Securing your online footprint can seem like a daunting task. We’ve become accustomed to giving up bits of data for convenience, and have been forced into trusting our internet service providers because access has become so vital to everyday life. You don’t have to blindly accept this, though: using a virtual private network (VPN) can be an easy way to gain back some of your anonymity and security while browsing online. Still, it can be challenging to differentiate which service makes most sense for your online needs. We tested nine popular VPNs to narrow down our top picks and provide advice on choosing the best VPN service for you.

Table of contents

• Best VPNs of 2024

• What is a VPN?

• Are VPNs worth it?

• How we tested VPNs

• Other VPN services our experts tested

• VPN FAQs

Best VPNs of 2024

What is a VPN?

VPNs, or virtual private networks, mask your IP address and the identity of your computer or mobile device on the network and creating an encrypted "tunnel" that prevents your internet service provider (ISP) from accessing data about your browsing history. VPNs are not a one-size-fits-all security solution, though.

Instead, they’re just one part of keeping your data private and secure. Roya Ensafi, assistant professor of computer science and engineering at the University of Michigan, told Engadget that VPNs don’t protect against common threats like phishing attacks, nor do they protect your data from being stolen. Much of the data or information is stored with the VPN provider instead of your ISP, which means that using a poorly designed or unprotected network can still undermine your security. But they do come in handy for online privacy when you’re connecting to an untrusted network somewhere public because they tunnel and encrypt your traffic to the next hop.

That means sweeping claims that seem promising, like military-grade encryption or total digital invisibility, may not be totally accurate. Instead, Yael Grauer, program manager of Consumer Reports’ online security guide, recommends looking for security features like open-source software with reproducible builds, up-to-date support for industry-standard protocols like WireGuard (CR's preferred protocol) or IPsec, and the ability to defend against attack vectors like brute force.

Understanding VPNs and your needs

Before considering a VPN, make sure your online security is up to date in other ways. That means complex passwords, multi-factor authentication methods and locking down your data sharing preferences. Even then, you probably don’t need to be using a VPN all the time.

“If you're just worried about somebody sitting there passively and looking at your data then a VPN is great,” Jed Crandall, an associate professor at Arizona State University, told Engadget.

That brings us to some of the most common uses cases for VPNs. If you use public WiFi networks a lot, like while working at a coffee shop, then VPN usage can help give you private internet access. They’re also helpful for hiding information from other people on your ISP if you don’t want members of your household to know what you’re up to online.

Geoblocking has also become a popular use case as it helps you reach services in other parts of the world. For example, you can access shows that are only available on streaming services, like Netflix, Hulu or Amazon Prime, in other countries, or play online games with people located all over the globe.

There are also a few common VPN features that you should consider before deciding if you want to use one, and which is best for you:

What is split tunneling?

Split tunneling allows you to route some traffic through your VPN, while other traffic has direct access to the internet. This can come in handy when you want to protect certain activity online without losing access to local network devices, or services that work best with location sharing enabled.

What is a double VPN?

A double VPN, otherwise known as multi-hop VPN or a VPN chain, passes your online activity through two different VPN servers one right after the other. For VPN services that support this, users are typically able to choose which two servers they want their traffic to pass through. As you might expect, this provides an extra layer of security.

Are VPNs worth it?

Whether or not VPNs are worth it depends how often you could use it for the above use cases. If you travel a lot and rely on public WiFi or hotspots, are looking to browse outside of your home country or want to keep your traffic hidden from your ISP, then investing in a VPN will be useful. But, keep in mind that even the best VPN services often slow down your internet connection speed, so they may not be ideal all the time.

In today's world, we recommend not relying on a VPN connection as your main cybersecurity tool. VPN use can provide a false sense of security, leaving you vulnerable to attack. Plus, if you choose just any VPN, it may not be as secure as just relying on your ISP. That’s because the VPN could be based in a country with weaker data privacy regulation, obligated to hand information over to law enforcement or linked to weak user data protection policies.

For VPN users working in professions like activism or journalism that want to really strengthen their internet security, options like the Tor browser may be a worthwhile alternative, according to Crandall. Tor is free, and while it's less user-friendly, it’s built for anonymity and privacy.

How we tested VPNs

To test the security specs of different VPNs and name our top picks, we relied on pre-existing academic work through Consumer Reports, VPNalyzer and other sources. We referenced privacy policies, transparency reports and security audits made available to the public. We also considered past security incidents like data breaches.

We looked at price, usage limits, effects on internet speed, possible use cases, ease of use, general functionality and additional “extra” VPN features like multihop. The VPNs were tested across iOS, Android and Mac devices so we could see the state of the mobile apps across various platforms (Windows devices are also supported in most cases). We used the “quick connect” feature on the VPN apps to connect to the “fastest” provider available when testing internet speed, access to IP address data and DNS and WebRTC leaks or when a fault in the encrypted tunnel reveals requests to an ISP.

Otherwise, we conducted a test of geoblocking content by accessing Canada-exclusive Netflix releases, a streaming test by watching a news livestream on YouTube via a Hong Kong-based VPN and a gaming test by playing on servers in the United Kingdom. By performing these tests at the same time, it also allowed us to test claims about simultaneous device use. Here are the VPN services we tested:

• ExpressVPN

• NordVPN

• Surfshark

• Proton VPN

• TunnelBear

• Bitdefender VPN

• CyberGhost

• Windscribe

• Atlas VPN

Read more: The best password managers for 2023

Other VPN services our experts tested

NordVPN

NordVPN didn’t quite make the cut because it’s overhyped, and underwhelming. As I've written in our full review of NordVPN, the pricing, up to $14.49 for a “complete” subscription, seemed high compared to other services, and its free or lower cost plans just didn’t have the same wide variety of features as its competitors. 

TunnelBear

Despite the cute graphics and user friendliness, TunnelBear wasn’t a top choice. It failed numerous basic security tests from Consumer Reports, and had limited availability across platforms like Linux. It did, however, get a major security boost in July when it updated to support WireGuard protocol across more of its platforms.

Bitdefender VPN

Bitdefender doesn’t offer support for devices like routers, which limits its cross-platform accessibility. It also lacked a transparency report or third-party audit to confirm security specs.

Atlas VPN

Atlas ranked lower on our speed tests compared to the other VPNs tested, with a notably slower difference on web browsing and streaming tests. It was a good option otherwise, but could easily cause headaches for those chasing high speed connections. Security-wise, an Atlas VPN vulnerability leaked Linux users’ real IP addresses.

VPN FAQs

What are some things VPNs are used for?

VPNs are traditionally used to protect your internet traffic. If you’re connected to an untrusted network like public WiFi in a cafe, using a VPN hides what you do from the internet service provider. Then, the owner of the WiFi or hackers trying to get into the system can’t see the identity of your computer or your browsing history.

A common non-textbook use case for VPNs has been accessing geographically restricted content. VPNs can mask your location, so even if you’re based in the United States, they can make it appear as if you’re browsing abroad and unblock access. This is especially useful for streaming content that’s often limited to certain countries, like if you want to watch Canadian Netflix from the US.

What information does a VPN hide?

A VPN doesn’t hide all of your data. It only hides information like your IP address, location and browser history. A common misconception is that VPNs can make you totally invisible online. But keep in mind that the VPN provider often still has access to all of this information, so it doesn’t grant you total anonymity. You’re also still vulnerable to phishing attacks, hacking and other cyberthreats that you should be mindful of by implementing strong passwords and multi-factor authentication.

Are VPNs safe?

Generally, yes. VPNs are a safe and reliable way to encrypt and protect your internet data. But like most online services, the safety specifics vary from provider to provider. You can use resources like third-party audits, Consumer Reports reviews, transparency reports and privacy policies to understand the specifics of your chosen provider.

What about Google’s One VPN?

Google One subscriptions include access to the company’s VPN, which works similarly to other VPNs on our list, hiding your online activity from network operators. However, Google announced recently that it plans to shut down the One VPN because "people simply weren’t using it." There's no specific date for the shutdown, with Google simply saying it will discontinue the service sometime later in 2024. Pixel phone owners, however, will continue to have access to the free VPN available on their devices.

Recent updates

June 2024: Updated to include table of contents.

November 2023: This story was updated after publishing to remove mention of PPTP, a protocol that Consumer Reports' Yael Grauer notes "has serious security flaws."

This article originally appeared on Engadget at https://www.engadget.com/best-vpn-130004396.html?src=rss

Virtual private networks (VPNs) promise the potential to stream any content, from anywhere. They unlock content from abroad across nearly any streaming platform you use regularly, which can come in handy if you’re into some obscure BBC exclusive not available in the United States. But that’s actually just one small perk of VPN services. VPNs provide a private traffic tunnel to keep your internet service provider out of your business, and provide an extra layer of security to protect your browsing habits. We tested nine of today’s most popular VPNs to help you find the best option for your needs.

What is a VPN?

VPNs, or virtual private networks, mask your IP address and the identity of your computer or mobile device on the network and creating an encrypted "tunnel" that prevents your internet service provider (ISP) from accessing data about your browsing history. VPNs are not a one-size-fits-all security solution, though.

Instead, they’re just one part of keeping your data private and secure. Roya Ensafi, assistant professor of computer science and engineering at the University of Michigan, told Engadget that VPNs don’t protect against common threats like phishing attacks, nor do they protect your data from being stolen. Much of the data or information is stored with the VPN provider instead of your ISP, which means that using a poorly designed or unprotected network can still undermine your security. But they do come in handy for online privacy when you’re connecting to an untrusted network somewhere public because they tunnel and encrypt your traffic to the next hop.

That means sweeping claims that seem promising, like military-grade encryption or total digital invisibility, may not be totally accurate. Instead, Yael Grauer, program manager of Consumer Reports’ online security guide, recommends looking for security features like open-source software with reproducible builds, up-to-date support for industry-standard protocols like WireGuard (CR's preferred protocol) or IPsec, and the ability to defend against attack vectors like brute force.

Understanding VPNs and your needs

Before considering a VPN, make sure your online security is up to date in other ways. That means complex passwords, multi-factor authentication methods and locking down your data sharing preferences. Even then, you probably don’t need to be using a VPN all the time.

“If you're just worried about somebody sitting there passively and looking at your data then a VPN is great,” Jed Crandall, an associate professor at Arizona State University, told Engadget.

That brings us to some of the most common uses cases for VPNs. If you use public WiFi networks a lot, like while working at a coffee shop, then VPN usage can help give you private internet access. They’re also helpful for hiding information from other people on your ISP if you don’t want members of your household to know what you’re up to online.

Geoblocking has also become a popular use case as it helps you reach services in other parts of the world. For example, you can access shows that are only available on streaming services, like Netflix, Hulu or Amazon Prime, in other countries, or play online games with people located all over the globe.

There are also a few common VPN features that you should consider before deciding if you want to use one, and which is best for you:

What is split tunneling?

Split tunneling allows you to route some traffic through your VPN, while other traffic has direct access to the internet. This can come in handy when you want to protect certain activity online without losing access to local network devices, or services that work best with location sharing enabled.

What is a double VPN?

A double VPN, otherwise known as multi-hop VPN or a VPN chain, passes your online activity through two different VPN servers one right after the other. For VPN services that support this, users are typically able to choose which two servers they want their traffic to pass through. As you might expect, this provides an extra layer of security.

Are VPNs worth it?

Whether or not VPNs are worth it depends how often you could use it for the above use cases. If you travel a lot and rely on public WiFi or hotspots, are looking to browse outside of your home country or want to keep your traffic hidden from your ISP, then investing in a VPN will be useful. But, keep in mind that even the best VPN services often slow down your internet connection speed, so they may not be ideal all the time.

In today's world, we recommend not relying on a VPN connection as your main cybersecurity tool. VPN use can provide a false sense of security, leaving you vulnerable to attack. Plus, if you choose just any VPN, it may not be as secure as just relying on your ISP. That’s because the VPN could be based in a country with weaker data privacy regulation, obligated to hand information over to law enforcement or linked to weak user data protection policies.

For VPN users working in professions like activism or journalism that want to really strengthen their internet security, options like the Tor browser may be a worthwhile alternative, according to Crandall. Tor is free, and while it's less user-friendly, it’s built for anonymity and privacy.

How we tested

To test the security specs of different VPNs and name our top picks, we relied on pre-existing academic work through Consumer Reports, VPNalyzer and other sources. We referenced privacy policies, transparency reports and security audits made available to the public. We also considered past security incidents like data breaches.

We looked at price, usage limits, effects on internet speed, possible use cases, ease of use, general functionality and additional “extra” VPN features like multihop. The VPNs were tested across iOS, Android and Mac devices so we could see the state of the mobile apps across various platforms (Windows devices are also supported in most cases). We used the “quick connect” feature on the VPN apps to connect to the “fastest” provider available when testing internet speed, access to IP address data and DNS and WebRTC leaks or when a fault in the encrypted tunnel reveals requests to an ISP.

Otherwise, we conducted a test of geoblocking content by accessing Canada-exclusive Netflix releases, a streaming test by watching a news livestream on YouTube via a Hong Kong-based VPN and a gaming test by playing on servers in the United Kingdom. By performing these tests at the same time, it also allowed us to test claims about simultaneous device use. Here are the VPN services we tested:

• ExpressVPN

• NordVPN

• Surfshark

• Proton VPN

• TunnelBear

• Bitdefender VPN

• CyberGhost

• Windscribe

• Atlas VPN

Read more: The best password managers for 2023

Best VPNs of 2024

Other VPN services our experts tested

NordVPN

NordVPN didn’t quite make the cut because it’s overhyped, and underwhelming. As I've written in our full review of NordVPN, the pricing, up to $14.49 for a “complete” subscription, seemed high compared to other services, and its free or lower cost plans just didn’t have the same wide variety of features as its competitors. 

TunnelBear

Despite the cute graphics and user friendliness, TunnelBear wasn’t a top choice. It failed numerous basic security tests from Consumer Reports, and had limited availability across platforms like Linux. It did, however, get a major security boost in July when it updated to support WireGuard protocol across more of its platforms.

Bitdefender VPN

Bitdefender doesn’t offer support for devices like routers, which limits its cross-platform accessibility. It also lacked a transparency report or third-party audit to confirm security specs.

Atlas VPN

Atlas ranked lower on our speed tests compared to the other VPNs tested, with a notably slower difference on web browsing and streaming tests. It was a good option otherwise, but could easily cause headaches for those chasing high speed connections. Security-wise, an Atlas VPN vulnerability leaked Linux users’ real IP addresses.

VPN FAQs

What are some things VPNs are used for?

VPNs are traditionally used to protect your internet traffic. If you’re connected to an untrusted network like public WiFi in a cafe, using a VPN hides what you do from the internet service provider. Then, the owner of the WiFi or hackers trying to get into the system can’t see the identity of your computer or your browsing history.

A common non-textbook use case for VPNs has been accessing geographically restricted content. VPNs can mask your location, so even if you’re based in the United States, they can make it appear as if you’re browsing abroad and unblock access. This is especially useful for streaming content that’s often limited to certain countries, like if you want to watch Canadian Netflix from the US.

What information does a VPN hide?

A VPN doesn’t hide all of your data. It only hides information like your IP address, location and browser history. A common misconception is that VPNs can make you totally invisible online. But keep in mind that the VPN provider often still has access to all of this information, so it doesn’t grant you total anonymity. You’re also still vulnerable to phishing attacks, hacking and other cyberthreats that you should be mindful of by implementing strong passwords and multi-factor authentication.

Are VPNs safe?

Generally, yes. VPNs are a safe and reliable way to encrypt and protect your internet data. But like most online services, the safety specifics vary from provider to provider. You can use resources like third-party audits, Consumer Reports reviews, transparency reports and privacy policies to understand the specifics of your chosen provider.

What about Google’s One VPN?

Google One subscriptions include access to the company’s VPN, which works similarly to other VPNs on our list, hiding your online activity from network operators. However, Google announced recently that it plans to shut down the One VPN because "people simply weren’t using it." There's no specific date for the shutdown, with Google simply saying it will discontinue the service sometime later in 2024. Pixel phone owners, however, will continue to have access to the free VPN available on their devices.

Update November 10, 2023: This story was updated after publishing to remove mention of PPTP, a protocol that Consumer Reports' Yael Grauer notes "has serious security flaws."

This article originally appeared on Engadget at https://www.engadget.com/best-vpn-130004396.html?src=rss

AI Chatbots are relatively old by tech standards, but the newest crop — led by OpenAI's ChatGPT and Google's Bard — are vastly more capable than their ancestors, not always for positive reasons. The recent explosion in AI development has already created concerns around misinformation, disinformation, plagiarism and machine-generated malware. What problems might generative AI pose for the privacy of the average internet user? The answer, according to experts, is largely a matter of how these bots are trained and how much we plan to interact with them

In order to replicate human-like interactions, AI chatbots are trained on mass amounts of data, a significant portion of which is derived from repositories like Common Crawl. As the name suggests, Common Crawl has amassed years and petabytes worth of data simply from crawling and scraping the open web. “These models are training on large data sets of publicly available data on the internet,” Megha Srivastava, PhD student at Stanford's computer science department and former AI resident with Microsoft Research, said. Even though ChatGPT and Bard use what they call a "filtered" portion of Common Crawl's data, the sheer size of the model makes it "impossible for anyone to kind of look through the data and sanitize it,” according to Srivastava.

Either through your own carelessness or the poor security practices by a third-party could be in some far-flung corner of the internet right now. Even though it might be difficult to access for the average user, it's possible that information was scraped into a training set, and could be regurgitated by that chatbot down the line. And a bot spitting out someone's actual contact information is in no way a theoretical concern. Bloomberg columnist Dave Lee posted on Twitter that, when someone asked ChatGPT to chat on encrypted messaging platform Signal, it provided his exact phone number. This sort of interaction is likely an edge case, but the information these learning models have access to is still worth considering. "It’s unlikely that OpenAI would want to collect specific information like healthcare data and attribute it to individuals in order to train its models," David Hoelzer, a fellow at security organization the SANS Institute, told Engadget. “But could it inadvertently be in there? Absolutely.”

Open AI, the company behind ChatGPT, did not respond when we asked what measures it takes to protect data privacy, or how it handles personally identifiable information that may be scraped into its training sets. So we did the next best thing and asked ChatGPT itself. It told us that it is "programmed to follow ethical and legal standards that protect users’ privacy and personal information" and that it doesn't "have access to personal information unless it is provided to me." Google for its part told Engadget it programmed similar guardrails into Bard to prevent the sharing of personally identifiable information during conversations.

Helpfully, ChatGPT brought up the second major vector by which generative AI might pose a privacy risk: usage of the software itself — either via information shared directly in chatlogs or device and user information captured by the service during use. OpenAI’s privacy policy cites several categories of standard information it collects on users, which could be identifiable, and upon starting it up, ChatGPT does caution that conversations may be reviewed by its AI trainers to improve systems. 

Google's Bard, meanwhile, does not have a standalone privacy policy, instead uses the blanket privacy document shared by other Google products (and which happens to be tremendously broad.) Conversations with Bard don't have to be saved to the user's Google account, and users can delete the conversations via Google, the company told Engadget. “In order to build and sustain user trust, they're going to have to be very transparent around privacy policies and data protection procedures at the front end,” Rishi Jaitly, professor and distinguished humanities fellow at Virginia Tech, told Engadget.

Despite having a "clear conversations" action, pressing that does not actually delete your data, according to the service’s FAQ page, nor is OpenAI is able to delete specific prompts. While the company discourages users from sharing anything sensitive, seemingly the only way to remove personally identifying information provided to ChatGPT is to delete your account, which the company says will permanently remove all associated data.

Hoelzer told Engadget he’s not worried that ChatGPT is ingesting individual conversations in order to learn. But that conversation data is being stored somewhere, and so its security becomes a reasonable concern. Incidentally, ChatGPT was taken offline briefly in March because a programming error revealed information about users’ chat histories. It's unclear this early in their broad deployment if chat logs from these sorts of AI will become valuable targets for malicious actors.

For the foreseeable future, it's best to treat these sorts of chatbots with the same suspicion users should be treating any other tech product. “A user playing with these models should enter with expectation that any interaction they're having with the model," Srivastava told Engadget, "it's fair game for Open AI or any of these other companies to use for their benefit.”

This article originally appeared on Engadget at https://www.engadget.com/what-do-ai-chatbots-know-about-us-and-who-are-they-sharing-it-with-140013949.html?src=rss

AI Chatbots are relatively old by tech standards, but the newest crop — led by OpenAI's ChatGPT and Google's Bard — are vastly more capable than their ancestors, not always for positive reasons. The recent explosion in AI development has already created concerns around misinformation, disinformation, plagiarism and machine-generated malware. What problems might generative AI pose for the privacy of the average internet user? The answer, according to experts, is largely a matter of how these bots are trained and how much we plan to interact with them

In order to replicate human-like interactions, AI chatbots are trained on mass amounts of data, a significant portion of which is derived from repositories like Common Crawl. As the name suggests, Common Crawl has amassed years and petabytes worth of data simply from crawling and scraping the open web. “These models are training on large data sets of publicly available data on the internet,” Megha Srivastava, PhD student at Stanford's computer science department and former AI resident with Microsoft Research, said. Even though ChatGPT and Bard use what they call a "filtered" portion of Common Crawl's data, the sheer size of the model makes it "impossible for anyone to kind of look through the data and sanitize it,” according to Srivastava.

Either through your own carelessness or the poor security practices by a third-party could be in some far-flung corner of the internet right now. Even though it might be difficult to access for the average user, it's possible that information was scraped into a training set, and could be regurgitated by that chatbot down the line. And a bot spitting out someone's actual contact information is in no way a theoretical concern. Bloomberg columnist Dave Lee posted on Twitter that, when someone asked ChatGPT to chat on encrypted messaging platform Signal, it provided his exact phone number. This sort of interaction is likely an edge case, but the information these learning models have access to is still worth considering. "It’s unlikely that OpenAI would want to collect specific information like healthcare data and attribute it to individuals in order to train its models," David Hoelzer, a fellow at security organization the SANS Institute, told Engadget. “But could it inadvertently be in there? Absolutely.”

Open AI, the company behind ChatGPT, did not respond when we asked what measures it takes to protect data privacy, or how it handles personally identifiable information that may be scraped into its training sets. So we did the next best thing and asked ChatGPT itself. It told us that it is "programmed to follow ethical and legal standards that protect users’ privacy and personal information" and that it doesn't "have access to personal information unless it is provided to me." Google for its part told Engadget it programmed similar guardrails into Bard to prevent the sharing of personally identifiable information during conversations.

Helpfully, ChatGPT brought up the second major vector by which generative AI might pose a privacy risk: usage of the software itself — either via information shared directly in chatlogs or device and user information captured by the service during use. OpenAI’s privacy policy cites several categories of standard information it collects on users, which could be identifiable, and upon starting it up, ChatGPT does caution that conversations may be reviewed by its AI trainers to improve systems. 

Google's Bard, meanwhile, does not have a standalone privacy policy, instead uses the blanket privacy document shared by other Google products (and which happens to be tremendously broad.) Conversations with Bard don't have to be saved to the user's Google account, and users can delete the conversations via Google, the company told Engadget. “In order to build and sustain user trust, they're going to have to be very transparent around privacy policies and data protection procedures at the front end,” Rishi Jaitly, professor and distinguished humanities fellow at Virginia Tech, told Engadget.

Despite having a "clear conversations" action, pressing that does not actually delete your data, according to the service’s FAQ page, nor is OpenAI is able to delete specific prompts. While the company discourages users from sharing anything sensitive, seemingly the only way to remove personally identifying information provided to ChatGPT is to delete your account, which the company says will permanently remove all associated data.

Hoelzer told Engadget he’s not worried that ChatGPT is ingesting individual conversations in order to learn. But that conversation data is being stored somewhere, and so its security becomes a reasonable concern. Incidentally, ChatGPT was taken offline briefly in March because a programming error revealed information about users’ chat histories. It's unclear this early in their broad deployment if chat logs from these sorts of AI will become valuable targets for malicious actors.

For the foreseeable future, it's best to treat these sorts of chatbots with the same suspicion users should be treating any other tech product. “A user playing with these models should enter with expectation that any interaction they're having with the model," Srivastava told Engadget, "it's fair game for Open AI or any of these other companies to use for their benefit.”

This article originally appeared on Engadget at https://www.engadget.com/what-do-ai-chatbots-know-about-us-and-who-are-they-sharing-it-with-140013949.html?src=rss