Nada, Zilch, Zero - Windscribe uses a total of zero third-party trackers to profile its users. Every single resource on the website is self-hosted (served from ____.windscribe.com).

To be clear, we do use self-hosted and open-source Piwik (now Matomo) analytics to measure our site’s metrics in an aggregate form. This data stays with Windscribe (and the visitor’s ISP) exclusively. No personally identifiable information is ever collected and no information at all is ever shared with a third party.
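
The check behind the results above can be repeated against any site from a saved browser network capture. The following is an added example, not Windscribe's own tooling: it lists every third-party host in a HAR export and labels the tracker endpoints named in this article. The site example.com, the sample capture and the function name audit_har are assumptions, as is treating response status 0 as a blocked request.

```python
from urllib.parse import urlsplit

# Tracker endpoints named in this article: host (or host+path) -> label.
TRACKERS = {
    "bat.bing.com": "Bing Ads",
    "static.ads-twitter.com": "Twitter Ads",
    "www.googleadservices.com": "Google Ad Services",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "stats.g.doubleclick.net": "Doubleclick",
    "static.hotjar.com": "Hotjar Analytics",
    "alb.reddit.com": "Reddit Ads",
    "www.redditstatic.com/ads/pixel.js": "Reddit Tracking Pixel",
    "www.googleoptimize.com": "Google Optimize",
    "static.cloudflareinsights.com": "CloudFlare Insights",
    "widget.trustpilot.com": "Trustpilot Widget / Script",
}

def audit_har(har, site):
    """Map each third-party host in a HAR capture to a tracker label and verdict."""
    report, site = {}, site.lower()
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        host = (url.hostname or "").lower()
        # First party: the site's own domain or any subdomain of it.
        if not host or host == site or host.endswith("." + site):
            continue
        label = TRACKERS.get(host) or TRACKERS.get(host + url.path)
        # Assumption: a request blocked before completing is exported with status 0.
        loaded = entry.get("response", {}).get("status", 0) != 0
        row = report.setdefault(host, {"tracker": None, "verdict": "Blocked"})
        row["tracker"] = row["tracker"] or label
        if loaded:
            row["verdict"] = "Allowed"
    return report

# Constructed sample capture for a hypothetical site, example.com.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": u}, "response": {"status": s}} for u, s in [
        ("https://example.com/", 200),
        ("https://assets.example.com/app.js", 200),
        ("https://www.googletagmanager.com/gtm.js", 200),
        ("https://bat.bing.com/bat.js", 0),
        ("https://www.redditstatic.com/ads/pixel.js", 200),
        ("https://example.com.cdn.test/font.woff2", 200),
    ]]}}

if __name__ == "__main__":
    for host, row in audit_har(SAMPLE_HAR, "example.com").items():
        print(host, row["tracker"] or "unlisted third party", row["verdict"])
```

A site that is fully self-hosted produces an empty report; any host that appears, listed tracker or not, is a third-party resource worth explaining.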

This of course stunts the growth of our company as it severely limits the amount of information we have on our users, making it impossible for us to target them with our ads - not that we have any. At Windscribe, we have made a conscious choice to grow ethically and organically rather than trading our ethics and moral values for sponsorship-driven, affiliate-backed and unethical, but rapid, growth.

In fact, we don’t even have a dedicated marketing person, much less a marketing team. All our “marketing” efforts are undertaken by employees who actually work full-time on the product, not some random marketer who, I’m willing to wager, has never used (oftentimes never even heard of) the product they recommend to their potential customers.

Fighting Back

The best way to fight this kind of behaviour is to vote with your wallet and avoid giving your business to services built on hypocrisy. Services that promise to keep you safe from shady marketers and annoying ads shouldn't be tracking you like the shady marketers they claim to protect you from.

(Psst, VPN selection guide by our resident VPN connoisseurs available here.)

With Windscribe, you can easily eliminate targeted marketing in your browsing experience. Just turn on R.O.B.E.R.T. (go to the app - Preferences > Account > Edit Account Details > R.O.B.E.R.T.) and Bob's your uncle! ( ͡° ͜ʖ ͡°) [I’ll show myself out]. You can also customize what you want to have blocked, or create custom rules for a more bespoke experience. Since we have a total of ZERO third party trackers on the Windscribe website (meaning R.O.B.E.R.T. will be useless on windscribe.com), R.O.B.E.R.T. will block ads, trackers, and malware on the far wide internet (with no exceptions).

P.S.: Better luck next time, Surfshark! :)

Thanks R.O.B.E.R.T.! No more trackers!


