No centralized logging
Every single online interaction leaves behind data. This is logged by Internet Service Providers (ISP), but it can also be logged by VPN providers.
Logging simply means collecting user data. When you connect to a VPN, your traffic is encrypted and all your internet usage is funneled through the VPN. By replacing your IP address with that of the VPN server, your ISP is unable to see what you’re doing.
By using a VPN, we effectively shift our trust from your ISP to your VPN provider. If the VPN provider wanted to, it could view the destinations of your online activity, such as which websites you visit or who you send a message to. To be clear though, when using a VPN, neither your ISP nor the VPN should be able to view the content of your activity, which is encrypted.
Many VPN providers promise “no-log” policies, but the problem is that we have to take them at their word. Providers have been caught logging data even after they promised not to, and have handed this data over to authorities with minimal fuss. [1]
Another issue with logging is that most traditional VPN providers are centralized: they own or rent all their own servers which process your data instead of your ISP.
Even if VPN providers didn’t hand logs over to authorities, their centralization of user traffic creates another risk: if they are logging information at all, a single data breach or other cyber attack could expose these stores of information.
Decentralized VPNs (dVPNs) solve this issue by virtue of the fact they don’t actually own or operate their own data routing infrastructure (servers). Instead, dVPNs consist of hundreds or even thousands of independent node operators that form the wider network. This makes it much harder for your internet usage to be exposed in a single data breach or via requests from authorities. It is the very design of dVPNs that prevents the collection of this information in one central location.
Strong encryption
Encryption is an absolutely critical component of the digital world. Rather than transmitting data “in clear” so that it’s readable by anyone, encryption scrambles user data, relying on secret cryptographic keys in order to access it.
Without encryption, we wouldn’t have the digital economy as we know it. It is encryption that allows people, for example, to securely shop online without leaking their credit card data. Encryption has been a hard-won right: prior to the “crypto wars” when cypherpunks fought for public access to the technology, encryption was viewed essentially as a weapon or military tool by governments.
However, studies have found that some shady VPN providers do not even encrypt their traffic at all, so it’s important to check exactly what you’re signing up for.
That said, not all encryption is equal. When looking for a VPN that actually cares about your privacy, it’s important to understand the kind of encryption being used. Older encryption standards like Point to Point Tunneling Protocol (PTTP) and the Layer 2 Tunneling Protocol/Ipsec are less secure than more modern encryption methods.
Right now, the most popular VPN encryption protocols are OpenVPN and WireGuard. These protocols are well regarded for their strong security and key exchange mechanisms.
Meanwhile, privacy enhancing technologies like Tor, a decentralized privacy network, use something called Onion encryption. This is a multi-layered encryption system that encrypts data multiple times: each server in the circuit decrypts a layer of encryption, making it harder to trace data from end-to-end.
Open source
Some of the most popular VPN protocols like WireGuard and OpenVPN are open source. This means that the source code of the software is public and can be distributed, viewed, or contributed to by anyone. Open source keeps software transparent and secure. Because anyone can view the code, you know what you’re getting.
However, even if they use open source VPN protocols, many of the biggest VPN providers are not open source organizations. Their applications, clients, software, and configurations are closed source or proprietary, so no one in the public can know what’s going on under the hood.
Considering that you are entrusting the VPN provider with your browsing habits, it’s important that you know exactly what the software you’re using actually does.
To allay some of these fears, bigger VPN providers often engage third-party auditors to examine their systems. While some of the auditors may be reputable, this introduces yet another question of trust: isn’t it better to know that anyone in the community can audit the software and find out what’s happening? Open source design ensures this transparency.
Privacy-enhanced payments
If you’re looking for privacy online, it’s crucial you also look for anonymous payments: whenever you pay for any digital service you also leave a financial paper trail tying that payment to you. VPNs are no different.
Some VPN providers do offer quasi-anonymous payments, for example, by using privacy-preserving cryptocurrencies such as Monero or even letting users mail cash to the provider.
On the other end of the spectrum, many free VPNs exploit user browsing information, following the trend of commercializing metadata, by selling the records of your internet habits to data brokers. [2]
However, most VPN providers do not anonymize their payments. This means that in the event of a data breach or some other security issue, there can be a record of payments linking you to your VPN usage.
Simply put, if a paid-for VPN provider does not offer privacy-preserving payments, then its privacy stack can be considered compromised.
Multiple hops
When you connect to a traditional VPN, your traffic is encrypted en route to the VPN providers’ server. This server is called a “hop,” and most traditional VPNs will only send your traffic via one hop. We can think of this as a straight line between the user and the VPN server. If the VPN provider’s servers are compromised or its encryption broken, this line is a direct path linking the VPN provider with the user.
More hops make it harder to trace connections back to the user, adding layers of encryption and obfuscation with each hop in the circuit.
While most traditional VPNs offer just one hop, some centralized VPN providers do offer a [double VPN option](/blog/double-vpn] (2-hops). Alternative privacy systems like the Tor project offer three hops by default. A truly decentralized VPN like NymVPN offers multiple hops by default and a signature 5-hop mode for unparalleled security.
Very few systems offer multiple hops by default. So if you care about privacy, this is a feature you should really look out for because it significantly improves your anonymity.
Decentralized infrastructure with wide server distribution
Traditional VPN providers are centralized, so the whole infrastructure is owned by one organization. To make matters worse, the whole VPN market itself is undergoing centralization, with bigger providers buying and absorbing smaller ones. So what might appear to be an independent VPN provider might actually belong to a mega-corp that you know little about.
With this centralization comes a huge risk: the more infrastructure is centralized by any one single entity, the more vulnerable all user data becomes. The increasing prevalence of supply-side attacks shows that all adversaries need is one entry point to compromise an entire organization.
A [decentralized infrastructure](/blog/what-is-decentralization] makes compromising these networks much more complicated. With dVPNs, each hop or node is run by an individual server rather than the VPN provider.
Additionally, these individuals are incentivized to provide a good quality of service, usually being rewarded via the native token of the dVPN provider. This encourages node runners to keep good uptime. But it also does something unique by providing a community governance mechanism to reward nodes that perform well and thus contributing to the overall health of the network.
Lastly, decentralized infrastructure means that anyone can create a node. Since the whole network is community-powered, it is only as strong as its community. With a healthy decentralized network, dVPN providers don’t have to rely on finding trustworthy server provider partners in various regions or countries. It is the community that creates them instead. This ensures a highly dispersed network that can be accessed from anywhere, free from central governance or control.
Learn more about the difference between decentralized and centralized VPNs in Nym's guide.
NymVPN: The best anonymous VPN
NymVPN is the culmination of years of research into mix networks, or mixnets. Nym has closely analyzed the privacy landscape and assessed what’s working and what’s missing. Crucially, NymVPN allows you to set your own privacy preferences by choosing between a two-hop dVPN and a 5-hop mixnet mode in a single application. The choice is yours: optimize for speed with great privacy, or optimize for complete privacy with the mixnet mode.
The NymVPN Anonymous mode
- Optimized for enhanced privacy
- Offers advanced privacy against even government-level adversaries for sensitive use cases like crypto transactions, messaging, and secure email that are not timing sensitive
- Prevents metadata leakage of timing and volume of packets
- Features traffic analysis resistance via packet shuffling in inner-three mix nodes and dummy traffic to further obfuscate client activity
- Encrypts with a novel form of onion encryption, called Sphinx, designed specifically for mixnet routing
The NymVPN Fast mode
- Optimized for speed
- Features IP address obfuscation for everyday browsing, streaming, or gaming
NymVPN’s privacy infrastructure
Whether users choose the 2-hop Fast mode or the 5-hop Anonymous mode, NymVPN provides unparalleled security features:
- No centralized logging by design, so your traffic can never be seen or logged by Nym
- Fully decentralized infrastructure, even down to its directory authority (the system that oversees the health of a network, which is managed via smart contracts on the Nyx blockchain)
- Multi-hop by default, going far beyond the privacy standards of almost every currently available VPN
- Multi-layer encryption for decentralized routing
- Fully open source Nym stack so anyone can audit the code
- Unlinkable payments through zk-nym anonymous credentials system
With these features, users can have confidence that Nym is committed to privacy, decentralization, and transparency.
