Shattering the Grand Illusion of Cookie Flavored Lies
Technical

Shattering the Grand Illusion of Cookie Flavored Lies

Yegor Sak
Yegor Sak

I had written an article some time ago on the hypocrisy of the VPN industry as a part of our market research efforts when building Windscribe. Well, it’s been 4 years since then, and I thought it would be good to revisit our findings and see if anything has changed.

Hint: Not much has changed, in fact, everything has gotten arguably worse. Just like housing prices!

First, let’s take a look at the homepages of the “top” VPN companies that have high rankings on pretty much all of the VPN Review websites out there. For this exercise, we will be using Chrome DevTools and the Sources Tab in order to see the number of unique domains that are requested when you load the homepages of these VPN providers.


1. CyberGhost

Wow. This is very impressive. It’s like they tried to go out of their way to make sure you’re tracked by as many services as humanly possible. Not even Amazon packages get tracked this much.

If you look at the numbers from 4 years ago Cyberghost went from being one of the best, to literally the worst.

Tracking 3rd party domains:

  • Twitter Analytics
  • Bing Analytics
  • Mixpanel Tracking
  • TrustPilot Tracking
  • Facebook Analytics
  • Impact Radius Tracking
  • VVO Tracking
  • Hexagon Data Tracking
  • Brand Mentions
  • Yahoo Analytics
  • Cloud Helpdesk
  • Cloud Live Chat
  • Clickcease Tracking
  • Google Adwords
  • Google Analytics

2. IPVanish

IPvanish comes in 2nd place, almost as “impressive” as Cyberghost, so it earns the coveted “Almost as bad as Cyberghost” trophy.

Tracking 3rd party domains:

  • Quara
  • Bing Analytics
  • Sift Science Analytics
  • Facebook Analytics
  • Hexagon Data Tracking
  • LinkedIn Analytics
  • Cloud Live Chat
  • Cloud Helpdesk
  • TrustPilot Tracking
  • Google Adwords
  • Google Analytics
  • Upsellit Tracking

3. PureVPN

Coming in third, we have PureVPN, or PureShitVPN as some people call it.

Tracking 3rd party domains:

  • Cloud Live Chat
  • Sift Science Analytics
  • Facebook Analytics
  • Hexagon Data Tracking
  • Wisepops
  • Hotjar Tracking
  • Trust Pilot Tracking
  • Google Adwords
  • Google Analytics

4. Hotspot Shield

In fourth place, also known as 1st place for losers, is HotSpot Shield. Not much else needs to be said here.

Tracking 3rd party domains:

  • Bing Analytics
  • Sentry Tracking (ravenjs)
  • Facebook Analytics
  • Cloud Helpdesk
  • Cloud Live Chat
  • Google Adwords
  • Google Analytics

5. NordVPN

Coming in at an unusually low position, is NordVPN. They refused to pay us for a higher spot. 
Nord Lawyer: This is satire.

Tracking 3rd party domains:

  • Twitter Analytics
  • Bing Analytics
  • Cloud Live Chat
  • Google Adwords
  • Google Analytics
  • Youtube

6. ExpressVPN

And in 6th place we have ExpressVPN. Bless their hearts, they are only using three trackers. Allow us to express our dissatisfaction! Ba dum tss.

Tracking 3rd party domains:

  • Facebook Analytics
  • Google Adwords
  • Google Analytics

7. PrivateInternetAccess (PIA)

Coming in dead last is PrivateInternetAccess. Huge improvement since the last time we did this. Only 2 trackers. That’s 2 more than necessary, but who’s counting? Oh right, we are.

Tracking 3rd party domains:

  • New Relic Tracking
  • Google Analytics

Why they do this

Average VPN ad

You may be thinking, “Wait a sec, aren’t these companies promising to eliminate online tracking and keep me anonymous online? Why are they being such hypocrites?” Well, the answer has to do with marketing.

All of the VPNs I mentioned above spend an obscene amount of money on marketing. Maybe even more than Kim Jong Un spends on cognac and “Kim Jong is number 1” mugs. This is why you find them in the “Top 10 VPNs” list on virtually all VPN Review (marketing) sites. When a user clicks through to the VPN provider’s website, they get stuffed with so many cookies, the Cookie Monster would have overdosed. These cookies track the users for several reasons:

  • Optimize their sales funnel
  • A/B testing
  • Fraud prevention
  • Re-targeting
  • Because internet cookies are a calorie-free way to enjoy cookies without eating actual cookies.

That last one is basically a joke. But the one before that that (re-targeting) basically means that you will be followed and targeted by Google, Facebook and dozens of other shady data-brokers across their ecosystems. This is done so that they can keep showing you the same ads for the same VPN services until you have a nervous break down and buy the damn thing and rid yourself of said annoying ads. This is equivalent of a pest control company releasing cockroaches into your home on daily basis and then coming by every day to offer you their services. Except when the victim eventually does buy the service, it doesn’t do what was promised.

Most of these 3rd party trackers will leave cookies in your browser. Even after you purchase a VPN and connect to a server, the cookies will persist and your browsing activities can be linked, even though you’re using a VPN. Here is an example of cookies that will remain in your browser after visiting Cyberghost.

So All hope is lost?

Well, not quite. The services I mentioned in the previous article stayed true to their word, and continue not to track their website visitors, at least not using any 3rd party platforms. These providers include:

  • AirVPN
  • Mullvad
  • IVPN
  • …. oh, and Windscribe too, now that it exists.

However you won’t find these VPNs on most “Top 10” lists because they don’t have an Affiliate Program. Windscribe currently does have one, but that will likely change in the future, so keep an eye out for us disappearing from most of these snake oil peddling websites.

  • UPDATE: Windscribe affiliate program was terminated as of January 1st 2021.

Yegor Sak
Yegor Sak