Today, we’re excited to take our next step towards earning your trust. Over the past 6 months, we’ve been working closely with the Center for Democracy and Technology (CDT) to help provide insight into what questions customers can ask to understand whether they can trust their VPN provider.
The CDT’s initiative is important as we’ve seen an increasing number of VPN providers collecting user data, turning over usage data to law enforcement and generally abusing customers’ trust. Through the CDT’s questions, we believe that VPN companies now have a framework for being transparent about the important details that will impact their customers’ privacy.
These questions have been developed by the CDT and answered by TunnelBear below. We hope in the coming weeks that we’ll see answers from all VPN providers posted publicly.
Introducing Signals of Trust
Trust is a critical component to a thriving digital ecosystem. While VPN providers are often a tool for users who lack trust in the practices of other online entities, these services must still foster trust in users that they adequately obscure individuals’ digital footprints.
Responsible VPN providers should ensure that their users’ information is handled in a way that respects the trust placed in them by individuals. User information should not be sold or shared in unexpected ways, such as web browsing habits being exploited for sale or handed over to law enforcement or other public authorities without proper legal procedures in place. VPN providers should provide users with transparency about basic security practices, company business models, economic incentives, and ownership structures.
Below is a list of questions that a trustworthy VPN service should be able to answer honestly, clearly, and thoroughly, signaling the provider’s commitment to earning user trust. The goal of these questions is to improve transparency among VPN services and to provide a way for users to easily compare privacy, security, and data use practices, encouraging VPNs to deploy measures that meaningfully improve the privacy and security of individuals using their services.
Corporate Accountability & Business Model
What is the public facing and full legal name of the VPN service and any parent or holding companies? Do these entities have ownership or economic stakes in other VPN services, and if so, do they share user information? Where are they incorporated? Is there any other company or partner directly involved in operating the VPN service, and if so, what is its full legal name?
TunnelBear’s team and offices are based in Toronto, Canada while the corporation, TunnelBear LLC, is incorporated in Delaware, USA. TunnelBear is wholly owned by McAfee.
McAfee is a well known security software company, with both consumer and enterprise products. While McAfee owns TunnelBear, TunnelBear operates independently with no TunnelBear customer information shared with McAfee.
Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?
TunnelBear offers an affiliate program where we pay commissions to websites that refer customers to us. We require these affiliates to disclose their financial relationship with TunnelBear.
TunnelBear does not own, or operate, any review or affiliate websites.
What is the service’s business model (i.e., how does the VPN make money)? For example, is the sole source of the service’s revenue from consumer subscriptions?
TunnelBear offers paid and free versions of our app. The paid version generates revenue solely from subscriptions, while the free version offers people a capped “trial” of 500 MB a month. Our free service gives people a way to try TunnelBear without having to provide any personal information and serves as a marketing tool, rather than a revenue generator.
Not profiting from our free users means we do not sell your bandwidth or your usage habits, and we do not turn your device into part of a botnet. TunnelBear has plans to offer an SDK which would allow select partners to resell a white-labeled VPN service.
Privacy: Logging/Data Collection Practices and Responding to Law Enforcement
Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated? If so, what data? (including data from Client / VPN app, APIs, VPN gateways).
No. TunnelBear does not store the times at which people connect to TunnelBear or the IP addresses they connect from. We do collect the aggregate amount of data you use in a given month. This data usage is not session specific: it is aggregated over the month and deleted once a new month starts.
Whether it’s designing features like our map to not store your IP address, setting up marketing tools to respect privacy or even creating our own privacy focused social media buttons, we try to consider privacy in every decision we make. Most recently, in preparation for the GDPR, TunnelBear launched a tool which allows customers to see exactly what information we store.
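The monthly aggregate described above is a data-minimisation design: the only per-account record is a byte count for the current month, with no session times, client IPs or destinations, and the count is discarded at month rollover. The following is an added example of how such a meter can be structured so that the absent fields simply cannot be stored; it is illustrative code written for this page, not TunnelBear’s implementation, and it assumes a hypothetical opaque account identifier, the 500 MB free-tier cap stated in the post, and UTC calendar months as the accounting period.

```python
"""Data-minimising usage meter (added illustration, not TunnelBear code).

Assumptions (hypothetical): accounts are keyed by an opaque account id,
the free cap is 500 MB as stated in the post, and the accounting period
is the UTC calendar month.
"""
from collections import defaultdict
from datetime import datetime, timezone

FREE_CAP_BYTES = 500 * 1024 * 1024  # 500 MB free-tier cap from the post


def utc_date(year: int, month: int, day: int) -> datetime:
    """Helper so callers can build timestamps without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


class UsageMeter:
    """Keeps one byte counter per (account, year-month) and nothing else.

    Deliberately absent from the schema: session start/end times, client
    IPs, assigned VPN IPs, DNS lookups, destinations. Counters for earlier
    months are purged on first use in a new month, so the store never holds
    more than the current month for any account.
    """

    def __init__(self) -> None:
        # key: (account_id, "YYYY-MM") -> bytes transferred this month
        self._counters: dict = defaultdict(int)

    @staticmethod
    def _period(now: datetime) -> str:
        return now.astimezone(timezone.utc).strftime("%Y-%m")

    def _purge_old(self, period: str) -> None:
        # Drop every counter that is not for the current month (all accounts).
        # O(n) per call; fine for illustration, a real store would index by month.
        for key in [k for k in self._counters if k[1] != period]:
            del self._counters[key]

    def record(self, account_id: str, nbytes: int, now: datetime) -> int:
        """Add nbytes transferred by account_id; return month-to-date total."""
        if nbytes < 0:
            raise ValueError("byte count must be non-negative")
        period = self._period(now)
        self._purge_old(period)
        self._counters[(account_id, period)] += nbytes
        return self._counters[(account_id, period)]

    def used(self, account_id: str, now: datetime) -> int:
        """Month-to-date bytes for account_id (0 if nothing recorded)."""
        period = self._period(now)
        self._purge_old(period)
        return self._counters.get((account_id, period), 0)

    def over_cap(self, account_id: str, now: datetime,
                 cap: int = FREE_CAP_BYTES) -> bool:
        """True once the account has reached the monthly cap."""
        return self.used(account_id, now) >= cap

    def stored_fields(self) -> list:
        """Everything retrievable from the store: account, month, bytes only."""
        return [{"account": a, "month": m, "bytes": b}
                for (a, m), b in self._counters.items()]


if __name__ == "__main__":
    meter = UsageMeter()
    jan = utc_date(2018, 1, 10)
    meter.record("acct-1", 300 * 1024 * 1024, jan)
    print("over cap after 300 MB:", meter.over_cap("acct-1", jan))
    meter.record("acct-1", 250 * 1024 * 1024, jan)
    print("over cap after 550 MB:", meter.over_cap("acct-1", jan))
    print("stored:", meter.stored_fields())
    feb = utc_date(2018, 2, 1)
    print("used in February:", meter.used("acct-1", feb))
    print("stored after rollover:", meter.stored_fields())
```

The point of the structure is that a data request can only ever yield what `stored_fields()` returns; there is no other table to query, and the rollover purge bounds retention to at most one month.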
Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?
Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?
Over the past 7 years, more than 25 million people have connected to TunnelBear. By design, we don’t know much about who these people are or how they’ve used our service. We’ve done this on purpose, as we see it as crucial to operating a VPN service.
When TunnelBear receives a request from governmental authorities, law enforcement agencies or in connection with a legal proceeding, the request is reviewed by our legal counsel to ensure that the request is valid and to determine the appropriate nature and scope of our response.
At TunnelBear, we believe that the best way to protect our customers’ privacy is simply to not store data that puts your privacy at risk. If we’re required to respond to a request, you can see the exact data that we might be required to provide by downloading a copy of your data from TunnelBear’s privacy center.
Security Protocols and Protections
What do you do to protect against unauthorized access to customer data flows over the VPN?
Protecting our customers’ data and preventing unauthorized access is our highest priority. We employ an extensive list of processes, techniques and services.
Our infrastructure and client apps have undergone extensive hardening, testing and the VPN industry’s only independent public security audit.
TunnelBear hardens every server with full disk encryption, malware and intrusion scans, and intrusion prevention techniques. Security patches are kept current. Hardware-backed two-factor authentication is applied extensively throughout our organization.
All development follows a secure development lifecycle (SDLC): changes are architecturally reviewed, peer-reviewed, tested and independently audited on an annual basis, and the audit results are published for the public to see.
What other controls does the service use to protect user data?
TunnelBear is proud to be the first and only VPN provider in the world that has released a public, full infrastructure security audit from a verified third party. We have hosted bug bounties, accept honey and Bitcoin as alternative payment options for privacy conscious customers, and continue to have annual full audits of our system, apps and code.
Trust and transparency
Fostering trust with customers shouldn’t be a difficult thing, yet so many VPN providers seem happy to mislead people about what their service can do, what data they collect and how it’s used.
The CDT’s Trustworthy VPN initiative calls for openness from providers and we’re happy to provide answers to the important questions surrounding how we run our business. Our hope is that the questions from the CDT will give customers the tools they need to confidently decide whether they can trust their VPN provider.