ProtonVPN potentially misleading UI

I think that the ProtonVPN app (at least on Android) uses misleading/alarming terminology in two places:

  1. when not connected to the VPN, the app displays “You are unprotected” in red color and with an icon representing an unlocked lock; while connecting to a VPN server the app says “Protecting your digital identity”; when connection has been established the app says “Protected” in green color and with an icon representing a locked lock. (What I described can also be seen in the screenshots of the app listing in F-Droid).

Here is a relevant quote from the Privacy Guides “Minimum to Qualify” marketing criteria for VPN providers:

Must not have any marketing which is irresponsible:

  • […]
  • Use responsible language: i.e., it is okay to say that a VPN is “disconnected” or “not connected”, however claiming that someone is “exposed”, “vulnerable” or “compromised” is needless use of alarming language that may be incorrect.

I don’t know whether ProtonVPN falls within the boundaries or not.
I don’t think the misleading UI is done in bad faith, likely their marketing team was given too much room and went too far to compete with other VPN providers. What do others think about this? Should a request for Proton to use less alarming text, color and icons in the UI be opened?

  2. The other thing I noticed, which I think is much worse than the previous one, is that, in the ProtonVPN Android app, the setting for the telemetry (which is enabled by default) is “hidden” under the name “Help us fight censorship” within the settings. I myself always go through all the settings of the apps that I install, and I would never have imagined associating the label “Help us fight censorship” with the telemetry collection setting: the name clearly suggested to me something that requires an active involvement in fighting censorship. I never realised what the setting was until much later, by chance, when I was randomly looking in detail. (Also note that inside the setting there is nothing about censorship; only telemetry.) See video recording

I think this kind of practice should be strongly frowned upon. Besides, it could be damaging to Proton’s reputation, because it may lead people to believe that the setting is “hidden” due to the telemetry being highly invasive; in reality the telemetry is supposedly anonymous and isn’t shared with third parties. Additionally, people who are specifically looking for the telemetry setting are very likely to not find it and hence end up believing that Proton doesn’t allow their users to turn it off.
But in any case the principle of transparency should be a must, in general, and even more so for a privacy-related service.

Note that I observed the two above behaviours in the Android app; on Linux the telemetry setting is not mislabeled, and the UI of the client shows the much more sane "You are disconnected", "Connecting", "You are connected to [server]". I did not check other platforms, but it is possible that the practice described above applies to some other platforms as well, since the Linux client is their only client with a non-eye-candy UI (though this might change, given Proton's job listing for 'Senior Software Engineer (Linux Desktop)' says "You would be joining the Linux Proton VPN" and "What you will do: Contribute to building a new Linux app").

Hmm. I don’t think this is anything significant or even close to it to worry about. I would say this will boil down to semantics. Everyone takes what they read a little different and would prefer a different operative word was used instead but the intention, meaning, quality, and honesty of what is said doesn’t change.

I don’t see this as an issue. I think you’re being overly pedantic with point 1 to a point where, like I said, semantics come in. It’s nowhere close to “alarming language”. C’mon, let’s be reasonable.

I think #1 is a nothing burger honestly. At this point pretty much all VPNs use the terms protected and not protected in this way. I think it’s fair to assume the user understands what is meant.

#2 I agree it’s misleading. For sure a stretch to say anonymous crash reports help fight censorship. Not sure if I consider this some sort of egregious issue that requires Proton to be reconsidered.


I will add that I always thought their kill switch (more so for desktop) has been misleading or at least a bit unclear. They should clarify the differences between using the kill switch and advanced kill switch.

Nice to see Proton proactively updating their UI screenshots of their new apps where needed on their support pages.

Don’t get me started on how different VPN providers have different terminology for this exact thing.

For example, Mullvad uses “Lockdown Mode” to describe what “Advanced Kill Switch” is for Proton. Not a huge deal but this problem gets even worse with other providers.

The language chosen by the app is not super concerning, but it does literally go against the explicit rules for Privacy Guides.

With that said, a privacy company being opt-in for telemetry tracking is a bit ironic, but more importantly, hiding it in an unsuspecting category is dark patterns/Privacy Zuckering at play.

These types of actions would not be seen as privacy-friendly if any other company did them. They do have a lot of supporters on the board, so we will see how the conversation plays out.

It’s literally in the category for which the telemetry is for. How is this hiding?

No it doesn’t. Like I said in my comment above, semantics. It’s not alarming language in any way. I guess @jonah will need to clarify how PG evaluates “alarming language” for us to use the same matrix or guidelines to deduce such info ourselves, but by no measure do I think it is alarming. Reasonableness, rationality, and the intention with which a company says or does something are to be considered as well.

Also like I said, I think we’re splitting hairs of split hairs.


A category called Telemetry is where Telemetry settings should be placed. A category called Help Us Fight Censorship is not related to telemetry.

As for the rule re: alarming language, it is about the language used, so yes it is semantics.


At the end of the day, these companies still need to pay their bills and make a profit. This is why some level of alarmism and fancy marketing diction should be expected as long as it does not lead to any harm.

For example, we can obviously expect Proton or Mullvad to place ads warning people that their data is at risk or that the government is spying on them. Is a VPN the best solution for these problems? No, but we have to admit that some level of alarmism is needed because of their business model.

My concern is whether this marketing/alarmism blatantly disregards reality and the capabilities of their services. I haven’t seen this yet for Proton and Mullvad.


It is indeed a legitimate and a great solution. For most, it may as well be the best solution they can implement in their everyday lives with little to no issue.

No statement or claim is 100% true for 100% of the time for 100% of the people. So, when they say it’s the best solution, I would still say it is a true statement. And I don’t think it is “alarmist” at all.

What Proton does in their business model is their business.

As a Privacy Guides user, one suggestion is that the team removes the criteria completely from the documentation if they don’t intend on enforcing it, lest they give the appearance that the rules don’t apply to certain companies.


I won’t assume anything about how UX etc. creates FUD; we are all different.
Your point may be very valid.

With that said, I’ve been using the Proton services (including the VPN) for a long time. And I’ve been working with security and infrastructure for 30 years, so I am probably too jaded, too “damaged”, but I trust Proton.
(As far as you can trust any cloud service).

Too damaged to say anything sensible about the UX… send them a (support) request.

I do wish they were more clear and upfront about the telemetry options in the app. I’ve always had mine turned on because I trust Proton, but did find it odd that it was “hidden” in the settings menu under a vague title.

EVERY app nowadays has telemetry (Firefox, Thunderbird and a bunch of others).

Telemetry in and of itself is a non-problem. I find it positive that providers of services use telemetry to make the service better.

Here in Europe the Formula 1 teams (F1) are pumping gigabytes of data for each round using “telemetry”.

Telemetry is not a negative; it can be very useful, and in 95% of cases it is.

Edit (just for those who think): This is telemetry: https://en.wikipedia.org/wiki/Telemetry

What you replied to was about UI/UX, not an issue with telemetry.

I agree that the use of the term “Protected”/“Unprotected” is not a big deal, and I can definitely live with it, but I initially brought this up because it seems to directly conflict with the Privacy Guides inclusion criteria, so I wanted to hear if the team thinks that ProtonVPN satisfies the criteria or not, or if the criteria should be changed, or if they would ask Proton to change the terminology to be more neutral.

But having thought about it some more, I also think that only tech-savvy people are able to understand the true meaning of the words, while the average user is instead subconsciously driven to believe that they are “unprotected” and “vulnerable” and “exposed to adversaries” when not using the VPN service, and that they are instead fully safe and secure from anything when they are connected – and that’s why certain marketing terms are used; it’s almost like the careful choice of terminology is designed to induce users to believe that a product does more than what it actually does, and “scare” the user into renewing their subscription.
So my opinion is that the language used by service providers should be neutral and not marketing-driven, in order to protect the average non-tech-savvy user.

And regarding the practice of hiding the data collection settings behind a seemingly unrelated label, I think that it is kind of sketchy, especially for a service aimed at privacy-minded people. I think that there should be some laws against practices of this kind…
And given this example, I propose that the inclusion criteria (for all recommendation categories) be updated to disallow dark patterns.


And maybe not totally related to original topic, but if you make payments with credit card, your identity can be exposed. That is even valid if you top up your account with Proton gift cards bought via your own credit card.

In what way does a payment with a credit card expose an identity?
With a virtual card you don’t need to put your real name nor a real billing address, so this is straight up false.

Official Proton reply

We have received an update from our legal team, and they confirmed that we do not save the name, but we do save the last 4 digits. Moreover, we have a transaction ID that would likely be able to reveal your identity if subpoenaed to the payment service provider (for example, Stripe). If you do not want your account to be associated with your identity, you should not pay with a credit card. We recommend BTC or cash as a payment in that case.

If you use your credit card to buy Gift cards from Proton Shop, then the answer is yes, as mentioned in our previous reply.

We can’t delete any details from Stripe since Stripe is a processor that is not managed by us, however, we can delete payment details saved on your Proton account.

The virtual card argument still applies honestly; if they have nothing to trace back to the card itself nor the billing, then they simply cannot, even if subpoenaed.
Speaking of which, I’ll try and see what my billing address looks like in Proton; maybe I’m trusting them way too much, so it’s a good opsec heads-up you gave me.