
Earlier this year in May, the Center for Democracy and Technology (CDT) held a discussion at RightsCon in Toronto with popular VPN service providers: IVPN, Mullvad, TunnelBear, VyprVPN, and ExpressVPN. Together they formulated a list of eight questions, called Signals of Trustworthy VPNs, that describes the basic commitments VPNs can make to signal their trustworthiness and positive reputation.

CDT is a Washington, D.C.-based non-profit organization which aims to strengthen individual rights and freedom by defining, promoting, and influencing technology policy and the architecture of the internet.

What was the goal behind the discussion between CDT and VPN providers?

The goal of these questions is to improve transparency among VPN services and to help resources like That One Privacy Site and privacytools.io provide better comparisons between different services.

Additionally, it will provide a way for users to easily compare privacy, security, and data use practices of VPNs. This initiative will also encourage VPNs to deploy measures that will meaningfully improve the privacy and security of individuals using their services.

The questions they have come up with try to provide users with clarity in three areas:

  • Corporate accountability and business models
  • Privacy practices
  • Data security protocols and protections

You can find the entire list of the questions at CDT’s official website.

What are the key recommendations by CDT for VPN providers?

The following are a few of the best practices that VPN providers can adopt in order to build trust with their users:

  • VPN providers should share information about the company’s leadership team, which can help users know more about the reputation of who they are trusting with their online activities.
  • Any VPN provider should be able to share their place of legal incorporation and the laws they operate under.
  • They should provide detailed information about their business model, specifically whether subscriptions are the sole source of a service’s revenue.
  • They should clearly define what exactly they mean by “logging”. This information will include both connection and activity logging practices, as well as whether the VPN provider aggregates this information.
  • Users should be aware of the approximate retention periods for any log data. VPN providers should put in place procedures for automatically deleting any retained information after an appropriate period of time. This period should be disclosed, and its length should also be justified.
  • VPN providers can also implement bug bounty programs. This will encourage third parties to identify and report vulnerabilities they might come across when using the VPN service.
  • Independent security audits should be conducted to identify technical vulnerabilities.

To know more about the CDT’s recommendations and the eight questions, check out their official website.
