Who owns your data? A VPN Relationship Map
The who's-fucking-who of VPNs, Media Companies, and Corporations. 
Technical


Daniel Sobey-Harker
Kailash "QAizen" Z.
Database

The relationship between corporate VPNs and Paid Affiliates, and who really owns your data.  

"This map is my best approximation of charting the relationships between VPN companies, media companies, and affiliate programs."
@sobeyharker

The 2022 VPN Industry Relationship Map 1.0

Take me to the full map (Third-party website).


What am I looking at?

This beauty right here is every proven relationship between media companies, content sites, corporate VPNs, and independent VPNs that I could find - and it's only the 1.0 version. I hope to map and track other information that might prove useful to people with the help of more contributors in the 2.0 version.

KEY


Red - Corporate Relationship & Ownership
Orange - Paid Relationship or Paid Affiliates (Dashes)
Blue - Cooperation or Partnership (These companies may share staff, resources, networks, or facilities with one another).
Purple - Corporate Media Relationship & Ownership
Brown - Legal Dispute

Hover over nodes to highlight relationships
Use right-click to focus on select areas


7 Observations about the VPN Industry

Here are a handful of things I noticed or want to highlight as they're interesting or simply messed up (there are many more, but for the sake of brevity these are the ones that stood out to me).

#7 - SurfShark Windows & Linux GUI reading/writing to local machines in plain text.

The clients leave local logs on machines, readable by all, containing the email, payment type, card identifiers and providers, as well as other identifiable information.

Why is this an issue? To put it simply, it leaves a very easy to find log with details about the user. With Windows you can read the user's service login and make new connections with it, thus hijacking the user's account for VPN usage. This goes for Manual IKEv2 and OpenVPN connections.

All it takes is an unattended machine for someone to boot another OS on and grab the file, or to take it via a remote access trojan.

Oh, and it's also visible to all users. Oof. Discord.gg/VPN sum it up better than I can.

Not cool guys, not cool. 
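If you want to check a client's log directory on your own machine for this kind of leak, here is an added example (not SurfShark's code and not from the original research). It flags files that contain identifying data and reports whether other local users can read them; the field names and sample log lines are hypothetical, since the actual log format isn't shown here.

```python
import os
import re
import stat
import tempfile

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Hypothetical field names: the page does not show the client's log format.
FIELDS = re.compile(r"\b(payment_type|card_id|card_provider|password)\b\s*[=:]", re.I)

def audit_logs(root):
    """Find files under root holding identifying data, and note who can read them."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, errors="replace") as fh:
                    text = fh.read(1_000_000)  # cap the read on large logs
            except OSError:
                continue  # file could not be opened: nothing to report
            kinds = {m.group(1).lower() for m in FIELDS.finditer(text)}
            if EMAIL.search(text):
                kinds.add("email")
            if kinds:
                findings.append({
                    "file": name,
                    "kinds": sorted(kinds),
                    # POSIX "other" read bit; on Windows check the file ACL instead
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return findings

def demo():
    """Run the audit over a constructed log directory (sample data, not real client output)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "client.log": ("user=alice@example.com payment_type=card card_provider=visa\n", 0o644),
            "locked.log": ("password: hunter2\n", 0o600),
            "debug.log": ("tunnel up, mtu 1420\n", 0o644),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_logs(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A file that shows up with `world_readable` set is the bad case: identifying data in plain text that any local account can read. Even the owner-only file is still exposed to someone who boots another OS, unless the disk is encrypted.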

#6 - How much do VPNs pay their affiliates? How much can affiliates earn?

ExpressVPN $13 - $36 per conversion. Up to 90 days tracking via cookies.

NordVPN pay 30% commission on all plans sold with up to 30 days tracking via cookies.

Private Internet Access pay 33% commission on all plans sold with up to 30 days tracking via cookies. Commission can be earned for recurring payments and not just new sign-ups.

PureVPN pay 30% commission on all plans sold with up to 90 days tracking via cookies.

OVPN pay 30-50% commission on all plans sold with up to 30 days tracking via cookies.

TorGuard pay 30% commission on all plans sold with up to 60 days tracking via cookies.

Norton LifeLock pay 32% commission on all plans sold with up to 30 days tracking via cookies.

Avast pay 35% commission on all plans sold with up to 60 days tracking via cookies.

VuzeVPN pay 50% commission on all plans sold with up to 30 days tracking via cookies.

SurfShark pay 40% commission on all plans sold with up to 30 days tracking via cookies.

TunnelBear pay 50% commission on all plans sold with up to 45 days tracking via cookies.

Source

It's a shame many sites that I asked about their affiliate rates did not get back to me. It seems no one wants to admit just how much they're being paid to promote these VPNs.

So let's napkin math this bad boy. We'll go with NordVPN, seeing as they have one of the most aggressive affiliate programs worldwide.

A single sale of their popular 2-year plan nets an affiliate site $28.73 per conversion. The industry average for conversion rates for an affiliate site is around 0.5% - 1.0%. Nord hints at a much higher one in their marketing materials, but we'll use 0.5% for now.  

If we look at a popular affiliate site that runs multiple affiliates like Kape Technologies' Safety Detectives, which has 3.1M hits a month, we can guesstimate a rough payout.

0.5% of 3.1M = 15,500
15,500 x $28.73 = $445,315

We should account for the fact that a lot of their users may be visiting for informational purposes and not for commercial ones. Their bounce rate on SimilarWeb suggests that 73.86% of visitors visit one page before leaving. Let's say they're not buying (even though they are potentially converting off a single landing page).

73.86% of 3,100,000 = 2,289,660. That leaves us with 810,340 visitors who at least check another page before leaving.

0.5% of 810,340 = 4,052
4,052 x $28.73 = $116,413.96

Let's be honest, it was never really a mystery why Kape bought Webselenese: gaining control over Safety Detectives and VPNMentor seems like a safe and profitable investment for a VPN company like ExpressVPN.

#5 NordVPN potential class-action lawsuit

NordVPN is currently facing a potential class-action lawsuit by Wittels McInturff Palikovic. The cause? Their utterly dismal cancellation process is so bad it's criminal according to WMP.

WMP ask NordVPN customers who faced such issues to contact them at [email protected].

Stealth recurring payments are sneakily on the rise - as always - and NordVPN are apparently pushing their luck, to a degree where they compromise ethical and legal standards.

WMP have won cases on behalf of victims of sexual discrimination at Dell, overtime class-action with AT&T, and unpaid internships.

Courtesy of @Winder on discord.gg/vpn

#4 VPNs cause murders, say Hollywood (Well, two-dozen studios at least).

VPNs are frequently under attack by various bodies motivated typically by profit or control. Most commonly dictators, censors, and authoritarian governments that wish to limit VPN access for political reasons.

Enter Hollywood with a spicy new hot-take and novel accusation.

“Defendants’ end users use their VPN services not only to engage in widespread movie piracy, but other outrageous criminal conduct such as harassment, illegal hacking and murder,” reads the lawsuit - Source
Chill the fuck out, Hollywood.

Personally, I like how this feels like they put digital piracy on the same level as murder. I just had to throw this one in for fun, it felt like it was getting a bit too serious here.

#3 Corporate VPNs will use influencers (YouTube, TikTok) to make claims they legally cannot.

The authors of this study kindly gave us access immediately after it passed review. Legends.

Misrepresenting what part of the threat model a VPN can cover can potentially endanger people, as we've seen with various VPNs giving up hackers over the years, and ...well ...a student who typed up some protestor admin tips.

"Delhi Police in a press conference confirmed that some of the key evidence they have against Disha Ravi, a 21-year-old climate activist supporting farmers' protest and who has been arrested, comes from Google."

"Investigating Influencer VPN Ads on YouTube"

This is a clear study regarding how VPN corporations utilise YouTubers to make claims beyond what a VPN can reasonably provide. It's an interesting read that will improve your understanding of just why VPNs are absolutely everywhere on the platform. I highly recommend giving it a gander.

On the right you can see the worst of the bunch for overpromising. 

I'm of the opinion that many affiliate campaigns by VPNs are to alleviate the legal responsibilities of accurately representing their products. Influencers making skits or references to VPNs have weirdly warped a lot of people's understandings of just what VPNs can do. We're not fans of how affiliate marketing works. We don't go in for that. It also highlights not only the huge sums of money moving through YouTube affiliate programs, but the scale of those involved.  

#2 Content sites that are paid affiliates NEVER* suggest a non-affiliate over a paid affiliate.

It probably shouldn't be a surprise, but websites that engage in affiliate promotions never suggest a non-affiliate over one of their paid affiliates. Articles utilise fluffy criteria or move the goalposts to ensure the affiliates are never poorly reflected upon. The entire article is often designed to create conversions for their affiliates.

Reviewers frequently compare the latest affiliate build to an outdated (or defunct) non-affiliate build from several years ago. Non-affiliate listings often lack detail, or correct information.  

*Not a single source found for the links between affiliates showcased a non-affiliate as a better option. Even in areas where the non-affiliate has been proven to be a superior option such as successful real-world tests, lack of breaches, etc. Go through the map and go through each affiliate node, I'll wait. I already did the hard work. (VPNs particularly affected are Mullvad, IVPN, and ourselves)

#1 The VPN industry is worth billions...soon to be trillions.

In 2019 this was a $25.41B industry. As of May 2022 VPNs are estimated to be a $44.6B industry and are predicted to break $77B within 4 years*. Mental.

To the surprise of absolutely no one, totalitarian governments and censors just can't help themselves. It is in their nature to snoop and spy. To do a little thought-policing. To surveil the state and whatnot. As a direct result of the actions of these dickhead dictators, demand for security and safety is ever rising - but the real sad part is it appears the majority of people who then seek a VPN are being duped by shady marketing tactics.

There's certainly a very expensive battle going on right now, but our mindset isn't exactly the status quo. We've said this before and we'll say it again. We won't pay for the #1 spot.

These corporate VPNs are spending millions all in the hopes of squashing independents like us and taking control of the market, and they aren't afraid to use whatever tactics yield results, ethics be damned.

*Source

CONTRIBUTORS


Contributors must prove the accuracy of their claims by providing a source that can prove their statements. Non-verifiable claims are not accepted.

@SobeyHarker: 1042 data points
@QAizen: 418 data points
@Database: 38 data points
@Bear_Thornton: Editor

Want to contribute? See the footer to find out how to get in touch.

SOURCES


Most information regarding organisations found here is taken directly from the site listed at the top of their node. Additional information is taken from the following sources:

These sources are used to confirm basic information about the companies involved, such as location, website URLs, and where the majority of their team operates from.

VPNs - If the majority of the technical and senior staff are based in a specific country, then that is considered their "based" location. I reference where the company is officially registered and use that to base their tax information.

Corporations - Many of the corporations listed here do not provide a simple insight into where they may be located. Here I have surmised where a corporate entity is based using the location of key c-suite staff members.  

Media Companies - Currently I have not tracked the operating location of most of the media/content companies here. When I expand this to the 2.0 version I may include this.

*Let me preface this with a disclaimer. Everything stated here has been meticulously double-checked and doubled-sourced. That's why they make the top ten. I absolutely adore being wrong though because it helps me learn and look less of a tit. If you have additional sources or counter-points I welcome them. I'm a VPN industry novice in the grand scheme of things compared to my colleagues - but they vouch for this too.


Want to chat? Need a source? Have gushing praise or hate it? Let me know at [email protected] or on Twitter @SobeyHarker.

