Co-authored by: Roya Ensafi and Yael Grauer
In March 2021, Digital Lab fellow Roya Ensafi, PhD, assistant professor of computer science and engineering at the University of Michigan, and her team launched a user survey aimed at understanding VPN users. Because this survey was promoted to Consumer Reports readers and attendees of a CR-hosted digital hygiene webinar on VPNs, we wanted to summarize the results here.
A lot has been written about consumer VPNs at Consumer Reports and elsewhere, and a limited amount of research has delved into factors contributing to retention of VPN use, attitudes of U.S.-based users toward VPNs, and the widespread misconceptions of how they work. But this survey was the first attempt to understand not only the motivations, needs, and considerations of VPN users but also the perspective of VPN providers.
1,252 U.S.-based VPN users filled out an extensive survey about their motivation, needs, the threats they face, and which threats they think VPNs could mitigate. Additionally, the VPNalyzer team conducted in-depth interviews with nine VPN providers to discuss their key challenges and insights. By focusing on both VPN users and providers at the same time, the VPNalyzer team could highlight cases where the user and provider perspectives are misaligned, where FTC and proper policy/regulation intervention is the only hope to protect the user.
The VPN ecosystem has expanded into a multi-billion dollar industry, but why they’ve been adopted so widely is still unclear. By using a VPN, U.S.-based consumers essentially transfer trust from their network provider, which has oversight by the FTC, onto a VP provider maintained by unknown entities.
The purpose of the survey was to find out whether the popularity of VPNs, which have found their way into regular internet users’ toolboxes, are grounded in an understanding of risks, and what benefits they believe they’ll gain.
The VPNalyzer team wanted to know how U.S.-based users find VPNs, why they want to use them, what factors they consider when choosing a provider, how safe they feel browsing with and without a VPN, who they want to secure or conceal their online activity from, and whether they have an accurate understanding of how VPNs work and what data they collect. They were also interested in how they perceive the VPN ecosystem. And we were curious about the misalignment in priorities and incentives between VPN users and VPN providers.
While providers often tout the number and location of their servers, the survey found that VPN users were looking at speed, price, and an easy-to-use graphic interface. Many VPNs heavily market around pricing and discounts, sometimes even succumbing to deceptive design.
As far as why people use VPNs, 86.7% of those surveyed did so for a feeling of safety. The vast majority (91.5%) of surveyed users indicate they do so to secure or protect their online activity, primarily from hackers and eavesdroppers on open WiFi networks (83.9%), advertising companies (65.4%) and ISPs (46.9%). Users with higher levels of expertise were more likely to include ISPs in their threat model. Notably, less than a third of users were concerned about government surveillance. This indicates a shift in user attitudes and a growing concern toward corporate and advertiser surveillance.
Unfortunately just under 40% of users surveyed have a wrong understanding of what protection VPNs actually provide. Additionally, 73.2% of those surveyed expressed concern that providers were selling their data, even when the VPN providers clearly communicated otherwise.
The survey found that many users rely on Google and on review sites to determine which VPN to use. However, several of the VPN providers interviewed alleged that Google search results are unreliable and that the VPN review ecosystem is largely pay-to-play.
Based on these survey results plus VPNalyzer’s other previous VPN research, we recognize a dire need for better user education and greater oversight on VPN advertising and recommendation ecosystems to curb VPNs’ malicious tactics that lead to unrealistic expectations among users.
Following CR’s VPN reporting, members of Congress called on the FTC to enhance consumer protections for VPN users.
The VPNalyzer team believes that this work will help security and privacy advocates, technologists, and VPN providers alike by calling attention to the key areas of issues within the VPN ecosystem.
To read the full white paper, go to: https://vpnalyzer.org/survey2022.html
Yael Grauer works at Consumer Reports managing Security Planner, a free, easy-to-use guide to staying safer online: https://securityplanner.consumerreports.org/