Methodology

This page explains how I evaluate VPNs and privacy tools. If you’re reading a review or ranking on this site, this is the process behind it.

What I’m trying to figure out

For every product I review, I’m answering one question: would I use this myself, and would I recommend it to my family?

That’s the bar. Everything else flows from it.

I don’t review products I haven’t used. I don’t rank products I haven’t compared side-by-side. I don’t include providers in rankings just because they’re popular — if a “top-rated” VPN doesn’t deserve its reputation, I’ll say so and explain why.

Criteria for VPN reviews

I evaluate VPNs across six dimensions:

1. Privacy posture

  • Jurisdiction — where the company is incorporated, what data retention laws apply, and what alliances that country participates in (Five Eyes, Fourteen Eyes, etc.)
  • Logging policy — what they claim to collect, what they actually collect, and how those two often differ
  • Independent audits — who audited them, scope of the audit, and how recent it is
  • Past incidents — have they been compromised, served subpoenas, or caught logging in the past

2. Technical implementation

  • Protocols supported (WireGuard, OpenVPN, IKEv2 — in that order of preference for most users)
  • DNS leak protection and whether it works when actually tested
  • Kill switch behavior on app crashes, network changes, and reboots
  • IPv6 handling — many VPNs silently leak IPv6 traffic outside the tunnel

3. Speed

  • Tested on my own home connection (Canadian residential gigabit fiber)
  • Speed compared to no-VPN baseline at multiple server locations
  • Flagged whenever a VPN is dramatically slower than alternatives. The practical bar: fast enough for 4K streaming and large file downloads without noticeable pain.

4. Apps and usability

  • Native apps on Windows, macOS, iOS, Android (and Linux when relevant)
  • Setup friction for a non-technical user
  • How obtrusive the app is when running
  • Whether anything in the app is a dark pattern (auto-renewal traps, hidden upsells, fake “system warnings”)

5. Payment and anonymity

  • Whether you can pay without giving up your identity (cash, Monero, Bitcoin)
  • Whether signup requires email or other identifiers
  • Refund policy and whether it’s honored without friction

6. Pricing and value

  • Cost on monthly, annual, and multi-year plans
  • Whether intro pricing is honest or designed to trap users at auto-renewal
  • Number of devices, real features, and what’s actually included vs. upsold

What disqualifies a VPN from recommendation

A VPN gets removed from my recommendations if any of these are true:

  • Headquartered in a jurisdiction with broad surveillance powers and mandatory data retention
  • No independent audit, or audit older than three years with no follow-up
  • Caught logging when claiming a no-logs policy
  • Privacy policy contains broad data-sharing language
  • Owned by a holding company that owns multiple competing brands (Kape Technologies is the most common red flag here)
  • Refuses to publish a transparency report or warrant canary
  • Aggressive affiliate marketing without product quality to back it up

How affiliate relationships affect rankings (they don’t)

I have affiliate relationships with some products I cover. The full list is on my Affiliate Disclosure page.

These relationships do not affect:

  • Which products I include in rankings
  • The order of those rankings
  • Whether I criticize a product I have a relationship with
  • Whether I recommend a product I have no relationship with (I lead my “Best VPN” rankings with Mullvad, which has no affiliate program — I earn nothing when readers sign up for them)

If a product I have an affiliate relationship with does something I dislike, I write about it. If a product without an affiliate relationship is the best choice for a specific use case, I recommend it.

The simplest test: if you read a review here and feel like you’ve been sold something, I’ve failed.

How often reviews are updated

  • Major reviews — revisited at least once per year, or sooner when something material changes (new audit, new pricing, new ownership)
  • Best-of rankings — updated when an actual ranking shift happens, not just to refresh the date in the URL
  • Date stamps — every page shows when it was last updated. If a page hasn’t been updated in over a year, I note that explicitly at the top.

What I can’t test

There are limits to what one person can verify:

  • I can’t audit a VPN’s source code line by line
  • I can’t independently verify a no-logs policy in real time
  • I can’t measure server-side behavior I don’t have visibility into

When I rely on third-party audits, transparency reports, or court records, I cite them. When I’m making an inference rather than a measurement, I say so.

Corrections and updates

If you find something wrong in a review, email me. I’ll fix it and add a correction note. I’d rather be right than look right.