VPN Trust Initiative announces 5 best-practice principles

The VPN Trust Initiative (VTI) was launched in December 2019 and is a group of like-minded companies that set out to create guidelines that all members would follow. The point being, not all VPN services are equal, and they wanted some way of strengthening trust and understanding among users.

VPNs are still a relative unknown for many people, and with stories of certain VPN apps spying on users and stealing personal information, the VTI is a way to show anyone choosing a VPN that they can trust the services offered by one of its members.

• What is a VPN and why do I need one?

Now, the consortium has announced five key principles which cover privacy, security, disclosure & transparency, advertising practices and social responsibility.

Read through them – below – and you might well think they don’t go far enough. But they are the baseline for how VPN providers should run their services and, of course, most VTI members go over and above these requirements.

For example, under the privacy section the principles are that providers should clearly explain what data they log. But almost all leading VPN services operate a no-logs policy, which means no data is stored which could identify a user, so there is nothing to hand over to authorities if a request were made. (This is also why most providers are based in jurisdictions which have ‘favourable’ privacy laws and why some users prefer not to use a provider based in the UK, US or any other member country of the ‘14-Eyes’.)

Something we’re particularly happy to see among the principles is never claiming that a VPN will make you anonymous online. This has never been true, but has often been used in marketing or advertising for VPN services, and is still a confusing aspect for many users.

A VPN certainly helps to protect your identity by hiding your true location, but your behaviour can reveal your identity anyway, as the principle states.

In case you’re wondering, the current providers who are part of the VTI include the following, most of which are in our list of the best VPN services:

• ExpressVPN
• NordVPN
• VpyrVPN
• Surfshark
• IP Vanish
• Stronger VPN
• Hide.me
• NetProtect
• SaferVPN
• Mysterium Network
• Ivacy
• Encrypt.me
• WL VPN

These are the five principles as laid out on the  VTI Principles website. 

Security

VPNs will use the necessary security measures including strong encryption and authentication protocols to appropriately address the risks. VPNs will:

• Suspend compromised authenticators in the event of a security incident
• Use token-based authentication when possible
• Never store usernames and passwords in plain text
• Help prevent keys from being shared between users

Privacy

VPNs should keep as little data as they deem necessary to provide the service, and only produce data to law enforcement when legally required. VPNs will:

• Say what they log, why they log it, and how long they keep the logs
• Notify users of a potential data breach or security incident within a reasonable timeframe
• Be transparent about any disclosure of data to third-parties

Disclosure and Transparency

To drive trust, member companies must take steps towards informing users and the public about their actions and procedures.

• Disclose how data is used, and what other business units and/or third-parties have access to data and why
• Publish annual transparency reports
• Provide user data only upon legitimate and valid court-ordered legal requests.

Advertising Practices

Given the complexity and different use cases for VPNs, claims must not mislead. VPNs will:

• Make accurate marketing claims that are backed up by the terms of use
• Use clear and transparent language
• Never claim VPNs guarantee anonymity – VPNs provide privacy but cannot ensure complete anonymity because user behaviour could hint at or reveal the user’s identity.

Social Responsibility

VPNs provide greater security and privacy – social goods that are important to those trying to make the world a better place. VPNs should:

• Support public education around VPNs and with truthful information
• Contribute to VPN technology including open source initiatives
• Promote VPN technology to support freedom of expression

“We share the common goal of making people aware of online threats and helping them understand how to mitigate against these,” said CEO and founder of hide.me, Sebastian Schaub. “Privacy online isn’t just a privilege – it’s a basic human right for every single person on the planet. The VTI Principles represent a major step forward for the industry and we’re proud to play our part.”

“The VTI Principles sets a new benchmark for VPN companies so that we can collectively improve as an industry. We are giving consumers greater confidence to use VPNs to enjoy the internet more freely, privately, and securely,” said Harold Li, vice president of ExpressVPN.

“The release of VTI Principles and Standards sets a bar for the whole industry,” said Tom Okman, co-founder of NordVPN. “In the last few years, the number of VPN service providers has skyrocketed. From the societal point of view, this is a positive turn, giving people freedom of choice on how and by whom their data should be handled. However, the rapid industry growth has also brought a lack of clarity. VPN providers operate in different ways, and not necessarily all of them apply the best standards when developing their service. VTI understood that and sought to create a set of principles: guidelines on which the services could rely. We hope that these principles will help the industry to become more trustworthy, transparent and secure.”

A good VPN doesn’t have to cost much. These are the best VPN deals available at the moment.