Reviewing Privacy Guides's Criteria for VPNs, and Cryptostorm and AirVPN

Preface: I realize this is a bit long (though I did not intend for it to be when I started), but I wanted to go into at least some justification/detail, since I’ve seen previous discussions of this nature get shot down when they consisted of just the request alone. Also, if you disagree with something, please be constructive and specific so a discussion can be had.

If you narrow VPNs down to those that have the “bare minimum” of generally accepted security and anonymity principles, which I define as: no logs, no analytics, anonymous payments (meaning they accept at least one of either XMR or cash), anonymous registration/logins (i.e. email is not required and/or a random alphanumeric “account” is generated), and being (relatively) well known [such as showing up on Techlore’s list, VPN Comparison Tool | Techlore VPN Toolkit], you have (non-exhaustively of course, but using that as a baseline): Mullvad VPN, IVPN, Windscribe, hide.me, AirVPN, Cryptostorm, AzireVPN, and ShockVPN.

Now, comparing to what Privacy Guides recommends (Mullvad, Proton, and IVPN), this immediately eliminates Proton VPN, which doesn’t have anonymous registrations (it requires an email or phone number to sign up). According to the Privacy Guides criteria, https://www.privacyguides.org/en/vpn/, “We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration…” This I agree with; however, it also says, “No personal information required to register: Only username, password, and email at most,” which seems almost oxymoronic and contradictory to the former criterion. An email is definitely not necessary when random account number generation exists, as with Mullvad, Cryptostorm, etc. Though I think there’s a strong argument that this should be grounds for removal, I think at the very least it should be disclosed on the page under Proton that anonymous registrations are not fully supported since it requires an email. Even if the email is new/a throwaway, it’s still an extra factor by which you provide identification of yourself and constitutes an extra channel through which information could leak, which is certainly not “as little data as possible,” which again seems contradictory.

It seems weird to me that there are other potential VPNs out there that have even higher standards of security than those on the guide with regard to the aforementioned criteria, yet aren’t listed on the guide, when ones with lower standards are allowed. I don’t think Proton necessarily would have to be removed, but to have it but not some of the other options seems counterintuitive to providing solutions that maximize anonymity.

If we go beyond what one might consider “bare minimum” criteria and include criteria I think should also be necessary for a proper VPN service (or at least having some option with these criteria), I reckon supporting port forwarding should be included (for various applications, including torrenting; note there are non-piracy-based legal use cases for this for people circumventing oppressive regimes as well). This criterion alone narrows the list down to Windscribe (though it is limited to 7 days at a time, so one could exclude this or put a disclosure…), AirVPN, Cryptostorm, AzireVPN, and ShockVPN. If we further constrict the options to the larger of these providers (just to simplify the options and use age/time existing without security issues as a useful benchmark), that leaves AirVPN and Cryptostorm.

Also, as another criterion, out of those five VPNs, those two both support OpenVPN and WireGuard, to ensure maximum compatibility in places where one might be blocked, and since neither seems to be particularly more secure than the other (also considering how new WireGuard is, it’s had less time to be analyzed and have vulnerabilities found).

Of the two remaining VPNs recommended by Privacy Guides, if we consider the necessity for port forwarding and supporting both protocols, this leaves none (since neither Mullvad nor IVPN supports port forwarding, and Mullvad just dropped OpenVPN support). I think having at least one or two options that support these is critical (and which also satisfy the anonymous registration criterion that we discussed regarding Proton… further, Proton’s port forwarding support, by PG’s own account, is limited).

The last criterion worth discussing, I believe (beyond the “obvious”/technical ones like high standards of encryption/RSA and other criteria that most/all of these VPNs meet anyway), is auditing. Privacy Guides requires this as a criterion, and this was used to shoot down AirVPN before: AirVPN (VPN Services) - #4 by anon28734771. But, as has been discussed in various circles online, auditing doesn’t guarantee anything because 1.) there’s nothing stopping a VPN service from violating its own logging policies as soon as an audit is over or before one begins; 2.) there are LOTS of VPNs that have audits that you won’t find on any privacy list, like NordVPN, SurfShark, etc. (not that these are bad, but they don’t scream privacy and anonymity rights, either), meaning audits don’t add any sort of credibility that isn’t added by having good-faith security and anonymity criteria in the first place. Everything else equal, is a VPN with 100% anonymous registrations and payments more or less likely to have logs than one that doesn’t? I think that offers more credibility that one wouldn’t log, because what would be the point, vs. if you’re “audited” to have no logs but aren’t as privacy/anonymity focused, like a Nord (or even a Proton VPN), compared to those on the other extreme end of the security/anonymity spectrum such as Cryptostorm (which is even advertised for the security/anonymity “paranoid”) or AirVPN.

So, my question is, why not consider adding options like AirVPN and Cryptostorm (or others) to the list, given some of the security/privacy/anonymity limitations discussed? Even if those limitations in your opinion don’t warrant the removal of some of the existing VPNs, certainly adding ones with comparable, if not higher, security/privacy/anonymity standards is warranted, no? In addition, this would allow a wider range of important VPN features to be supported as well (port forwarding, protocols, etc.).

I will quickly add a “bonus” criterion that I think not only ensures an even higher standard of privacy/security/anonymity but also speaks volumes to how “good faith” a VPN might be. That is, having an onion website. Think about it. If you are worried about privacy from someone watching your network, be it a government, ISP, or countless other security threats/bad actors that might be tracking you, this ensures that you are truly anonymous/private throughout the entire loop: from the beginning (before even registration or payment is collected) until you’re up and running. (You can obviously use Tor to acquire the VPN either way over clearnet, but a VPN supporting this and having more factors of privacy/anonymity <=> better.) VPNs that offer this (not exhaustive, but just for argument’s sake) are Cryptostorm (bonus points for no JavaScript required) and AirVPN (and Proton too, bonus points for that). I think having a set of “bonus” criteria such as this could further enhance the detail and breadth of quality options on Privacy Guides. And this adds more credibility to the privacy and anonymity features of Cryptostorm and AirVPN.

TL;DR: There are some criteria on the Privacy Guides VPN article I feel are missing, and others with which I don’t agree because they leave out critical features that would ensure a higher standard of maximizing privacy and anonymity.

Edit: Grammar/clarification tweaks and preface added.

Edit 2: Added TL;DR.

Edit 3: More clarification/edits/formatting.


A post was merged into an existing topic: Reviewing Privacy Guide’s VPN Criteria (final post 4): Adding CryptoStorm and AirVPN

Sigh, that’s why I detailed many different points/arguments. What do you actually disagree with in particular?


Look, your post is… a lot. I responded to the part I find worthy of responding to.

Yeah, that’s fair, I realize it’s a bit long, but you just saying “I disagree” with no rationale almost makes me think you didn’t actually even read it to have valid reasons to disagree with it. I’m glad you agree about the audit point, but if you were able to understand and agree with that part, I would think you would have read the rest as well. I don’t mean this as an attack, I just want the guide to have very high standards and offer options for everyone.

Fair enough. I removed the sentence from my comment. You are right, I shouldn’t have put it in there if I am not going to say why.


All Site Development topics need to be about one actionable suggestion, so you can either feel free to post a new topic for each criteria change you’d like to suggest, or I will try to split this up myself when I get a chance later 🙂


Thanks: