Boy, I don’t know what PG is going to do, if anything at all, but this is surely a tricky thing to navigate and correct. I’m taking solace in the fact that we all agree something needs to change. I hope PG seriously and holistically evaluates all pros and cons for all options and then rebuilds its minimum requirements and best case features it is reasonably going to ask any VPN provider to ensure.
While I understand you didn’t want this to be primarily about Proton, because this post likely stemmed from that, it is inevitable. Perhaps you should think of this Proton “controversy” as the breaking point among us all to see the need for some overhauling of the criteria or select criteria.
I hope PG team reads these threads as not poorly thought out criticisms but with the eyes of seeing the passion the community has when it comes to wanting VPN companies to do better, PG recommendations/info to be better, and simply wanting the best manner in which info is shown, presented, and evaluated. Things change and so nothing should be set in stone.
And to the PG team: nothing we have said here is to be taken personally because we said something in a particular manner that may read as “targeted” toward you with how you operate and see things with products and companies. But it was an honest exposition of how we feel and why as we made the case for wanting a change here. At least this is how I participated here. I personally did not mean anything to be an admonishment even though it may read like it.
Anyways, it’s the holidays, so hope they look at this with fresh eyes in the new year and discuss it all internally and deliberately.
The point is, PG is not in the business of selling VPNs (and from what I can tell, also not in the business of “access journalism”). It should have no obligation to market VPNs as something they are not (recommended VPNs not meeting the minimum criteria, to the generally non-neutral wording / linking to first-party sources & (some) factually incorrect/misleading statements in the VPN knowledge base / perceived lack of critical / independent checks), it is doing exactly that.
If PG is selling anything but “reality”, it is not different than all those loathsome “content creator types”[1] I keep hearing about from the “staff”[1] and the “team” here.[2]
Whatever the philosophy, brand loyalty certainly can’t be the way.
To me, if they hold themselves to the policies and standards and criteria they themselves set, that’ll be refreshing.
I mean, they seem to like replying to kids[3] and trolls in hours…
[1] “I’ve noticed a pattern where they claim “YouTubers” and other “content creators” don’t have their hearts in the right place … all the while being engaged knee-deep in content creation themselves with TWIP & whatever long blog posts they published every other week.” THE HATED ONE: We need to talk... about the Proton ecosystem - #7 by KevPham
[2] “I find it pretty challenging to take YouTubers seriously these days when we do what they do + we do written work + we self-host everything from the ground up in addition to meeting people where they are on big tech platforms + we foster this community for other members to do the same. Unfortunately, “content creator” types have been far less willing to work with us compared to serious organizations like Tor or EFF, so to me that speaks volumes about how serious YouTubers are about advancing privacy vs. their own brand.” THE HATED ONE: We need to talk... about the Proton ecosystem - #41 by jonah
[3] I mean, I have seen posts flagged and deleted for less.
Considering none of the recommended VPNs have a working kill switch for all platforms, the obvious move would be to change the criteria to something enforceable. Unless we’re all cool just not having a recommended VPN.
I do think the suggestion by OP is way too complicated. Just remove the “Kill switch built in to clients” as a minimum requirement.
Genuinely asking as someone who largely doesn’t use iOS anymore, which ones do? IVPN doesn’t apparently, and some argue Proton doesn’t. Mullvad? Anyone else?
PG’s recommendation criteria for VPNs and the no-logs policies of all VPNs recommended by PG are strong. This is supported by their transparency reports[1][2] and findings of law enforcement raids[3][4]. The tricky part lies in their official clients and the implementation of the network stack (and VPN) by the OS, and how these clients and the OS work together.
One way is to add another simplified table recommending which clients to use, but it will be confusing for newbies. Another way is to add disclaimers wherever necessary like below. Neither requires changing the recommendation criteria.
And finally a gentle reminder though most don’t need this
Maybe I am mistaken but it does not seem like any of the recommendations have a killswitch that works for iOS, which means my statement would be true. Happy to be corrected if anyone has the actual info.
I reread your comment and you did say for all platforms. It’s just that this lacked context and could be understood as recommended VPNs had broken killswitch on all platforms.
You are right, and according to Mullvad there are problems in macOS and Android as well for apparently every provider out there.
If we are a little pedantic on what a killswitch should do, no current VPN client has a completely leak-proof kill switch; even GrapheneOS says they don’t consider their work on fixing VPN leaks as complete.
In my opinion PG should define what they mean by a working kill switch or just drop the requirement for one.
If yourself and @anon57862721 wouldn’t mind, please edit your previous comments, as it will become confusing if they see veteran members calling a true comment untrue.
Thanks for confirming.
This would be my preferred outcome. Make it a best case criteria instead of a minimum.
There should probably be a knowledge base article created and linked to from the VPN page explaining the issues with kill switches, as there seem to be too many issues to provide an accurate warning on the VPN page itself.
Agree. But changing the criteria so also means VPNs will go from “hide your traffic from ISPs” to “hide certain traffic from ISPs, some of the times”.
Is “killswitch” necessary to the model that goes “hide your traffic from ISP”?
To me, it does seem like on OSes that provide a “killswitch”, the end-user must be (as a minimum criteria) given an option to enable it by VPN clients, regardless of whether the OS implementation is up to the mark or not.
PG doesn’t have to write about VPNs as something they are not then:
Should I use a VPN? Yes, almost certainly. A VPN has many advantages, including: Hiding your traffic from only your Internet Service Provider.
Without a “killswitch”, I don’t think a VPN can lay any claim to accomplish that (a client-side guarantee is hard to provide without a client-side implementation to match). In fact, 2 of the 4 points PG makes for why one must “almost certainly” use VPNs are not sound, I don’t think: Mention kill switch leaks caused by OS limitations - #4 by ignoramous
To add to your point, the very existence of traffic fingerprinting means that the promise of “hiding your traffic from your ISP” even if the kill switch worked, is very limited since they could infer what websites you visit unless you use DAITA or the Nym Mixnet.
The “almost certainly you need a VPN” claim by PG seems hard to justify…
Feel free to correct me if I misunderstand but to me it seems the issues stem from certain OS issues, not from something wrong with the VPNs that make what PG has said less true.
If that’s the case it seems to me what needs to be added, in addition to moving the kill switch criteria to a best case, is a warning saying something like “if your threat model requires a VPN we cannot recommend iOS, macOS, or AOSP-based devices without GrapheneOS due to upstream issues affecting kill switches”.