Building Trust Encryption Privacy Security Strengthening the Internet

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data, and enable trust.

Let’s face it, protecting your privacy can feel overwhelming. It can seem like we conduct our entire lives online and it’s hard not to notice headlines about our privacy being undermined, like law enforcement trying to gain access to encrypted data. But whether you know it or not, you’re making choices about what you share and how you share it each day. These seemingly-small actions can make a big impact.

You might already be doing some of these, but here are six actions you can take to protect your privacy:

  • Use end-to-end encrypted messaging apps. Switch to using messaging apps that offer end-to-end encryption, such as WhatsApp, Signal, Threema, and Telegram. Some are better than others, so make sure to read the reviews.
  • Turn on encryption on your devices or services. Some devices or services will offer encryption, but not set it as the default. Make sure to turn on encryption.
  • Use strong passwords. Do not just use a default password, a simple guessable password, or a password that uses personal information, such as your pet’s name. No matter how strongly your device or application is encrypted, if someone can figure out your password – they can access your data.
  • Keep up with updates. No system is perfectly secure. Security vulnerabilities are always being discovered and fixed with updates. That’s why it is so important to keep up with updates to your applications, devices and services. The update could be fixing a vulnerability and making you safer!
  • Turn on two-factor log-in (2FA). Two-factor log-in adds another factor (like a bank security fob) to your usual log-in process (e.g. a username and password). Adding another factor makes it even harder for criminals to access your data.
  • Turn on erase-data options. Some smartphones and services have an option that will erase your data after 3 or 10 failed attempts. Turn this on to protect yourself from thieves or if you lose your phone.

This Data Privacy Day, join the global community of people who are taking steps to secure our data. Your small actions can make a big difference!

Image by Vlad Tchompalov via Unsplash

Building Trust Privacy Security

Deep Dive: Scoring ISPs and Hosts on Privacy and Security

In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to governments. In this post we will take a deeper dive into the ISP/Hosts sector of the Audit. This sector is comprised of the top ISPs and other hosting organizations in the U.S. It includes everything from organizations that provide network access to organizations that host email services.

In the Audit, privacy statements are scored across 30 variables. ISP/Hosts were a decidedly mixed bag compared to other sectors, which tended to do either relatively well or poorly across the board in their statements. (Though to clear, the vast majority of organizations in the Audit had poor privacy statements, it was the most common reason for failure across privacy and security scoring.)

ISP/Hosts fell somewhat short in the presentation of their statements. OTA advocates several best practices that deal with how the privacy statement is displayed to make it as easy as possible for users to understand.

The simplest practice OTA advocates is a link to the privacy statement on the homepage so users can easily find it. Here ISP/Hosts did not fare well, with just 75% having links on their homepage – the lowest of any sector – compared to 89% of sites overall.

Another simple practice is putting a date stamp at the top indicating when the privacy statement was last updated. Here 43% of ISP/Hosts had a date stamp at the top, compared to 47% overall. This number is deceiving, however. Because ISP/Hosts were the lowest of any sector, they brought down the overall average significantly.

Finally, OTA advocates for the use of “layered” statements. The bar for getting points for a “layered” statement is low. This can be achieved with something as simple as a table of contents, to something more complex like an interactive statement or a summary outlining the longer privacy statement.

Just 25% of ISP/Hosts had a layered privacy statement, the lowest of any sector, compared to almost half (47%) of organizations overall. ISP/Hosts may have lagged behind in how they display their privacy statements, but they did much better in the content of the statement.

Specifically ISP/Hosts stood out in data sharing and retention language. Fully 82% of ISP/Hosts had language explicitly saying they did not share user data (except to complete a service for a customer), compared to 67% overall. In addition, 5% had data retention language. This means they explicitly said how long user data is retained and for what purpose. While 5% may seem small, only 2% of organizations had this language at all. In addition, ISP/Hosts were the second highest sector just behind the top 100 Internet retailers at 6%.

ISP/Hosts were right in the middle on one data sharing variable, showing that there is room for improvement in this area. Roughly half of ISP/Hosts (55%) had language stating that they would hold their third-party vendors to the same standards they hold themselves, compared to 57% of organizations overall. OTA advocates this practice because any organization that uses vendors must hold those vendors accountable. If a vendor abuses user data, and has a written agreement with an organization, that organization could be held liable for the vendor’s behavior.

ISP/Hosts privacy statements show that OTA standards are generally easy to meet. Small changes in these statements can go a long way to helping users understand the information being conveyed. These changes will also become increasingly important to keep up with the rapidly changing landscape of privacy laws and regulations around the world.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust Privacy Security

Deep Dive: U.S. Federal Government’s Security and Privacy Practices

In April 2019, the Internet Society’s Online Trust Alliance released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to government sites. In this post we will take a deeper dive into the U.S. Federal Government sector of the Audit. The Government sector is defined as the top 100 sites in the U.S. Federal Government by traffic (based on Alexa ranking). Given the nature of the U.S. Government compared to companies, this sample has some unique properties, namely site security.

The most obvious place the government excels is in the area of encryption. The reason for this is largely due to a mandate from the Homeland Security Department that all U.S. Government sites be encrypted, but the standard should still be the same for any site. Put another way, the other sectors in the Audit do not have an excuse for lagging in security.

In site security the Government sector fared the best with 100% adoption of “Always-On Secure Socket Layer” (AOSSL) and/or “HTTP Strict Transport Security” (HSTS), compared to 91% of sites overall. The health sector fared the worst with 82% of sites using these technologies. Both technologies ensure that traffic on the website is encrypted.

Most sites in the Audit fared well in these areas, but the Government sector was the only one to achieve 100% adoption of these technologies. From OTA’s perspective all sites should be adopting these technologies and while it is encouraging that the U.S. Federal Government (or at least the top 100 sites) have, it is discouraging that all of the other sectors are not reaching the 100% adoption rate.

In addition, the Government sector saw improvement over time. All sectors improved somewhat, but the Federal Government was the only one to cross the finish line. Here again it is important to note that the Federal Government is unique in some ways. Homeland Security can simply mandate encryption and it happens. Companies and other types of organizations may not be as straightforward, but that is not an excuse not to work towards full encryption.

In 2017, 91% of Federal Government sites were encrypted, up to 100% this year as noted above. Other sectors improved as well. ISP/Hosting sites went from 70% in 2017 to 91% in 2018. Banks, a sector where encrypting website traffic is particularly important given the types of data sent over those sites, also saw a marked improvement. In 2017 just 76% of banks encrypted their sites. In 2018 that number jumped to 91%.

Despite improvements across the board in site encryption, banks are a good example of where improvement is not enough. The Government sector sets the standard. The lesson for all organizations from the success of the U.S. Federal Government is simple. It’s possible to encrypt large numbers of sites quickly – and it’s in the interest of any organization to do so.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust Security

‘Major Initiatives in Cybersecurity’ Shows Everyone Can Contribute to Trust

How do we work toward a more secure Internet?

In the Cyber Security discussions that take place in the various policy fora around the world, there is often little appreciation that the security of the Internet is a distributed responsibility, where many stakeholders take action.

By design, the Internet is a distributed system with no central core or point of control. Instead, Internet security is achieved by collaboration where multiple companies, organizations, governments, and individuals take action to improve the security and trustworthiness of the Internet – so that it is open, secure, and available to all.

Today we’ve published Major Initiatives in Cybersecurity: Public & Private Contributions Towards Increasing Internet Security to illustrate, via a handful of examples regarding Internet Infrastructure, there are a great number initiatives working, sometimes together and sometimes independently, in improving the Internet’s security. An approach we call collaborative security.

Major Initiatives in Cybersecurity describes Internet security as the part of cybersecurity that, broadly speaking, relates to the security of Internet infrastructure, the devices connected to it, and the technical building blocks from which applications and platforms are built.

We make no claim to completeness, but we do hope that the paper illustrates the complexity, breath, and depth of the various initiatives out there. And, by extension, that there are no one-size fits all solutions. In the spirit of collaboration, we appreciate any feedback you might have for future versions of this document.

Read Major Initiatives in Cybersecurity:Public & Private Contributions Towards Increasing Internet Security

Building Trust Privacy Security

Deep Dive: How Does the Consumer Sector Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to government sites. In this post we will take a deeper dive into the Consumer section of the Audit. The Consumer section is a diverse set of sites including travel sites, hotels, and dating sites (see the methodology of the report for the full list).

In 2018 the Consumer section improved its standings with 85% making the honor roll, up from 76% in 2017. This was largely due to improvements in email security. Despite these gains in overall email security, TLS 1.3 adoption was actually down in 2018 (largely due to a change in the list of retail sites). Despite this OTA advocates the adoption of TLS 1.3.

Where these sites did stand out, compared to other sectors, was in privacy scores. Overall, the Consumer sector scored 43 out of 55 on their privacy tracker score, among the highest of any sector, and 33 out of 55 on their privacy statement, also among the highest.

The Consumer section privacy statements were exemplary in a few ways. First, the Consumer section had the highest score in the use of archives for their privacy statements, 12% of consumer sites had archives, the highest of any sector in the Audit.

OTA advocates this practice so users can see what changes were made to the privacy statement over time, without having to compare past statements on their own. This is a transparency issue. Privacy statements change constantly and it helps the organization to give users an easy way to see those changes.

Second, the Consumer section also stood out in data sharing language. 68% of Consumer sites had language they do not share data with third parties, among the highest of any sector. In addition, only 39% had language that they share data with “affiliates.”

“Affiliate” language is about sharing data within a corporate family, as opposed to entirely third parties. While obviously common practice, OTA advocates that organizations be more open about their data sharing practices, even among the corporate family.

Finally, the Consumers section scored among the highest with language explicitly saying that they hold their vendors to the same standards as themselves. In short, this is about holding any vendor that might hold data to the same data privacy standards as an organization would hold itself.

Overall, 74% of Consumer sites had language indicating they held their vendors to their own standards. This compares to 50% overall, well above the average for the entire sample. OTA advocates language like this because often data breaches happen with third party vendors, as opposed to the main organization itself, and therefore it is important that any organization make it clear that they hold all of their partners to the same standards they hold themselves.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

Building Trust Privacy Security

Deep Dive: How the News and Media Sector Scores on Security and Privacy

In April 2019 the Internet Society’s Online Trust Alliance released its 10th annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites in various sectors. The news and and media sector, comprised of the top 100 news and media sites according to US traffic to their websites, improved its privacy practices in 2018. Like most sites, however, there is still room for improvement in privacy statements.

In 2017 less than half (48%) of news and media sites made the Honor Roll. In 2018 that number went up significantly to 78%, largely due to improvements in privacy statements. Privacy is scored in two ways in the Audit, we look at trackers on each site and we score the privacy statements across over 30 criteria.

One area where news sites did not improve was in the use of trackers on their site. Out of all the sectors news and media scored the lowest in trackers with a score of 39 (out of 45). Part of the reason for this is the news and media sector relies on advertising revenue, which often requires the use of trackers to serve ads.

On the positive side, news and media fared well in the use of tag management systems and privacy solutions, with 69% of news and media sites using these technologies. Tag management systems and privacy solutions help manage third-party data collection and data sharing in real time.

On the bright side, however, news and media sites did improve their privacy statements. On statements, news and and media scored near the top with a score of 32 out of 55, second only to the consumer section.

First, news and media sites improved the readability of their statements, with 71% using layered notices up from 42% in 2017. A layered notice can be anything from a simple table of contents to a summary version of the longer privacy policy. OTA advocates the use of layered statements to help users understand the privacy statements and find information they may be looking more for easily.

One area for improvement, however, is in the use of icons and multilingual policies. Just 1% of news and media sites used icons to indicate what information is being conveyed in a section of the privacy policy. OTA advocates the use of icons to help users of various reading comprehension levels understand the information in the statement. In addition, only 5% had privacy statements in multiple languages. To be fair this is not unique to news and media. Few sites in the Audit use either icons or have multilingual policies.

Second, news and media sites improved their sharing language. Overall, 60% of news and media sites had language that they do not share user data with third parties, up from 53% in 2017. In addition, most (85%) news and media sites indicated that they hold those they do share data with to the same standards they hold themselves.

Finally, this year’s Audit tracked some aspects of GDPR (which went into effect in spring 2018) in order to gauge adoption of certain GDPR principles. To be clear, at the time of this Audit’s data collection many of the sites were not required to follow GDPR as they are largely U.S.-based organizations.

Since this Audit’s data collection period, more regulations have been put in place around the world, such as the California Consumer Privacy Act (CCPA), that mirror many of the principles OTA measured. Here news and media did not fare as well. For example, one GDPR requirement is that privacy statements be easy for most consumers to read and understand. Here the news and media sector fared the worst with just 8% being easy to read. On the plus side 70% of news and media sites offered a direct contact for users to address their privacy concerns. (In GDPR parlance this is a Data Protection Officer, but in the U.S. one is not required at the moment.)

It is encouraging to see improvement in the news and media sector’s privacy statements. It is also true, however, that given the shifting privacy regulations around the world these improvements will need to continue if news and media sites want to stay ahead of regulatory changes.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!

About Internet Society Building Trust Securing Border Gateway Protocol (BGP) Security Technology

Claudio Jeker Honored by Internet Security Research Group with Radiant Award

This week another Radiant Award has been awarded by the Internet Security Research Group, the folks behind Let’s Encrypt. The award puts the limelight on the heroes who make the Internet more secure and trustworthy each day.

The newest Radiant Award winner is Claudio Jeker, who receives the prize for his work of a BGP4 implementation on OpenBSD. This makes me horrendously enthusiastic. Why?

OpenBSD is a open-software based operating system that is focused on being secure and feature complete. It comes with a set of tools that make it ideally suited to be deployed, for instance, as a secure route server in an Internet Exchange Point (IXP). A route server is a service that an IXP can host in order to make the participating network service providers lives a little easier. They do not have to get the routing information from each other, but can simply talk to this piece of centralized infrastructure. OpenBSD allows this type of infrastructure to be build from commodity components in a scalable and secure way.

With a route server in place, an IXP can take additional measures to secure the Internet, namely by taking the MANRS actions.

Ultimately this would not be possible if OpenBSD did not have a rock-solid implementation of the Internet routing protocol (BGP4) – and that is exactly what Claudio developed. And to put a cherry on top, his software fully supports authenticated filtering of routes using a protocol called RPKI. RPKI is yet another critical piece of infrastructure needed to secure the Internet routing system and a way to implement one of the MANRS actions.

Claudio’s work will prove to be an important piece towards a better Internet security.

Want to know more about Let’s Encrypt? Read a comprehensive overview of the initiative – from inspiration to implementation, organization, and execution.

Building Trust Privacy Security

Online Trust Audit for 2020 Presidential Campaigns Update

On 7 October 2019, the Internet Society’s Online Trust Alliance (OTA) released the Online Trust Audit for 2020 U.S. Presidential Campaigns. Overall, 30% of the campaigns made the Honor Roll, and 70% had a failure, mainly related to scores for their privacy statements. As part of this process, OTA reached out to the campaigns, offering to explain their specific Audit scores and ways to improve them. The campaigns were also told that they would be rescored in mid-November and the updated results would be published in early December. As a result, several campaigns contacted us to understand the methodology and scoring, and several of them made improvements.

Rescoring of all elements of the Audit was completed on 25 November, and the table below shows the updated results since release of the original Audit. Several campaigns have been suspended since early October (Messam, O’Rourke, Ryan, and Sanford, as well as Bullock and Sestak in early December). Campaigns shown in bold in the Honor Roll column made enough improvements to earn passing scores for their privacy statements and thereby achieve Honor Roll status. Campaigns shown in italics at the bottom of the table are new entrants since the Audit was released. Based on this updated list of 20 campaigns, 10 made the Honor Roll while 10 had a failure in one or more areas, creating a 50/50 split.

Figure 1 – 2020 Presidential Campaign Audit Supplement Results
Privacy Practice Updates

Three campaigns updated their privacy statements, and all three made changes that caused them to pass in the privacy area (a score of 60 or more) and achieve Honor Roll status. However, these were minor changes (added a date stamp, addressed children’s use of the site, layered the statement to make it easier to navigate) – none addressed the core data sharing issues highlighted in the original Audit.

For the new entrants, one had no privacy statement (De La Fuente), one had a privacy statement with a score below 60 (Bloomberg), and one had a privacy statement with a passing score that directly addressed the data sharing issues (Patrick).

Site Security Updates

Minor changes were noted in the site security aspects of the Audit, and none were substantial enough to cause a change in Honor Roll status. Two campaigns now have outdated software (lowering their score), and one added support for TLS 1.3.

Site security scores for the new entrants were strong, which is in line with other campaigns, and all of them support “always on SSL” or fully encrypted web sessions.

Consumer Protection Updates

A few changes were noted in the existing campaigns – one added support for DNSSEC, and one added DMARC support with a reject policy (the recommended email security best practice). These improved the campaigns’ scores, but did not affect their Honor Roll status. The two campaigns that originally had failures due to email authentication have been suspended so are no longer on the list.

For the new entrants, one has insufficient email authentication (so fails in Consumer Protection as well as Privacy), and while the other two have strong SPF and DKIM protection, only one uses DMARC with a reject policy. One supports DNSSEC.


The engagement with several of the campaigns was constructive and led to improvements that helped them earn Honor Roll status. We find that for most organizations the issue is more about awareness of best practices and their impact on overall trust than a refusal to follow those best practices. However, the data sharing language in all but one of the privacy statements is concerning. For example, most of the campaigns had language that would allow them to share data with “like minded organizations.” Language along these lines gives the campaigns broad discretion to share user data. We encourage campaigns (and the political parties they work with) to consider improvements to sharing language to increase transparency about how data is shared and give users more control over their data.

Campaign Sites and Privacy Statements

You can find the list of the URLs for the rescored campaign sites and associated privacy statements in the Supplement to Online Trust Audit – 2020 Presidential Campaigns.

This supplement was finalized before Kamala Harris dropped out of the U.S. presidential race on 3 December 2019.

About Internet Society Building Trust Encryption Security Technology

Rachel Player Honored by Internet Security Research Group with Radiant Award

Internet security is accomplished by many unsung heroes. People who put their talent and passion into improving the Internet, making it secure and trustworthy. This is a feature of the Internet: security isn’t achieved through a central mandate but through the hard work and tenacity of individuals working across the globe.

Rachel Player, a cryptographic researcher, is one of those unsung heroes. She’s just been awarded the Radiant Award from the Internet Security Research Group, the folks behind Let’s Encrypt, for her work in post-quantum cryptography and homomorphic encryption. Homomorphic encryption allows people to do computations on encrypted data, so that information can remain private and still be worked with. This is a highly-relevant field in any area that deals with sensitive and personal data, such as medicine and finance. Player is also interested in lowering the barriers for young people – young women, especially – to work professionally on topics like cryptography.

To learn more, read the announcement by the Internet Security Research Group and Rachel Player’s blog post about her work and her interest in making the profession more accessible.

Want to know more about Let’s Encrypt? Read a comprehensive overview of the initiative – from inspiration to implementation, organization, and execution.

Building Trust Encryption Privacy Security

What Scary Movies Can Teach Us About Internet Trust

Mad geniuses. Evil dolls. Slow zombies. This Halloween, we’ll see all of these horror film clichés come to life. Sure they’re fun, but are there lessons we can learn from them? What if they could teach us what not to do? We looked at seven scary tropes and what they might teach us about Internet trust.

The call is coming from inside the house.

The phone calls keep coming, each one scarier than the last. Ring. “Are you home alone?” Ring. “Have you locked the doors?” Ring. “Look in the basement.” It’s only then you realize the stalker has been in the house all along.

We lock our doors to make our homes more secure, but we don’t always think about the security of the things we connect to our home networks. An insecure connected device can put your whole network and the devices on it at risk. Meaning, yes, the cybersecurity threat could be coming from inside the house. By protecting your home network, you limit your devices’ exposure to online threats and help mitigate the risk they may pose to others. You can make your network more secure by using encryption, a strong password, and firewall for your home WiFi network.

Sometimes your car won’t start when you really, really need it to.

You’ve escaped the abandoned hospital, you’ve made it to your car, and now you’re hunched over the steering wheel, hand shaking as you turn the ignition. There’s just one problem. The car won’t start. That’s when you spot the sticker in the window. The last maintenance call was over a year ago.

Maintain your devices and apps so you’re not stuck in a sticky situation. If a device or app has an auto-update feature, turn it on! No system is perfectly secure, and security vulnerabilities are always being discovered and fixed with updates. Anything that’s Internet connected, from your light bulbs to your thermostat, should be updated.

Build a strong barricade.

The zombies are coming. They’ve chased you into the last room of the house. You push the chair against the door, hoping it will buy you enough time to get away. But when you hear the splinter of particle board and see the door slam open, you curse your decision to buy from the IKEA clearance rack.

You wouldn’t try to secure a door with flimsy furniture, so why would you trust a weak password, such as “letme1n,” to secure your email, devices, and everything else you rely upon? No matter how strongly your device or application is encrypted, if someone can figure out your password, they can access your data. Make sure to use strong passwords, stop reusing passwords, and turn on two factor authentication (2FA) for your applications and services. Taking these steps makes it harder for the bad guys to access your data.

There are clues in that old book that might help you.

The book looks out of place with the others. It’s heavy, covered in dust, and written in arcane language. At first you ignore it. But when you start to see ghostly apparitions, you realize you should have paid attention to it from the start.

We often ignore the fine print, mindlessly scrolling through user agreements and privacy policies before clicking “Accept.” But they often contain information about what data is being collected and how that data is shared. When we are armed with this information, we can make smarter choices about which apps and devices we use, how much information we share with them, and how we set our permissions and privacy settings.

Seemingly ordinary objects can hide secrets.

It’s just a mirror, right? Certainly not a portal to a sinister underworld. Chanting a nursery rhyme in front of one won’t invoke haunted demons. And when you glance in it to check your hair, you won’t see a ghost standing behind you searching for her lost betrothed.

From credit cards to smart TVs, we use lots of everyday objects without thinking they might bring us harm by putting our privacy and security at risk. But we can protect ourselves from these ordinary objects by using encryption. Some devices and services have the capability to use encryption, but don’t turn it on by default. Take a few minutes to see if your devices or services are already using encryption or if you need to turn it on. You can also switch to messaging apps that offer end-to-end encryption.

Denial is a good way to get yourself in trouble.

That character who refuses to believe there’s any danger? The one who ignores the tapping on the window? They usually don’t make it past the first scene.

You don’t have to be that person. By taking steps to protect security and privacy, you can become the hero of your own film.

Finally, never go off on your own.

You’re camping with five of your closest, most photogenic friends, when mysterious things start to happen. Funny, you don’t remember leaving your car’s headlights on. And what is that shrieking coming from the woods? You decide to investigate. You’re about ten feet into the abandoned trail when you realize you should have stayed with your friends.

Whether it’s making Internet routing stronger, helping close the global digital divide, or shaping its future, we make the Internet a better place when we work together.

Join us! Let’s work together to help build an open, globally-connected, secure, and trustworthy Internet for everyone.

Privacy Security Technology

What to Look for When Choosing a VPN

We welcome this guest post from, an Organization Member of the Internet Society.

The search for online privacy has driven a quarter of the world’s Internet users to download a Virtual Private Network (VPN). VPN services are now an important tool for anyone concerned about security and privacy on public networks.

There’s a world of difference between VPNs, though. Without clear and unbiased information many users are forced to navigate their choice of VPN without much clarity.

Why is choosing the right VPN provider so important?

Whenever you switch on a VPN you are entrusting its provider with your personal data, browsing activity, and sometimes even your security. For this reason, VPN providers must be held to a higher standard than most products. It’s important you do your due diligence when making a decision.

What should I look out for? 

A good VPN will ensure that no one – even the VPN itself – can see what the user is doing online. Consider the following qualities:

Technical Security

The most secure VPN services will be transparent about the measures they have in place to safeguard their users and their business.

Any VPN worth its salt will offer the latest and most secure levels of encryption, a wide selection of strong protocols, and a range of additional security features including kill-switches, split-tunneling, and Tor compatibility.

Look for features like AES-256 encryption, OpenVPN functionality, and products that are independently audited by a respected third party. You should also look for VPNs that accept anonymous payments, incorporate open source software where appropriate, and have a clear policy for disclosing vulnerabilities.

Some VPNs can suffer from IP and DNS leaks. These leaks can be seen and collected by your ISP or any other entity that’s able to access your network. Needless to say, this renders the VPN effectively useless in terms of protecting your privacy.

Ultimately, a secure service will have several measures in place to protect user data and will actively offer the most sophisticated security standards available. Be sure to test your provider for leaks and ensure that respected third-parties have validated your provider’s claims of security.

Privacy Policy

Evaluating the privacy policy is one of the most important stages in assessing a VPN. Unfortunately, there are some products on the market with policies that leave room for improvement.

The best VPNs have ‘zero logs’ policies which, if implemented properly, will not store any identifying data. However, many providers use this term with very little substantiating evidence, and it can be difficult to know with complete certainty whether a provider is logging or not.

Secure VPNs will only log a minimal amount of basic connection data like bandwidth usage, server load, or server location. This is used to optimize provision of the service, and can’t be used to identify a user. Some VPNs, by contrast, have been found to log activity data including the originating IP address, DNS requests, and even a user’s entire online history – websites visited, files downloaded, and message contents included.

To make matters worse, the logging policies of some providers are often vague or unnecessarily complicated. It’s not uncommon for some VPN services to avoid directly stating whether their policy applies to connection logs, activity logs, or both. A provider might advertise ‘zero-logs’ or ‘minimal logs’ for one type of data, but continue to record the other.

It should be clear exactly what type of data your VPN creates and stores during or after a session. Look for VPNs that explain clearly what their logging policy is and VPNs that have a demonstrated history of inability to cooperate with legal data requests for this reason.

Make sure you read your provider’s privacy policy in full, or consult a third party who can do this research for you. 

Location and Jurisdiction

Jurisdiction is an important issue that’s often overlooked. Every VPN provider is bound to local laws and regulations. It’s crucial that you are aware of these laws and how they might affect your privacy.

In theory, if a provider’s logging policy is watertight, its jurisdiction shouldn’t matter. That being said, any legitimate VPN provider will have clear procedures for responding to requests from law enforcement regardless of its logging policy. These procedures, including a warrant canary, should be publicly available along with any measures in place to protect user data if a third party were to gain access to their servers.

It’s wise to check the country your VPN is based in, the laws of that country, and the company’s history in terms of cooperation with law enforcement.

Ownership and Business Model

VPN services can monetize your data in unexpected ways. It’s expensive to develop and operate a reliable VPN, and many services choose to subsidize these costs with income from other channels.

It’s possible that some form of data collection, sharing, or sale is occurring in order to cover the cost of the product. Many services also rely heavily on advertising, which is less than ideal for privacy.

Providers should clearly explain how they make money and how your financial details are processed. You should be able to easily tell whether a service runs on user subscriptions alone or if it also profits from the processing of personal data.

Before buying a subscription or reading a review, make sure you understand who ultimately owns the VPN service and whether or not it can be trusted.

You should be able to find the company’s legal name if it differs from its brand name, along with information on any other entities that control or invest in the provider’s services. Be sure to find out if these groups have financial stakes in other VPN products, and if so, whether they share information between them.

Determining your standards 

People use VPNs for many different reasons. Whether you’re picking a service for streaming, torrenting, censorship circumvention, or strictly for privacy purposes, it’s important to understand whether your chosen provider offers all the necessary features you need.

Once you have an idea of how your VPN stands up in terms of technical security, privacy, and business model, it’s worth considering broader qualities like customer support, speed, and device compatibility.

Some VPNs offer dedicated servers for specific streaming platforms, while others can give you a connection specifically optimized for torrenting. Check the company’s website and third-party reviews to see if your provider will work with the platforms you need and provide speeds that are sufficient for your purposes. You can also find out whether its servers will work in heavily-censored countries.

Check to see if your provider has dedicated apps for each of your devices. A lack of native support for your tablet, smartphone, or streaming device means you could risk partial protection and a suboptimal user experience.

Can you trust your VPN?

At the most basic level, a trustworthy VPN will never collect, share, or sell user data without appropriate legal precedent. Make sure to consider its business model, location, technical security and privacy policy. If it’s unable to provide clear answers to all of these questions, it’s probably not worth your time.

Common sense can save you a lot of trouble. Review your provider’s reputation and never use a VPN you’re not fully comfortable with. Just like you wouldn’t give a stranger unrestricted access to your home, you shouldn’t give unfamiliar applications access to your personal data.

Ultimately, if you’re really concerned about security and performance, you should be using a VPN that’s independently tested and well-reviewed by unbiased experts.

A good VPN can be seen as an investment in your security, privacy, and freedom – to prevent costly data loss, open up your browsing capabilities, and protect your right to privacy.

Ready to do more? Read The Lazy Person’s Guide to Better Online Privacy.

Building Trust Encryption Security Strengthening the Internet

A criptografia nossa de cada dia

Com que frequência você usa a criptografia? Pode parecer coisa de espiões, mas você vai ficar surpreso/surpresa quando souber que ela faz parte de muitas coisas do seu cotidiano.

A criptografia envolve a codificação de dados, e somente alguém com a chave de cifragem/decifragem pode ler ou acessá-los. Ela é usada em compras online, nos serviços bancários móveis e nos aplicativos de mensagens que conhecemos. Mesmo que você não esteja trabalhando com dados ultra sigilosos, a criptografia é o que mantém seus dados e informações seguras e confidenciais.

Saiba como a criptografia é usada em vários momentos do seu cotidiano.


Seu alarme toca. Você pega o telefone e pensa em apertar o botão soneca. Mas você tem uma apresentação importante no trabalho e vai precisar de cada minuto do dia de hoje. Você vê que recebeu uma mensagem de um amigo e uma amiga que estão no exterior desejando boa sorte. Para isso, sua amiga e seu amigo utilizaram um aplicativo de mensagens criptografadas de ponta a ponta. Essa medida é cuidadosa: ela garante que só vocês três saibam do conteúdo da comunicação. Além disso, o aplicativo permitiu que eles economizassem em tarifas telefônicas internacionais.


Você está pronto para sair de casa, mas antes de sair resolve dar uma olhadinha nas condições do trânsito local no sítio do seu jornal preferido. Há um ícone com um cadeado na barra de endereços do navegador, informando que o site usa HTTPS. Isso significa que é mais difícil para qualquer pessoa ver quais artigos você está lendo no portal. Bom, você descobre que houve um pequeno acidente na sua rota habitual, então você resolve tomar o transporte público.


O ônibus está lotado, mas você consegue se sentar. Você toma um gole do café que comprou na vendinha da esquina. Você pagou o café com seu cartão de débito, que usou criptografia em três lugares diferentes: no chip do cartão, no leitor de cartão na maquininha e na transmissão das informações (do estabelecimento até sua operadora e vice-versa, para validar sua transação). Você, obviamente, sequer está pensando nisso. Você só quer saber de ouvir uma boa música com seu novo fone de ouvido bluetooth enquanto viaja. Pode respirar aliviado: se você usa criptografia, seus dados, informações e transações online estão todos protegidos.


Antes que você possa sentar definitivamente na sua mesa de trabalho, é preciso que você cheque seu e-mail para verificar algum detalhe de último minuto sobre sua apresentação. Feito isso, você pode finalmente entrar em videoconferência com colegas espalhados por todo o país para buscar atualizações de várias filiais antes de fechar sua apresentação. A chamada é protegida por criptografia ponta a ponta; portanto, é muito mais difícil para qualquer terceiro não autorizado (inclusive a concorrência!) ouvir a sua conversa enquanto os dados fluem de um lado para outro entre os participantes da chamada.


Antes da apresentação, você resolve pedir o almoço por um aplicativo que reúne vários restaurantes e sua cidade. Você faz o pedido, paga com seu cartão de crédito diretamente na plataforma e só precisa esperar até que a comida chegue! Pode comer sossegado: como você escolheu um aplicativo com criptografia de ponta a ponta, somente você e o restaurante terão acesso ao seu menu. Da mesma forma, somente a plataforma terá acesso aos seus dados financeiros utilizados para fazer o pagamento online. Tomara que o entregador não abra o pacote para roubar algumas batatinhas antes de chegar ao destino, não é mesmo?


Você conseguiu! A apresentação correu bem e agora você está pronto para uma pausa. Você está na metade de um merecido cafezinho quando sente um pouco de dor de barriga: o almoço não caiu bem! Você pensa: “não deveria ter comido tão rápido!” Você desce até a farmácia mais próxima e usa todos os pontos de recompensa acumulados em seu programa de fidelidade para comprar remédios para azia. Para sua sorte, a base de dados da farmácia está em conformidade com a Lei Geral de Proteção de Dados Pessoais e emprega criptografia forte para proteger seus dados, o que dificulta a ação de hackers interessados em conhecer seu histórico de compras e suas informações bancárias. Dessa forma, ninguém saberá que você anda exagerando na comida!


Mais pro fim do dia, você olha para o seu reloginho fitness enquanto espera o ônibus para voltar para casa e vê que andou 8.000 passos até então. Bom trabalho! Queimou praticamente todas as calorias do almoço. Como existe uma comunicação segura entre o relógio e o aplicativo que você usa no celular, você sabe que suas informações de saúde permanecerão protegidas contra qualquer pessoa que venha a invadir o Wi-Fi público do café em frente à parada de ônibus que você está utilizando. Bom, o ônibus chegou! Use seu cartão pré-pago para pagar o ônibus e fique tranquilo: há alguns meses, a autoridade de trânsito atualizou o sistema de passes, que agora usa criptografia para dificultar que clonem seu cartão!


Antes de rumar para casa, você passa mais uma vez no mercadinho da esquina para arranjar algo para jantar. Como você está sem dinheiro, você resolve pagar a conta com o novo aplicativo de seu banco diretamente pelo smartphone. Saiba que cada vez que você faz um pagamento dessa maneira, os dados da transação são igualmente protegidos usando criptografia. Você resolveu comprar uma pizza de calabresa com catupiry. Essa informação não precisa chegar até seu cardiologista, certo? (Afinal, a pizza vem com rodelas de tomate, o que indica que você está fazendo uma escolha obviamente saudável).

No momento em que você chega em casa, você pede para sua assistente digital acender as luzes da sala e colocar sua TV Inteligente no seu canal preferido. Você não resiste a um filme pastelão! Como o Wi-Fi ao qual está conectada a sua TV é criptografado, seu vizinho esnobe não terá jamais como saber o que você anda vendo na TV nas horas de descanso.

Bom, esta é uma pitadinha de informação sobre como a criptografia mantém seus dados mais seguros! Agora que você já entende um pouco do assunto, sua missão é defendê-la e promovê-la para ajudar a proteger os dados de todos!

Read the English-language version.