Incognito mode: Why it’s time to stop paying for a VPN

For more than a decade, security experts have recommended using a VPN to shield your internet traffic from bad actors who are trying to snoop on you. But just as tech gadgets become outdated over time, so does some tech advice.

The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy, some security researchers said. Many of the most popular VPN services are now also less trustworthy than in the past because they have been bought by larger companies with shady track records. That’s a deal-breaker when it comes to using a VPN service, which intercepts our internet traffic. If you can’t trust a product that claims to protect your privacy, what good is it? “Trusting these people is really critical,” Matthew Green, a computer scientist who studies encryption, said about VPN providers. “There’s no good way to know what they’re doing with your data, which they have huge control over.”

For several years, I subscribed to a popular VPN service called Private Internet Access. In 2019, I saw the news that the service had been acquired by Kape Technologies, a security firm in London. Kape was previously named Crossrider, a company that had been called out by researchers at Google and the University of California for developing malware. I immediately canceled my subscription. In the last five years, Kape has bought several other popular VPN services, including CyberGhost VPN, Zenmate and, just last month, ExpressVPN in a $936 million deal. This year, Kape additionally bought a group of VPN review sites that give top ratings to the VPN services it owns.

A Kape spokeswoman said that Crossrider, which has long been shut down, was a development platform that was misused by those who distributed malware. She said Kape’s VPN review sites maintained their independent editorial standards. “It kind of sets a concerning precedent from the consumer standpoint,” said Sven Taylor, the founder of the tech blog Restore Privacy. “As the average user goes online to look for information about the product, do they know that what they’re reading might have been written by the company that owns the end product?”

A caveat: VPNs are still great for some applications, such as in authoritarian countries where citizens use the tech to make it look as if they are using the internet in other locations. That helps give them access to web content they cannot normally see. But as a mainstream privacy tool, it’s no longer an ideal solution.

Not long ago, many websites lacked security mechanisms to prevent bad actors from eavesdropping on what people were doing when browsing their sites, which opened doors to their data being hijacked. This helped VPN services become a must-have security product. VPN providers offered to help cloak people’s browsing information by creating an encrypted tunnel on their servers, through which all your web traffic passes. But in the last five years, the internet has undergone immense change. Many privacy advocates and tech companies pushed for website creators to rewrite their sites to support HTTPS, a security protocol that encrypts traffic and solves most of the aforementioned problems.