Is your VPN lying to you?

You've kicked the tires, but now you need to look under the hood.

It's no secret that there are oodles of shady VPN services that promise to protect your privacy as you surf the internet, but may, in fact, actually be worthless. After all, internet privacy is one part moving target and two parts shell game with your money and trust, so no one's surprised that the post-Snowden privacy panic turned into a gold rush for the unscrupulous.

One method VPN providers use to bilk trusting customers is to do shady things with customer records. We've also seen them misconfigure critical security settings, de-anonymize customers and only take action when caught.

Now there's a new problem: VPNs that say you're connecting to a server in one country while actually routing your traffic through another. RestorePrivacy recently took a close look at what some VPNs are saying when they give you a server in another country, versus what they're actually doing when they connect users. And the two aren't matching up.

Many popular VPN services let users pick which country (or city) their traffic routes through, showing the destination that you're coming from as, say, London when you're actually in Paris. This can be practical when you're a Brit traveling abroad and just want to watch your BBC shows or want to keep your IP address consistent so social-media sites like Facebook don't freak out when you log in while on the go.

In addition to these issues, RestorePrivacy pointed out that VPN performance suffers when the actual server is significantly farther away than you expect it to be. In its post, it pointed out an additional issue -- that customers "aren't getting the true server locations they paid for" and that "using fake server locations raises questions about the VPN's honesty."

woman holding phone with app vpn creation Internet protocols for protection private network

It can be disastrous for people's safety if a server that's supposed to be in Saudi Arabia is actually in Los Angeles -- which is a real example of bait-and-switch claims RestorePrivacy found in its VPN-server-claim research.

RestorePrivacy looked at VPN services ExpressVPN, Hidemyass and PureVPN.

These are popular services used by tens of millions of people. ExpressVPN was listed by TechRadar as one of the best VPN services of 2017 and is endorsed by Hidemyass got a big positive profile in The Guardian, serves tens of millions of users and was recommended in 2016 by PCWorld as a "tested" service that protects your privacy. PureVPN was listed in Extreme Tech's recent "five best VPNs" list, and the service is endorsed by BoingBoing, which hails it as "the world's fastest VPN."

Each of the services was found to be saying one thing to customers about server locations, while in practice actually doing something totally different.

With ExpressVPN, it found 11 fake server locations; it identified five fake server locations with PureVPN but said "there are many more." Regarding the Hidemyass claim of "physical servers in 190+ countries," RestorePrivacy's post countered by saying if users believe that, "I have a bridge to sell you."

In addition, "Upon closer examination of Hidemyass's network, you find some very strange locations, such as North Korea, Zimbabwe, and even Somalia." It wrote:

Hidemyass refers to these fictitious server locations as "virtual locations" on their website. Unfortunately, they do not have a server page available to the public, so I could not test any of the locations. The Hidemyass chat representative I spoke with confirmed they use fake "virtual" locations, but could not tell me which locations were fake and which were real.

A week after RestorePrivacy's post called them on it, ExpressVPN "admitted to numerous fake locations on its website (mirror) -- 29 fictitious locations in total," it wrote. "Just like PureVPN and Hidemyass, ExpressVPN refers to these as "virtual" server locations." ExpressVPN was telling customers they could use servers in Pakistan, Sri Lanka, Philippines, Indonesia and more, when RestorePrivacy found that customers were actually being routed through one server located in Singapore.

RestorePrivacy said it believes the reasons for improper server location identification are financial. "First, it saves lots of money." It explained: "Using one server to fake numerous server locations will significantly reduce costs. (Dedicated premium servers are quite expensive.)" A service can also sell more VPN subscriptions if it looks like there's a huge variety of countries to choose from.

ExpressVPN told Engadget in a statement:

With the vast majority of ExpressVPN locations, the physical server and the registered IP address are located in the same country. This describes 97% of ExpressVPN's servers, as we have invested in a significant physical footprint covering every continent save Antarctica.

For less than 3% of ExpressVPN's servers, the registered IP address matches the country you've chosen to connect to, while the server is physically located in another country, usually nearby. These are called virtual server locations, and they help ensure your connection is fast, secure, and reliable.

The post goes into deep details about each service's claims, what RestorePrivacy found, and how it did its research. For every VPN server examined, three different network-testing tools were used "to verify the true location beyond any reasonable doubt." Those included the CA App Synthetic Monitor ping test (tests from 90 different worldwide locations), the CA App Synthetic Monitor trace-route, and, a test from 24 locations around the world. All of the test results are published in an appendix to the blog post.

The research recommended users toward "smaller VPN services that have fewer locations, but prioritize the quality of their server network, such as Perfect Privacy and" As you may remember, Perfect Privacy was the service that found and reported the massive privacy hole in several popular VPN services that de-anonymized users, called "Port Fail."

With the tools and info in RestorePrivacy's article and a little technical know-how, you can exhaustively test your VPN service to see if it's telling the truth about server location (or not). Sometimes you can just tell something's wrong when your Google results are in the wrong language -- showing that Google is seeing you come from a location you didn't expect.

Maybe you don't care where your VPN's server really is, just as long as it's a secure service and your privacy is maintained. But for some people, honesty and accuracy about location is critical to the functions of their VPN service in the first place.

In the wider context, RestorePrivacy's post and this article resets the growing distrust in people's minds about security, privacy and VPNs. It's unfortunate because we really need most people to start using VPNs if we're going to elevate everyone's security and privacy (and it doesn't help with behavior-influencing, large companies like Netflix blocking VPNs across the board).

I just hope that calling out fake server locations -- whether the labeling is just incorrect or opportunistic -- changes the conversation among VPN providers to on that focuses more on accountability than profits.

Requests for comment to Hidemyass and PureVPN did not receive a response at publication time. We will update this article in the event of a response.

Image: Prykhodov via Getty Images (VPN)