VPNs Are Using Virtual Server Locations: What You Need to Know - BestVPN.com
VPNs Are Using Virtual Server Locations: What You Need to Know

Ray Walsh

August 25, 2017

Virtual Private Networks (VPNs) provide a service that allows you to pretend to be in a different country. This allows you to overcome any local network restrictions that Internet Service Providers (ISPs), workplaces, and other network administrators put in place. In addition, VPNs allow you to overcome the censorship that many draconian governments impose. Finally, they also permit you to (privately and securely) bypass geo-restrictions (geographic website restrictions), so that you can access foreign services and website content.

Earlier this month, news emerged of a study which alleged that VPN providers (including PureVPN, HideMyAss and ExpressVPN) had been unclear about some of their server locations. This led to some negative publicity about those VPNs, not only because of a perceived lack of transparency but also because of security issues that arise from the nondisclosure of actual server locations.

Since the news broke, BestVPN.com has been working with security experts and the VPNs involved in order to ascertain whether there has been any wrongdoing. Consumers want to know if they have been put at risk. They also want to know why VPNs have been doing this. Could there be a legitimate reason?

Virtual Locations: Why?

The original report claimed that VPNs hadn’t been clear about server locations in order to look better than they actually are and get more customers. In reality, that motive doesn’t hold for the majority of the providers in question. We communicated directly with ExpressVPN, which is the best of the VPNs referenced in the report. We asked why it had allegedly been advertising false server locations. The answer made it clear that it had only done so in order to provide a better service for consumers.

Firstly, ExpressVPN told us that only 3% of its servers (representing 1% of its overall traffic) are in a different location to the one advertised. In every single one of those cases, connecting to the server provided an IP address located in the endpoint location that the consumer wanted. This is achieved with what is referred to as “virtual server locations”. This is what ExpressVPN told us:

“ExpressVPN has rigorous standards for servers to ensure that users are able to connect securely, reliably, and at consistently fast speeds. In some countries, it can be difficult to find servers that meet these qualifications. Virtual server locations make it possible for users to connect to such countries, while still providing the connection quality they expect from ExpressVPN.

“For example, some of our users requested Bangladeshi IP addresses to access Bangladeshi content, yet we were unable to find reliable servers physically in Bangladesh. To meet these customers’ needs and provide reasonable speed and reliability as well, we decided to offer a virtual solution for them. The alternative would be not providing this service at all, or providing speeds of less than 1 Mbps from a physically located server.”

Impossible Locations

ExpressVPN has assured us that it only ever implemented virtual server locations in response to requests from consumers. Those consumers had specifically asked for endpoint IP addresses in countries where the firm couldn’t get good enough servers.

ExpressVPN was left with two options: either not to provide an IP address in those countries; or to use a server nearby to provide a virtual server location. The latter allowed its subscribers to get an IP address in the desired endpoint locality. ExpressVPN decided in favor of providing the service. It knew that doing so would allow people who needed to use geo-restricted services from those countries to do so.

False Allegations?

ExpressVPN believes that it is providing virtual server locations for the betterment of its service. The company told us that it doesn’t hide the fact that it uses virtual server locations:

“We have a page on our website explaining what virtual server locations are, how they work, and which countries have virtual server locations. A brief description of virtual server locations and a link to the aforementioned page can be found on the page listing server locations as well.”

Unfortunately, the problem with ExpressVPN’s comment is that when you use its software, it doesn’t disclose that you are using a virtual server location. For me, this does raise questions. Less techy consumers will simply assume that their data is being processed by servers in the country they chose.

Even techy users would need to have visited the ExpressVPN website and landed on the virtual servers page in order to find out information about those virtual servers. This is far from ideal.

Security Implications

The big question surrounding this practice is whether there are security risks involved for consumers. Are users at risk when they connect to a server location that isn’t where they thought?

To give you a well-rounded answer to this, we decided to ask cybersecurity experts at some of the world’s leading firms that very question. Mark Nunnikhoven, VP cloud research for Trend Micro, told us:

“A VPN is an encrypted connection from the user to the provider and then the provider makes the outbound connections to the rest of the internet. If the provider’s system is sitting in a specific country, that system can be seized, searched, and any number of other activities that are legal in that jurisdiction.

“Not knowing the location of your VPN service definitely has a privacy impact. Jurisdictions have very different privacy expectations and regulations. Expecting to have your privacy protected by one jurisdiction only to find out that your data is sitting in another jurisdiction can be disastrous.”

That sentiment was reinforced by Mike Sandhu, Director of Product Management at Norton by Symantec:

“It is possible that there may be security issues associated with this, but lying about the location of a server is also concerning because it impacts the credibility of the VPN provider. If left unchecked, VPN services can potentially view your data at point of offload and use it for a variety of purposes including profiling, advertising and even hacking.

“Ultimately, VPN users are being asked to put their faith in providers. They are trusting that the providers will route their traffic through a server in a country the user chooses with a secure connection. It’s a disservice to consumers if a provider is unable or unwilling to do this.”

However, ExpressVPN disagrees with this risk assessment. They told us:

“The same level of security applies to all ExpressVPN servers regardless of location. We have multiple technological measures in place to ensure that personally identifiable information isn’t logged and doesn’t even hit a disk, that servers aren’t tampered with, and that we aren’t vulnerable to man-in-the-middle attacks. Even in the case of server seizure by a government, ExpressVPN customers aren’t put at risk.”

Data Seizure

The main problem surrounding virtual server locations is that the authorities could seize usage data. That could lead to a VPN becoming a honeypot for the authorities of a particular country. This would be particularly concerning if, for example, data was being processed by a VPN server in the US (where a VPN provider could be served a warrant and gag order). In addition, it would be more problematic if the true VPN server location was in a country that is a part of the 5 Eyes surveillance agreement, or to a lesser degree the 14 Eyes agreement.

So, where are the real servers located, and is consumers’ privacy at risk?

The ExpressVPN webpage on virtual server locations reveals that there are 29 virtual server locations in total.

List of ExpressVPN virtual server locations

  1. Andorra (via the Netherlands)
  2. Armenia (via the Netherlands)
  3. Bangladesh (via Singapore)
  4. Belarus (via the Netherlands)
  5. Bhutan (via Singapore)
  6. Bosnia and Herzegovina (via the Netherlands)
  7. Brunei (via Singapore)
  8. Ecuador (via Colombia)
  9. Guatemala (via Colombia)
  10. India (via the UK)
  11. Indonesia (via Singapore)
  12. Isle of Man (via the Netherlands)
  13. Jersey (via the Netherlands)
  14. Laos (via Singapore)
  15. Liechtenstein (via the Netherlands)
  16. Macau (via Singapore)
  17. Macedonia (via the Netherlands)
  18. Malta (via the Netherlands)
  19. Monaco (via the Netherlands)
  20. Montenegro (via the Netherlands)
  21. Myanmar (via Singapore)
  22. Nepal (via Singapore)
  23. Pakistan (via Singapore)
  24. Peru (via Colombia)
  25. Philippines (via Singapore)
  26. Sri Lanka (via Singapore)
  27. Turkey (via the Netherlands)
  28. Uruguay (via Argentina)
  29. Venezuela (via Colombia)

Doing the Sums

Considering that ExpressVPN provides servers in 94 countries, that would seem to be a lot more than 3%. So, what gives? Well, it is true that only 3% of the total number of ExpressVPN’s servers are virtual servers. However, it’s also true that 30.85% of the countries that it provides IP addresses for are, in reality, using virtual servers.

To me, this feels like ExpressVPN is using a loophole technicality to underplay the situation. It troubles me in terms of transparency. I am the first to agree that ExpressVPN is a top-end service. It’s clear from the user feedback we get about the service that it runs a tight ship. In addition, ExpressVPN does have the infrastructure in place to adequately cope with large numbers of new subscribers (not all VPNs can accommodate the large number of consumers that ExpressVPN copes with – in fact, very few can).

ExpressVPN also has excellent, fully featured software. It has a good privacy policy and, although it keeps minimal connection logs, those are aggregated and can’t be pinned to any one specific user. In addition, I don’t doubt that, on the whole, ExpressVPN was attempting to meet the needs of consumers (and their desire for IP addresses in specific locations).

A Closer Look

However, the cybersecurity experts at Trend Micro and Symantec are right. Not knowing that you are using a virtual server is a security issue. It exposes data to different jurisdictions than the ones you believe are processing your data.

Thankfully, eight of the virtual server locations listed process data in the Netherlands. That country is very secure in terms of data privacy.

Singapore, although generally authoritarian and harsh on copyright protection, doesn’t have mandatory data retention laws. It’s also generally considered secure in terms of data privacy, but it isn’t ideal.

The Venezuela, Ecuador, and Guatemala servers are actually in Colombia. With the current political situation in Venezuela, I’ll stick my neck out and say that data being stored in Colombia is an advantage. I say this in spite of the fact that Colombia is a terrible place for digital privacy. One presumes that the server is located there to provide users with fast enough connection speeds. Otherwise, Colombia would be an awful choice. For users wanting to connect to Guatemala and Ecuador, this isn’t great news.

Argentina, where the Uruguay server is located, is also a bad place for a VPN server. Argentina passed mandatory data retention laws in 2013. Uruguay has much better data privacy laws. As such, this can definitely be seen as a security concern.

The Indian IP address that is being processed by UK servers doesn’t ring too many alarm bells. However, the UK has GCHQ, is an active partner of the NSA, and is a member of the 5 Eyes surveillance agreement. With that in mind, it’s not ideal. That said, ExpressVPN told us that it also has India server locations physically in India, and that the India (via UK) option is clearly labeled as such in its apps. It is therefore important for consumers using the Indian IP address to check this so that they can make an informed decision.

More Transparency Please!

Although ExpressVPN discloses its use of virtual servers, and isn’t hiding that fact from its users, in my opinion they aren’t advertising it well enough either. Transparency is incredibly important, especially when it concerns consumers’ digital privacy.

For this reason, we urge ExpressVPN, Hide My Ass, PureVPN, and any other VPNs that are using virtual server locations to make it clear exactly which servers are virtual and where subscribers are actually connecting.

At the end of the day, this isn’t a scandal. As far as I can tell, this practice hasn’t harmed any consumers as yet. However, there’s no doubt that more transparency would be good for consumers, good for the VPNs’ reputations, and good for the VPN industry as a whole.

Opinions are the writer’s own.

Ray Walsh

I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR. I am an advocate for freedom of speech, equality, and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood, and love to listen to trap music.

18 responses to “VPNs Are Using Virtual Server Locations: What You Need to Know”

  1. Hello!
    Thank you for covering this important topic. Would you mind linking to the “original report” in the text? Or perhaps, at least giving credit to RestorePrivacy, which was the first to break this information?
    Kind regards,

    1. Hi RestorePrivacy,

      Sorry about that. Your original report should indeed have been credited in this article. Ray has now added a link to it.

  2. I’m glad that the VPN I use, which is FrootVPN, is very transparent and honest about their servers. They only have a handful of servers but they are all real.

  3. Thanks for this informative article. I’m a PureVPN user based in Sydney, Australia, and use their service to connect to a Sydney server. They claim to have 8 Sydney servers, but their Servers page doesn’t specify which ones are real and which are virtual. I’d always assumed they were all real. But I took a screenshot recently that proves that when I’m connected, I’m (at least sometimes) actually connected to a server whose IP address shows as being in Karachi, Pakistan. This was of concern to me, especially given the incredibly poor speed I’m experiencing lately. I attempted to raise this issue on their public Support page, but all comments are moderated and they chose not to publish my comment. Not impressed.

  4. Thanks for the awesome article.

    I wonder if PIA (Private Internet Access) operates the same as ExpressVPN?

    Thanks in advance.

  5. Thank you Ray. Helpful article you presented. I am testing out a couple different VPN services.

    In regard to Virtual Servers, do you know how IPVanish is doing or at least how they say they’re doing?

    1. Hi Jason,

      IPVanish has said nothing about using virtual servers that we are aware of. I would therefore assume that it doesn’t use them. You could always ask it, though?

  6. Hi Ray, thanks for the alert. Can you show me where I can find the list of VPN providers with true physical server locations, particularly in Singapore?

    1. Hi James,

      No such definitive list exists, but most VPN providers do not use virtual server locations. Only ExpressVPN, PureVPN and HideMyAss are mentioned in the report. I am sure that any reputable VPN service will be up-front if you ask them about the situation.

  7. The article doesn’t really fit very well with the pop-up ad that always occurs when your cursor is about to close. EXPRESS VPN-THE #1 TRUSTED VPN

    1. Hi MKM,

      Um… I think the main point of the article is that ExpressVPN is pretty upfront about its occasional use of virtual servers, and that it has very good reasons for using them.

  8. Thank you Ray for such an awesome article that elaborates what’s behind the Virtual server. In the past I had a bit of a struggle with ExpressVPN, as I felt they are not that honest with all the features they provide. They might be good for some people, but they are not that good with every part of the world, especially the Middle East.

    A humble request if you can enlighten us also about Hide.me

    1. Hi Mozef, I am glad that you enjoyed the article. As far as I know, hide.me select not to provide IP addresses in places that they do not have a physical server. From their website:
      “Our network consists of 100% physical servers hosted and managed by hide.me ensuring unmatched security for our users.”
