Over the past few months, we reviewed 144 VPN providers for 63 different factors, with the main focus on:
How serious are VPN providers actually about the privacy of their users?
Among other things, we examined which VPNs have their no-logs policy confirmed by an external audit and how many VPN providers in fact violate the GDPR.
In this article, we’ll present the results of our research. If you are interested in how the study was conducted, please see below.
Summary: The key findings of our study
- 72% of all VPN services violate the GDPR by setting trackers on their website without an opt-in.
- A VPN client for Android contains an average of 3.4 trackers.
- Of all VPN providers, only 8.28% are completely tracker-free. Neither do they have trackers on the website nor in the Android app.
- 80% of all VPN services promise not to store any logfiles. However, only 17% have had an external audit performed.
- OpenVPN is the most used VPN protocol, with a coverage of 81%. Only 23% of all VPN providers support WireGuard.
- The costs for a VPN are on average 9 Euros, if monthly paid. 86% of the providers offer discounts for longer periods of use.
- 82% offer a money-back guarantee.
- 23 % of all VPNs have their company headquarters in the United States. Only 54 % are located outside the “14 Eyes”.
- On average, a VPN has 1.257 servers in 40 countries.
Privacy protection: 72 % of all VPN providers violate the GDPR!
With the introduction of the General Data Protection Regulation (GDPR) in 2018, an EU-wide law came into force that sets out certain rules for handling personal data. According to various lawyers, one effect of the GDPR is that website operators must give their visitors the choice of whether technically unnecessary cookies (e.g. tracking cookies from Google Analytics or Facebook) may be set.
In response to our inquiry, attorney Phil Salewski of IT-Recht Kanzlei Munich some clear words about this:
„If VPN providers use cookie-based tracking and web analysis services such as Google Analytics, this is only permitted with prior express and voluntary user consent according to Section 25 (1) TTDSG. In case the consent is not obtained before or not given voluntarily, there is a violation of applicable data protection law.“
Advocate Phil Salewski
Especially with VPN service providers, it is more than questionable if they do not comply with the cookie consent requirement. Most providers frequently advertise the advantage of protecting your private data on the Internet – why trample all over it?
Therefore, we first examined which VPN providers use tracking cookies on their website without providing an active opt-in beforehand. The finding is astonishing.
Before agreeing to the cookie banner, we found trackers on the website of a total of 104 VPN providers. That means: Around 72% of VPN services violate the GDPR or applicable data protection law.
We also found some VPN providers who appear to be GDPR-compliant, but the truth is, that we still found some trackers in the background. Hidemy.name for example gives you the choice to consent to tracking cookies, but sets them anyway, such as Facebook or Google Analytics.
Within the 40 remaining VPN providers that are GDPR-compliant by offering the opt-in option, we were able to find trackers on 6 websites, after accepting the third-party cookies. While these providers do not violate the GDPR, they still track their website visitors, which is not ideal for a VPN operator. Overall, only 24% of all VPN providers do not use any tracking cookies on their website.
In addition to website trackers, there is also a huge amount of VPN providers who hide various trackers in their apps. To investigate this, we used exodus-privacy.eu.org. With this platform, Android apps can be analysed and the number of trackers can be determined. Unfortunately, we could not find a suitable alternative for iOS apps.
After investigating all VPN providers on Exodus for trackers, we came to the following conclusion: 79% of all services use trackers in their Android app, whereby the average VPN provider integrates 3.4 trackers.
Fun Fact: According to Exodus, iTop VPN has the most trackers on the Android app. We were able to find 17 of them. That really is a lot.
Finally, we were interested to know whether there are any providers who are „tracker-free“, i.e. do not install any trackers on the website or in the apps.
Fortunately, there are a few providers that do without trackers. However, this counts down to only 12 providers that are completely free of trackers. This means that just 8.28% of all VPN providers examined are tracker-free. These include Mullvad, AirVPN and ProtonVPN.
Conclusion: More than two-thirds of all VPN providers violate the GDPR. They use trackers on their website and their apps without giving you a choice. Although some services offer the option of only accepting technically necessary cookies, they still track you without your consent. Only one out of 12 VPN can do without any tracking cookies.
No-logs VPN: Only a few providers live up to their promises
Storing log files is not only relevant for Internet providers and website operators, but also for VPN providers. A basic distinction is made between connection logs and usage logs. Connection logs are important for operators to keep an eye on the utilization and capacity of their VPN servers, among other things.
The situation is different when it comes to usage logs. VPN providers that follow a no-logs policy should not record which websites you visit or which data you download.
“No logs”, “No-logs policy” or “We don’t log user data” can be read quite often on the websites of various VPN providers. To be exact, 80% of all services state that they do not store any usage logs. The question is, do they keep these promises?
Unfortunately, it is not possible for us as users to check whether this information is actually correct. For this reason, VPN operators can conduct an external audit, where an independent company checks whether no information is actually stored.
Our study showed that just 17% of VPN services have had an external audit completed and can thus confirm their no-logs policy. In fact, there are already some VPN services, such as IPVanish, that have already been exposed and have blithely stored data despite big no-logs promises.
ExpressVPN is a good example of how it should be done. There are several external audits from reputable companies commissioned by the VPN provider.
Conclusion: Only very few VPN providers confirm their no-logs policy through an external audit. So it is questionable whether you can believe the promises on the website or not. Most operators probably do not seem to have the financial means for such an audit. Another possible explanation is that they want to hide something.
Protocols: WireGuard still not very common
There are several VPN protocols to establish a connection between the VPN client and the VPN server. OpenVPN is considered the standard, but not all services use this protocol. We have therefore examined which protocols are used by the individual providers.
According to our statistics, 17 providers use their own protocol, which is around 12%. Good examples are the Lightway protocol from ExpressVPN or NordLynx developed and used by NordVPN.
Most providers use open protocols to encrypt data traffic, such as OpenVPN or WireGuard. I am not surprised that more than two-thirds of the providers use OpenVPN. The protocol is supported by 117 out of 144 VPN services, which makes up 81% of the sample. Thus, OpenVPN is the most popular VPN protocol.
WireGuard is a VPN protocol that is still quite new on the market. Although WireGuard is considered to be as secure as OpenVPN and has the advantage of being even faster, only 23% of VPN providers offer WireGuard (33 VPN services in total). That number is significantly lower than I had expected.
Conclusion: OpenVPN is still the most widely used encryption protocol among VPN operators. 4 out of 5 providers support the protocol.
VPN Prices: Long-term contracts are more profitable
In the search for a suitable VPN provider, the cost factor plays an important role for many people. The price difference is huge. There are services that offer their software for as little as two Euros per month, while others charge significantly more for their service.
On average, a VPN costs around 9.00 Euros in a monthly rate. The most expensive VPN we came across is Astrill VPN. You have to pay 25.00 Euros if you book the service for a month. In comparison, you can get the monthly subscription from Hoxx VPN for just 1.94 Euros.
Typically, most providers offer different pricing models for different contract periods. As I had already expected, the monthly rate is the most expensive.
If you want to save money, it is a good idea to book the service directly for a longer period. Around 86% of VPN providers will give you with a discount if you choose a longer term. In the cheapest rate, the costs for a VPN narrow down to 4.40 Euros per month on average. The duration of the contract mostly ranges from 6 months to 3 years.
According to our research, the cheapest VPN providers are WideVPN (0.83 Euros monthly / 24 months), NoodleVPN (1.00 Euros monthly / 12 months) and Namecheap VPN (1.02 Euros monthly / 12 months).
Signing up for a new service without having tested it first entails certain risks. Does the service perform as promised? Will it satisfy my requirements? In order to convince potential users of their performance, many VPN providers therefore entice with a money-back guarantee.
Overall, 82% of VPN services offer a money-back guarantee. The average time period is 19.6 days. Only around 3% of providers grant their customers a longer period to test the VPN. One of them is CyberGhost. With CyberGhost you have the option to get your money back up to 45 days after completing the purchase.
Another way to test a VPN before the paid subscription is free trial access. This allows you to fully test the VPN for a limited period of time. According to our study, most providers grant you 7 days for this.
A total of 47 providers offer such a trial period. Interestingly, significantly more VPN providers offer a money-back guarantee. You have to pay for the service in advance, but you also get more time to test it.
We are used to things being free on the internet. This can quickly become dangerous with a VPN service, especially with regard to your private data. The operation of the servers alone incurs costs that have to be covered sooner or later.
This raises the question of how a free service is going to manage all the maintenance costs. A common way to make money on the internet is to sell user data. To keep the chances of getting hold of such a provider as small as possible, you should refrain from using a completely free VPN.
Interestingly, 28% of paid services also offer a free plan. One of them is ProtonVPN. The free plan, as with many other providers, is a bit more stripped down than the paid version. You only get access to a few servers and cannot use all the features.
When it comes to payment, you have several options. With almost every VPN provider, payment by credit card is possible. Many also support PayPal or a direct bank transfer.
We investigated how many providers also allow payment with cryptocurrencies. The result: Almost 56% offer an „anonymous payment“. However, many of them only support crypto payments via an intermediary company. If this is the case, anonymous payment is no longer feasible.
As with NordVPN or PureVPN for example, you will be redirected to the crypto payment provider CoinGate when paying with Bitcoin, XRP or Ethereum.
Mullvad on the other hand, uses a different method for payments with cryptocurrencies. A unique payment address is generated, which makes the process much more anonymous.
5% of the VPN providers contest the supreme discipline of anonymous payment – cash payment. ProtonVPN or Mullvad, for example, allow you to pay the service by sending cash along with your payment token to the company via mail.
Conclusion: Only very few VPNs are free of charge. However, almost every fourth provider has a free plan. Most VPNs also get cheaper if you sign up for a longer period of time, and almost all services offer a money-back guarantee.
Clients: Only every second VPN service supports Linux
A VPN client is the program that establishes the encrypted connection to a VPN server. VPN providers offer apps for this, which simplify the installation of the software on various devices.
VPN clients can exist for all common operating systems and devices. However, our study showed that only a few actually support all of them. Just 6% of VPN providers offer clients for a huge variety of platforms, including ExpressVPN, NordVPN and Surfshark. If you use one of these providers, you can install the VPN on all your devices.
The most popular devices are supported by the majority of providers. More than 90% offer a VPN client for Windows, macOS, iOS and Android. A client for Linux is less represented. Only half of all examined VPN services have a corresponding Linux app.
Less common devices such as routers (38%), Android TV (20%) and Amazon Fire TV (24%) get the least support. Only one in 10 providers also supports Apple TV.
Conclusion: Finding a VPN for Windows, macOS, iOS and Android is easy. It gets more difficult when you start looking for a VPN for other devices like Linux. This operating system is only supported by one of two VPN services. A proper app for Apple TV is only available from one in ten providers.
Devices: Most providers allow more than 4 simultaneous connections.
A good feature set also means that you can install a VPN on more than one platform and use it at the same time. Each provider determines how many simultaneous connections are possible with each subscription.
On average, VPN providers allow you to connect to 5 devices at the same time. 71% let you use the VPN on 5 or more VPN clients at the same time. This is more than enough for private use. Around 11% even grant you an unlimited number of simultaneous connections, whereas some providers only allow you to use a single device to connect to the VPN.
Conclusion: Almost one in ten providers allows an unlimited number of simultaneous connections. The majority however limits the number to 5 or more.
Foundation & company headquarters: VPNS on average 12 years old
There is a great market of VPN service providers. Not only the cost factor matters in the decision-making process, but also the trust in a service plays an important role in the purchase decision. How trustworthy the company behind the VPN is can be determined, among other things, by how transparently it handles information and under which jurisdiction it operates.
Many VPN services have been established on the market for years. Surprisingly, 45% of active VPN services have been around for more than 10 years. Among the oldest providers are HideMyAss, StrongVPN, Ironsocket and GoTrusted. These four have been offering their service since 2005. On average, a VPN operator is about 12 years old. In the last 5 years, there have been barely 20 new VPN services that have made it onto our list.
Often, well-known operators simply continue to develop their services. This is the case with Opera’s new VPN, for example. Previously, it only offered a free browser extension with just a few features. Since 2022, the company has entered the market with Opera VPN Pro, a more powerful software.
However, you cannot tell how trustworthy a VPN service really is just by its fame and establishment. The company’s location says a lot about how your data is handled.
Unlike in the EU or Switzerland, there are no general data protection laws in the USA that regard the protection of private data as a fundamental right. From a data protection perspective, it is therefore less good if a VPN provider operates its service from there. According to our study, 23% of all providers have their corporate headquarters in the United States.
In Germany, data protection is provided thanks to the GDPR. However, VPN operators that have their headquarters here are at the same time subject to the data retention law. We were able to find 9 providers, including Avira Phantom VPN and Zenmate, that have chosen Germany as their company headquarters. In case of doubt, they can be forced by the authorities to release user data.
Ideally, VPN services do not have their company headquarters in one of the countries that are members of the 14 Eyes. Unfortunately, this is only true for slightly more than half of all VPN operators. According to our study, 54% of VPN providers are located outside the 14 Eyes.
One of them is ExpressVPN. The company is headquartered in the British Virgin Islands. According to the laws in this country, user data does not have to be passed on to the authorities.
Conclusion: There are some VPN providers that have been established on the market for almost 20 years. New ones are coming in only sluggishly. Almost half of the providers are located within one of the 14 Eyes countries.
Distribution: The number of downloads reveals nothing about the popularity
Finding reliable user numbers is difficult. To figure out how popular a VPN is, we looked at the search volume on Google and examined the popularity of Android apps in the Playstore.
Most of the searches on Google are related to NordVPN. This comes as little surprise to me, as NordVPN also performed very well in my personal VPN test, where I had a deeper look at almost 40 providers. NordVPN came in second place.
In the second place of Google search queries is Hola. This is equally unsurprising in my view, as it is one of the few VPNs that you can use completely free of charge. However, you can find out why the provider is a threat to your privacy in my Hola review.
On the third place, ProtonVPN also appears in the statistics. I have also tested this service extensively and appointed ProtonVPN as my privacy test winner. Due to the extensive free version, I am not surprised that many people are interested in ProtonVPN.
The top 3 VPNs with the most Google Play Store downloads are surprisingly occupied by completely different providers. These include VPN Unlimited with 1,000,000 downloads as well as Hotspot Shield VPN and Turbo VPN with 100,000,000 downloads each. On average, a VPN was downloaded 500,000 times in the Google Play Store.
The number of downloads alone does not say anything about the popularity of a VPN provider. We therefore looked at the ratings of each service in the Google Play Store.
According to that, the three most popular Android VPN apps are HotVPN (4.9 stars), Turbo VPN (4.7 stars) and Bitdefender Premium VPN (4.7 stars). For comparison, the average rating of a VPN in the Play Store is 3.9 stars. The worst ratings were received by BetterVPN (1.5 stars), Steganos Online Shield (1.9 stars) and DeutscheVPN (2.4 stars).
Conclusion: On average, a VPN is downloaded 500,000 times in the Google Play Store and has a rating of 3.9 stars.
Servers: Thousands of VPN connections around the world
Depending on your intended use, the number of servers and the countries in which these are located is highly important. If you want to use a VPN for streaming, servers in various countries are advantageous. If you want to encrypt your connection and get a German IP address at all times, your VPN service must provide corresponding servers in Germany and so on.
On average, a VPN service has 1,257 servers. While just less than half of them provide only 500 or fewer servers, there are also some providers that operate several thousand servers. Turbo VPN is right at the top of the list. According to its own statement, you get access to 21,000 VPN servers worldwide. CyberGhost ranks second among VPNs with the largest server selection. Here you have access to 8,700 servers.
However, the number of servers alone says nothing about which IP addresses you can obtain. The countries in which they are located are decisive. Most VPN services operate servers in around 40 countries. HideMyAss promises its users access to a respectable 210 countries. This would then cover almost all countries in the world. Such a large selection is often only achieved by using virtual servers.
When travelling abroad, an IP address of your home country is interesting. You will only get one if your VPN provider also has at least one server in your country. According to our study, 126 VPN providers (88%) operate a server in Germany. Just as many services also allow a connection to the USA.
The number of free services is much lower. Only 16% of VPNs provide you with a German IP address for free. These include OkayFreedom VPN, Windscribe, CyberGhost and some more.
But what about other countries? A total of 117 providers are represented with servers in Switzerland. In contrast, you can only access an Austrian server with about every second provider.
A VPN connection to the UK also seems to be very popular. 85% of all providers examined in this study have a VPN server in the United Kingdom.
Turkey is somewhat less represented. Only around 49% operate a VPN server from here. One possible reason for this is that more and more providers are withdrawing from the country, since VPN services are banned in Turkey. The situation is similar with Russia. However, almost half of the providers still offer a server here as well. It is questionable how long this will remain the case.
Other countries where the use of VPN services is prohibited include the United Arab Emirates, China and Belarus. I am therefore less surprised that the availability of servers in these countries is not that great either.
After all, around 32% offer a VPN server in the United Arab Emirates. In China, on the other hand, it is only 15% and in Belarus as little as 10%. In North Korea and Iraq, barely 2% of the providers offer a connection to a VPN server.
Conclusion: Most VPN services offer a large selection of VPN servers in several countries. Almost all providers allow you to connect to Germany, as well as Switzerland, the USA and UK. In countries that forbid the use of a VPN, the range of servers is significantly smaller.
Support: Only half of the applications in German
Good customer service is no coincidence. No matter what type of service is involved, companies and service providers that focus on satisfying their customers offer assistance with questions and problems. For fast problem-solving, it is additionally advantageous if the information is also provided in your native language.
Almost half of all providers (49 %) have a German website. 23% even provide a knowledge database in German. This result surprised me a bit, since most VPNs, as we found out, are not of German origin.
A VPN can be in use at any time of the day or night. Often, the operators are located on the other side of the world, which makes it even more difficult to be permanently available. Surprisingly, 42% of VPN services offer 24/7 support. This means that almost half of all VPN customer services are available around the clock. Mostly you can reach them via live chat, but telephone and e-mail support are also very common.
Conclusion: Every second VPN website is available in German. This makes it much easier for German users to obtain information about the provider. In addition, almost every second provider also offers 24/7 customer support. To be honest, I had expected a bit more here.
Conclusion: This is how we conducted the study
At the beginning, we scoured the Internet for VPN services that are available on multiple platforms. In doing so, we were able to identify 144 providers that are available for users to download.
We analysed these services based on 63 different factors, which brought us to a total of 9,072 data points. Between August 05, 2022 and January 26, 2023, we collected this data through hours of painstaking work, checking each provider for their respective factors. The first round of research took us about 20 minutes per provider, for a total of about 48 hours.
You can have a look at our raw data here.
We grouped the factors into six different categories. Based on that, we then compiled the various statistics.
- General information
- Language and support
- Costs and contract terms
- Privacy and security
- Clients and server network
- Distribution and popularity
Now we’re interested in what you think about our data: Which statistic surprised you the most? What else are you wondering about VPN providers? Feel free to leave a comment below the article!
Original Article: German Version