There's a massive problem in the privacy world. Websites, social media accounts, and other platforms are constantly popping up out of nowhere, telling you to buy The Greatest Service Ever in order to solve all your privacy woes, whatever that may be. These websites often employ marketing teams to make sure their "reviews" are what you see first when you begin your research. Some of them are even operated by VPN providers themselves, operating under anonymous business entities to hide their bias, or doing it right out in the open, hoping you'll mistake their advertising-filled press releases and blogs as insider knowledge of the VPN space.

When a seemingly "unbiased review" on a site is merely a paid advertisement in disguise, that website is breaking their reader's trust. From a consumer's point of view, affiliate marketing and other paid promotional techniques like this make it near impossible to know when a review is genuine or not.

This isn't going to be a lengthy blog post on advertising being bad, far from it. In fact, many of the VPN providers we recommend engage in responsible advertising across various platforms. The key is transparency: Their advertisements should look like advertisements, and nothing else.

The Bad

I'm really looking to take the time here and identify "the bad" sites and resources that use these techniques to profit off a community just looking for reliable answers. Lots of sites like these will claim they're acting in your best interest, but they're just here to make money.

One common thing I'll see on these sites is a ranked list of providers that are ostensibly the best ones to choose from. These sites have supposedly done all the work for you, so you can just click and go, assured you're making the right choices.

So here's my issue with ranking VPN providers: Let's face it, VPN providers are all offering the same service, and they will either protect your information or they won't. Ranking providers like this only serves as an easy way to guide users to a certain choice (in this case, the choice that will make the reviewers the most money).

Let's look at one of these "review" sites for example, which will go unnamed for the purposes of this article. On their homepage they prominently list 10 providers as the "best" VPN services, in this order:

NordVPN Surfshark ExpressVPN PerfectPrivacy IPVanish Mullvad CyberGhost Trust.Zone ibVPN Private Internet Access

To their credit, this review site also helpfully included an advertising disclosure in their footer. On this fairly well hidden away page, they note that they participate in affiliate programs from 8 providers, as follows:

NordVPN

SurfShark

ExpressVPN

Perfect-Privacy

IPVanish

CyberGhost

Trust.Zone

Private Internet Access

Hmm. Look familiar? Of the 73 providers this site had reviewed at the time of writing this article, all eight of the VPN providers paying this review site happened to make their top 10 recommendations. In fact, you'd have to scroll down to #6 before you found a provider that wouldn't pay them, practically buried.

Furthermore, their list includes NordVPN, a company notable for not disclosing security breaches in a timely fashion, and ExpressVPN, a provider notable for once using weak 1024-bit encryption keys to protect their users. By any objective standard, these providers do not deserve to be included in a top 10 recommendations list for securing anybody's information. This review site in particular claims to have set criteria for their recommendations, but this just demonstrates that any criteria can be adjusted to fit any goal you may have.

If these sites truly wanted to be helpful, they would consolidate all the relevant information and present it to their users without making the choice for them. A provider is going to be better or worse for every user depending on their particular situation, and encouraging making an informed choice between options presented equally is far more beneficial to putting one over the other in a largely arbitrary fashion.

But that isn't to say they should just throw all the providers in a big table and call it a day. Almost worse than the ranking scheme above is when sites provide out of context lists of providers, often just with pricing and a link. Sometimes they will link you to a full review (more on that in a bit), but for the most part these sites just expect you to follow their recommendations blindly.

Affiliate links and discounts galore! This is a different site than before, but look at the familiar faces we're seeing...

These read like advertisements, because they usually are. Once again we see the usual suspects — NordVPN, ExpressVPN... — paraded as the gold standard in the VPN space, not out of any inherent value, but based on the value of their affiliate programs. To further this point, let's take a look at how much each of the five providers above will pay you for a referral (on a one month plan).

ExpressVPN: $13 for first month NordVPN: $11.95 for first month VPNArea: $4.95 for first month VPN.ac: $2.90 for first month

Unfortunately, Perfect Privacy would not share their commission rates publicly, but if anyone has any information on that I'd be happy to receive it. What I will say is that based on the information above, I would not be surprised if it fell right between ExpressVPN and NordVPN's rates. Their one month plan costs $12.99, so assuming a 100% match on the first month (the standard from NordVPN and ExpressVPN) that would add up quite nicely.

Once again, we see a lineup of providers ordered in a way that appears to conveniently pay the most to the website owner. And therein lies the issue with affiliate programs. Once you begin receiving financial compensation on a per-signup basis, you are now motivated to push the most users to the sites that pay more on a monthly basis, rather than the sites that will actually help the user.

Occasionally, these recommendations are coupled with a "review" that is supposedly independent and unbiased, but in reality are simply more marketing tools to persuade you towards their opinions. In most cases, these reviewers will simply copy the VPN provider's own press releases and even media, presenting their advertising as fact to their readers. These reviews are always hidden away as well, with main navigation links directing users towards the more affiliate-link-laden lists and tables that they'd much rather you browse. The true value of these review articles is the Search Engine Optimization (SEO) advantage they bring in the rankings on Google, and not much more. More traffic = More clicks, at the expense of good, independent content and integrity.

The Good

This isn't to say all tables or lists are bad, it's how they're presented rather that makes or breaks a site. ThatOnePrivacySite.net for example sets what is perhaps the gold standard of VPN comparisons:

VPN providers listed as equals with their benefits and flaws covered? What?

Here's the difference. They include virtually every provider — the good and the bad — and present them at equal value to sort through. Instead of providing their readers with answers, they provide them with information that can be used to deduce their own recommendations, based on their values as an individual.

But some users just want the answers, and that's fine too. I think there is still definitely a way to provide recommendations without introducing financials or bias into the equation. At PrivacyTools, we've developed a set list of criteria, and we make that abundantly clear when you read our list of recommended VPN providers.

Our currently recommended VPN provider Mullvad meets and exceeds our transparent expectations, and does not pay reviewers to tip the scales in their favor.

We also refrain from using affiliate links. As we've discussed, they are fundamentally flawed ways to market a service, and using them would break the trust our community has in our recommendations.

We do have a newly-introduced sponsorship program, but all of our finances are handled in an incredibly transparent fashion. As a non-profit organization, the funding we receive cannot be used for private profit, and our community can see both where we receive money from and how it is being spent thanks to Open Collective. Additionally, the recommendations on www.privacytools.io are handled by an entirely separate team of editors and contributors than the administrative team such as myself that handles the sponsorships and finances. The editors have sole control over our recommendations and operate entirely independently and on a volunteer-basis to ensure the choices we make are for the benefit of the privacy community over one individual.

Ultimately, as a matter of policy our sponsors have no say over our recommendations, or whether they are recommended or a competitor is removed. We have given our community vast access to our website and internal workings to keep us in check and ensure we're staying true to our word. This separation of management and editors is a strategy that has served the media industry well for decades, and makes all of our team and organization a more credible and trustworthy source of information.

In Summary

We have a lot of points we want to get across. The current landscape of privacy reviewers and "experts" weighing in on topics regarding the very companies that pay for their reviews is morally reprehensible, and just another way for big tech companies to collect all of our data more easily.

Review sites should make it abundantly clear when their reviews are paid for by the VPN companies in any fashion, whether that be via affiliate programs or good old-fashioned sponsorships. This can't be via a hidden-away disclosure in the footer or not published at all, but clear and close in proximity to the claims published on their site. Customers are not expecting or seeking out these disclosures when they visit review sites, and can't be expected to immediately discern whether you're speaking from a place of unbiased fact, or from a place with the greatest financial incentive. Better yet, they should reconsider their entire business model. We built PrivacyTools from the ground up in 2015 based solely on a community donation model that still keeps us sustained. It's the more difficult way to build a site to be sure, actually working to gain the trust of a huge community, but the difference in quality and integrity is remarkable.

VPN providers should consider spending less money on paid reviews, and more money on securing and validating their infrastructure. Regular security audits are one fantastic way for companies to demonstrate their dedication to keeping their users secure. We strongly believe VPN services should consider the PrivacyTools VPN Criteria, especially in regard to the ownership of their organization. Your VPN provider should not be hiding away in Panama controlled by anonymous leadership. While you as a user deserve privacy, transparency should be required of providers if you are expected to trust them. I would not give my money to some anonymous overseas investor, why would I give all of my internet traffic to some anonymous overseas administrator?

Finally, when you're choosing a VPN provider, do your own research. Understand what a VPN actually does for you. Understand what it is a security audit proves, find out who owns and operates the VPN service you want to use, and make sure their policies and technologies reflect your values. Again, we'll recommend ThatOnePrivacySite and PrivacyTools as great resources to get you started, but ultimately gathering the information yourself and making an informed decision is the only way to make sure your privacy is being respected.

Update 11/21: I've clarified this article to make it clear that I cannot objectively prove how much a "review site" is profiting off any particular provider, without having access to their private financial statements. The findings in this article were based on public information from affiliate programs and opinions were drawn accordingly.