Mullvad, IVPN, and Mozilla VPN Top Consumer Reports’ VPN Testing
We evaluated 16 services for privacy and security, and these were the best VPNs overall
Many people looking for stronger data protection and privacy turn to commercial VPNs, or virtual private networks. A VPN is a service that directs your data through an encrypted tunnel. That means your internet service provider (ISP) such as Comcast or Verizon sees that you are using a VPN, but it doesn’t know anything else about what websites you’re visiting. If you use a VPN, everything you see and do online—watching videos, sending email, browsing through news sites—goes through the VPN’s servers or servers they pay to use.
Security experts have mixed opinions on who can benefit from using a commercial VPN. These services can be useful, especially if you want more privacy from your internet service provider.
On the other hand, using a VPN requires some level of trust, because that company now gets all the information you are hiding from your ISP. Either kind of company is in a position to make money by sharing your information with data brokers, and you’re counting on them to keep it secure from attackers. The bottom line: You shouldn’t use a VPN unless you trust it more than you trust your ISP.
What We Like About the Top VPNs
We didn’t evaluate how easy the VPNs are to set up or to use, or look at factors such as pricing that consumers might also consider when choosing which product to use. Our evaluations looked just at what we consider the most important question to ask about any VPN: How well does it protect its users’ security and privacy?
As a result, the findings presented below include some pretty technical details. But we think it’s worth understanding the technology behind services that have this much access to your browsing history and data. Here are more details on why Mullvad, IVPN, and Mozilla VPN are the three VPNs that we’d feel most comfortable using ourselves or suggesting to a friend.
Open Source Code
All three of these VPNs have open-source code, at least on the client side—the software that runs on your own devices, rather than on the company’s servers. This means that the code is posted on a public repository, where independent security researchers can evaluate it for security flaws.
All three of these services also have reproducible builds. Basically, that means the company has taken steps to ensure that a researcher with access to the source code can recreate the actual working piece of software. Once we had reproduced the builds ourselves, we were able to confirm that the code used in the product available for download is identical to the source code—essentially telling us that the software is what it claims to be. (Yes, that should be true for any kind of software you get from any company. No, unfortunately, it’s not always the case.)
Additionally, Mullvad signs its updates so that the client can authenticate them, and IVPN publishes a checksum, another technique that can confirm that no errors have crept into the software you download.
All three VPNs support WireGuard, a highly regarded VPN protocol introduced in recent years. WireGuard has been lauded for its high-level security and its defense-in-depth techniques, a series of layered mechanisms that protect data. It’s also fast and stealthy, meaning that it transmits data only when necessary. IVPN and Mullvad additionally support OpenVPN, a popular VPN protocol.
Mozilla and Mullvad both have kill switches, and IVPN allows you to enable a kill switch in the form of an always-on firewall option. Kill switches protect user traffic by automatically disconnecting a user’s device if the VPN connection fails. That can happen from time to time, just the way your internet connection might occasionally be glitchy. If you don’t have a kill switch and the VPN falters, your data will just get routed directly by your ISP without you realizing it. If you are counting on the service to hide your IP address (one of the things VPNs do well) or you’re really counting on it for other security protections, a kill switch is important. Mullvad’s and Mozilla VPN’s kill switches are always on—you can’t disable them.
Third-Party Security Audits
All three of these VPNs subject themselves to security audits by independent companies that evaluate their core technology. Such third-party audits aren’t infallible—they can always miss something, they’re limited in time and scope, and a VPN company’s technology and security practices might change after an audit is completed. But third-party security audits are a sign of trustworthiness, especially if the reports are easily accessible to the public and outside security experts. And, of course, VPNs that receive regular audits can fix security issues that auditors identify.
IVPN has established a record of conducting publicly accessible audits every year. Mozilla VPN just launched in 2020 and has already posted a third-party security audit. (Mozilla Foundation also publishes security advisories for all of its products.) And Mullvad has had multiple audits over the years, its most recent one focusing on the company’s servers and infrastructure.
Vulnerability Disclosure Programs
IVPN and Mozilla VPN have a vulnerability disclosure program for security researchers to report their findings, and Mullvad has a dedicated email address for them to do so.
Security researchers routinely face legal risks and receive legal threats when they find and reveal flaws in companies’ software. This has a chilling effect, making people less likely to report security issues that put consumers at risk. Mozilla is one of a handful of VPNs we examined that explicitly states in its documentation that it will not pursue legal action against security researchers.
Limited Data Sharing
IVPN and Mullvad stand out for making strong commitments to keep their users’ data private, and backing them up through novel approaches.
IVPN states that no third parties have any access to user data and that all first- and third-party software is hosted on the company’s own servers. This reduces the potential risk from unscrupulous business partners. As an example, IVPN uses the open-source web analytics platform Matomo to analyze information about website visitors. Matomo is an open-source alternative to tools available from Big Tech companies such as Google and Adobe. It does not use data to monetize an advertising platform, and it allows companies like IVPN to store the data collected on their own infrastructure, rather than having Matomo store the data.
IVPN also clearly outlines what information it shares with various payment processors, and what information will be associated with your account for each payment option.
Mullvad stands out for stating in its documentation that it does not collect user data, deletes or destroys outdated or unnecessary information, and sets itself reasonable deadlines for doing so. Its approach to preventing unauthorized access to data is a novel one—the company doesn’t keep any unnecessary data at all, and the user ID is not linked with any user information. Even the cookies Mullvad uses to keep consumers logged into the service, remember their language preference, and prevent malicious exploits self-destruct as soon as you close your browser. (Only cookies for one of Mullvad’s payment processors, Stripe, remain.)
Accurate Marketing Messages
A number of VPNs we analyzed paint themselves as privacy and security panaceas, with marketing materials that make overly broad or unrealistic statements about their benefits. Mullvad, IVPN, and Mozilla stand out for accurately presenting their services, refraining from over-promising, and educating users about the limitations of VPNs.
Mullvad does an excellent job here, describing a VPN as “a good first step” toward protecting privacy, and pointing out that it’s “not the ultimate solution.” The site also provides information on what other steps people should take to increase their personal online security.
IVPN’s web copy is notably frank with users about what VPNs can and can’t do—and even throws some shade on more hyperbolic VPN services. For instance, the company says “we don’t promise anonymity or ‘military-grade encryption’”—two claims that are easy to find if you sift through some VPN websites. (There’s no one version of encryption used by the military, and by itself, a VPN doesn’t do much to keep your identity hidden.)
Here’s some more IVPN language we like for its clarity: “What you do online can be tracked by organizations you may not know or trust and become part of a permanent record. A VPN can’t solve this on its own, but can prevent your ISP from being able to share or sell your data.” IVPN even has an ethical guidelines page on its website, with information on its marketing practices and commitments.
Mozilla VPN also does a great job of educating users about both the benefits and limitations of its service. It says, for instance, that a VPN can’t “prevent you from things like clicking on suspicious links, downloading malware, or being victimized by email fraud. You still need to practice good habits to stay safe online.” Mozilla also posts its own easy-to-read Data Privacy Principles.