Minimum to Qualify:

• Operating outside the USA or other Five Eyes countries.

Best Case:

• Operating outside the USA or other Fourteen Eyes countries.
• Operating inside a country with strong consumer protection laws.

Minimum to Qualify:

• OpenVPN support.
• Killswitch built in to clients.
• If VPN clients are provided, they should be open source, like the VPN software they generally have built into them. We believe that source code availability provides greater transparency to the user about what their device is actually doing. We like to see these applications available in F-Droid.

Best Case:

• OpenVPN and WireGuard support.
• Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
• Easy-to-use VPN clients
• Supports IPv6. We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
• Capability of remote port forwarding assists in creating connections when using P2P (Peer-to-Peer) filesharing software, Freenet, or hosting a server (e.g., Mumble).

Minimum to Qualify:

• Bitcoin or cash payment option.
• No personal information required to register: Only username, password, and email at most.

Best Case:

• Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
• No personal information accepted (autogenerated username, no email required, etc.)

Minimum to Qualify:

• Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
• Perfect Forward Secrecy (PFS).
• Published security audits from a reputable third-party firm.

Best Case:

• Strongest Encryption: RSA-4096.
• Perfect Forward Secrecy (PFS).
• Comprehensive published security audits from a reputable third-party firm.
• Bug-bounty programs and/or a coordinated vulnerability-disclosure process.

Minimum to Qualify:

• Public-facing leadership or ownership.

Best Case:

• Public-facing leadership.
• Frequent transparency reports.

Minimum to Qualify:

• Must self host analytics (no Google Analytics etc). The provider's site must also comply with DNT (Do Not Track) for those users who want to opt-out.

Must not have any marketing which is irresponsible:

• Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
• Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
• Browser fingerprinting
• Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
• Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.

Best Case:

Responsible marketing that is both educational and useful to the consumer could include:

• A accurate comparison to when Tor or other Self contained networks should be used.
• Availability of the VPN provider's website over a .onion Hidden Service

Should I use a VPN?

The answer to this question is not a particularly helpful one: It depends. It depends on what you're expecting a VPN to do for you, who you're trying to hide your traffic from, and what applications you're using.

In most cases, VPNs do little to protect your privacy or enhance your security, unless paired with other changes.

VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.

What if I need encryption?

In most cases, most of your traffic is already encrypted! Over 98% of the top 3000 websites offer HTTPS, meaning your non-DNS traffic is safe regardless of using a VPN. It is incredibly rare for applications that handle personal data to not support HTTPS in 2019, especially with services like Let's Encrypt offering free HTTPS certificates to any website operator.

Even if a site you visit doesn't support HTTPS, a VPN will not protect you, because a VPN cannot magically encrypt the traffic between the VPN's servers and the website's servers. Installing an extension like HTTPS Everywhere and making sure every site you visit uses HTTPS is far more helpful than using a VPN.

Should I use encrypted DNS with a VPN?

The answer to this question is also not very helpful: it depends. Your VPN provider may have their own DNS servers, but if they don't, the traffic between your VPN provider and the DNS server isn't encrypted. You need to trust the encrypted DNS provider in addition to the VPN provider and unless your client and target server support encrypted SNI, the VPN provider can still see which domains you are visiting.

However you shouldn't use encrypted DNS with Tor. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.

What if I need anonymity?

VPNs cannot provide strong anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data.

Shouldn't I hide my IP address?

The idea that your IP address is sensitive information, or that your location is given away with all your internet traffic is fearmongering on the part of VPN providers and their marketing. Your IP address is an insignificant amount of personal data tracking companies use to identify you, because many users' IP addresses change very frequently (Dynamic IP addresses, switching networks, switching devices, etc.). Your IP address also does not give away more than the very generalized location of your Internet Service Provider. It does not give away your home address, for example, despite common perception.

Should I use Tor and a VPN?

By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides 0 additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. Read more about Tor bridges and why using a VPN is not necessary.

Are VPNs ever useful?

A VPN may still be useful to you in a variety of scenarios, such as:

1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.

For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're trusting the provider. In pretty much any other scenario you should be using a secure-by-design tool such as Tor.