What should we require of VPN providers on macOS?

What should you require of VPN providers on macOS?
My answer: The same minimum standard that you should apply to all other OSs.

What should the kill switch requirement be?
My answer: A security feature that, so long as it is activated, blocks external network traffic when such traffic would reveal your IP address.

Does ProtonVPN meet this minimum criteria?
My answer: No, ProtonVPN reveals your IP address every time you switch ProtonVPN server, even whilst the kill switch is turned on.

Do other VPN providers meet this minimum criteria?
My answer: Yes, I know that MullvadVPN (and likely IVPN) meets this criteria. It completely blocks all external network traffic, even when switching servers.

Should the kill switch protect your IP address at all times, such as at computer boot?
My answer: Preferably, yes, but not as a minimum requirement to be recommended. Privacy Guides also lists this as “best case”, but not a minimum.

If an operating system has underlying limitations that may leak the IP or DNS under certain circumstances, should the operating system be recommended against and the minimum requirement for a VPN on that operating system void?
My answer: No, software solutions on operating systems cannot be 100% relied upon to protect you from all possible IP leaks. Android, iOS, macOS are all known to have kill switch implementation limitations. If a user has such a high threat level that they cannot ever allow their IP to be leaked, then VPNs on OS should be recommended against. Otherwise, users should expect that, at a minimum, their IP is not leaked during network interruptions or server switches.

I would encourage the moderators of PG to answer these questions for themselves and re-evaluate whether ProtonVPN meets what ought to be the minimum criteria.

Yesterday, PG moderators merged the following changes to PG’s guidelines for minimum kill switch criteria:

Removed:
We require all our recommended VPN providers to provide standard configuration files which can be used in a generic, open-source client. If a VPN provides their own custom client, we require a kill switch to block network data leaks when disconnected.

Added:
We require our recommended providers to support modern technologies currently available to VPNs.

Removed:
[ minimum requirement ] Kill switch built in to clients.

Added:
[ minimum requirement ] Functional kill switch built in to service-provided clients on our recommended desktop and mobile platforms. This kill switch should be able to block all internet traffic when the VPN connection drops unexpectedly.

What these changes mean:

  1. PG only recommends Linux as a desktop platform and Android as a mobile platform, thus, the kill switch criteria would not apply to macOS. This entails that having a kill switch on macOS is not a requirement for recommendation.
  2. This defines a kill switch as a security feature that blocks all internet traffic when the VPN connection drops unexpectedly. Is this the minimum criteria that you want for a kill switch? If so, then your platform requirement makes no sense, given that all the recommended VPNs match that criteria on all platforms.

It seems to me that the moderators of PG are at once taking a maximalist position on the issue, saying that the kill switch shouldn’t even be a requirement on all operating systems (because not all OSs provide perfect environments for a kill switch) - and at the same time, taking a minimalist approach by claiming that the only role of a kill switch should be to block internet traffic in case the connection drops unexpectedly. How can you square these two positions together?

My conclusion is that you are trying to change the criteria specifically to keep ProtonVPN.