Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

A fundamental flaw in PureVPN renders it theoretically less secure and effectively not private. Furthermore, this problem can't be solved with PureVPN's current workflow, which costs them the customers who care about privacy and security and are savvy enough to discover this fundamental flaw.

On my hunt for a VPN provider, I was initially impressed by PureVPN's low prices for my use-case (static IP VPNs). I was happy to finally find someone who cared about our privacy and security. However, I quickly noticed two technical problems. I pointed one of them out to customer service, and their response showed me how flawed PureVPN's organizational structure currently is.

PureVPN's words and actions don't align

To understand why these are problems, think about the discourse PureVPN greets you with: on their main page, they use words like "secure", "trusted", "private", and "anonymous". Yet if you go to their privacy policy, you will see that the app you download from PureVPN (the 'client') has Google Analytics, Apple Tunes, and Facebook Pixel built into it. PureVPN further tells you to go to each of those companies' privacy policies to see how your personal data is being handled.

Unfortunately, Google and Facebook are infamous for their terrible privacy protections. They each have their own Wikipedia articles on the subject: one for Facebook and another one for Google. These companies systematically hoard data from you and then share it with the American government. So much for 'security', 'trust', 'privacy', and 'anonymity'.

Let's remember that this data collection is happening in the very app that PureVPN suggests you download and install to use their services.

However, it also happens on their website. I know they use Google Analytics on their website because googletagmanager, the domain Google uses to load Google Analytics into websites, shows up in my ad-blocker, uBlock Origin.
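The same check can be done without an ad-blocker by looking at which third-party hosts a page's HTML loads scripts from. The scanner below is an added example (not code from the original post or from PureVPN); the tracker hostnames and the inline-snippet patterns are assumptions based on how Google Analytics and Facebook Pixel are normally embedded, and the sample HTML is constructed with placeholder IDs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostnames that Google Analytics / Tag Manager and Facebook Pixel load from.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / Google Analytics",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Facebook Pixel",
}


class TrackerScanner(HTMLParser):
    """Collects script/img/iframe loads from tracker hosts and inline tracker snippets."""

    def __init__(self):
        super().__init__()
        self.found = []          # list of (label, evidence) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname or ""
            if host in TRACKER_HOSTS:
                self.found.append((TRACKER_HOSTS[host], src))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline bootstrap snippets name the tracker even when there is no src attribute.
        if self._in_script:
            if re.search(r"gtag\(|ga\(\s*['\"]create", data):
                self.found.append(("Google Analytics (inline)", data.strip()[:40]))
            if "fbq(" in data:
                self.found.append(("Facebook Pixel (inline)", data.strip()[:40]))


def scan_html(html):
    """Return the tracker loads found in an HTML document, in document order."""
    parser = TrackerScanner()
    parser.feed(html)
    return parser.found


# Constructed sample page: one GA loader, one inline GA config, one inline Pixel call.
SAMPLE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-PLACEHOLDER');</script>
<script src="https://cdn.example.org/app.js"></script>
<script>fbq('init', 'PIXEL-PLACEHOLDER'); fbq('track', 'PageView');</script>
</head><body><p>Secure. Trusted. Private.</p></body></html>"""

if __name__ == "__main__":
    for label, evidence in scan_html(SAMPLE):
        print(f"{label}: {evidence}")
```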

It's important to note that PureVPN claims that the data hoarded by these services is limited to the purposes stated in their privacy policy. And yet, those purposes do not render you invisible; you can be personally identified with very few pieces of information.

It is mind-blowing that a service that claims to be private and anonymous bundles some of the most insidious tracking software not only on its website but in the app/client of a 'private' and 'anonymous' VPN.

There are some workarounds to the invasion of your privacy at PureVPN's website.

Now, while this is enough reason to justify outrage, there are some workarounds. You could use good ad-blockers and tracker-blockers, such as uBlock Origin and/or Privacy Badger. I will explain shortly why these are good choices.

Another option is to use the generic OpenVPN client so that you're not tracked by Google, Apple, and Facebook through the PureVPN app/client (because you'd no longer be using it).

However, by using these workarounds you don't solve the source of the problem. You may be better protected, but thousands of other PureVPNers aren't. They're vulnerable to data hoarding, potential data breaches, and systematic violations of their privacy by the State.

But there are fundamental technical problems with PureVPN.

This hints at the root of the problem with both the website and the client: their code is closed. If PureVPN cared about your privacy and security today, they'd give you and experts around the world the freedom to "(1) run the program, (2) to study and change the program in source code form, (3) to redistribute exact copies, and (4) to distribute modified versions". This is exactly what respectable VPN providers, such as Mullvad, do.

This means that if you find something you dislike in the VPN's app/client, you can change it. You don't like that Google, Apple, and Facebook are hoarding your 'private' data through your PureVPN app? No problem, you could change the app/client's code.

This is how PureVPN would stop hoarding your private data. If they opened up their code to public scrutiny, you and I could confirm whether the service holds up to the claims, we could ask for changes (because we know what the baseline is), and we ourselves could change it.

If you're thinking opening up your code is a recipe for disaster, think again. Linux, the most popular software on planet Earth (and probably in space too), is open source. Open source code is the basis of modern computing. Not only that, but trying to make software secure by keeping how it works a secret is doomed to fail. That is why plenty of security-critical software is designed in the open. Heck, even the browser add-ons I suggested before were securely developed this way. Experts are able to look at the code and improve it. You and I get to confirm that the code actually does what it claims to do. The company gets our trust. Win-win.

So, in summary, open source software makes PureVPN more transparent and more secure.

And there are fundamental organizational problems at PureVPN.

Alright, so this is where it gets juicy. I asked PureVPN's customer service whether their apps were open source. They told me they weren't, and then I told them a summarized version of everything I've told you today. They sent me a link to their official forums, where you could submit an 'idea' to improve the service.

This is where the fundamental flaw of PureVPN lies. Think about it. Who visits those forums? Probably people who have a specific request for their specific use-case, and people who have problems with the service. Who will upvote the posts? Those same people. Alright. What about people who do the work of uncovering PureVPN's hypocritical and insidious data-hoarding practices? Do you think people like me will create an account, handing their email address to a website running Google Analytics, to make a suggestion that may not even be voted on (because I know people like me will not visit that forum)?

At the very least, PureVPN has a channel for grievances: those forums. However, using privacy-respecting and secure software on a 'private' and 'secure' VPN provider shouldn't be an 'idea' put up on a whiteboard full of post-it notes. Privacy-respecting and secure software should be the backbone of PureVPN. Open-sourced software should be the way they do business. It's good software design. It creates trust. And yet they don't do business that way.

This problem can be solved at its roots.

So, where does this leave us? This problem can be solved, on the first instance, by submitting an 'idea' on the official forums and voting for it. I'm sure someone here can create an appropriate post on that forum, asking for privacy-respecting analytics (such as Matomo, Plausible, or GoatCounter) and an app/client that is free and open-source.

However, if that doesn't work, it's important to realize that businesses respond to their environment, especially when it affects their bottom line. You, the community of PureVPN, can do many things to let them know this is unacceptable. Inform yourselves. Seek alternatives at PrivacyTools.io, PrivacyGuides, or Prism-Break. Learn about the issue and speak up in forums like PureVPN's, as well as on Reddit and any other forum. Watch technologist Bruce Schneier's views on the issue. Watch John Oliver's take on the companies that PureVPN is pouring your 'private' data into.

If PureVPN realizes it is in their best interest to align their words with their actions, then please ask those privacy-related websites (PrivacyTools, PrivacyGuides, and Prism Break) to include PureVPN as a recommended VPN provider. For now, PureVPN is a service that claims to be private and secure, but struggles to prove it is either.

TL;DR:

PureVPN claims to be private and secure, and yet they bundle insidious trackers in their software. Good browser add-ons like uBlock Origin and Privacy Badger help. Using OpenVPN instead of the PureVPN client helps too. In fact, these may solve the issue for you entirely.

However, this doesn't solve the fundamental problem. The solution would be for PureVPN to use alternative analytics software that actually respects privacy (detailed above) and to make their software open source (with the four freedoms of free software). Until then, they can pay lip service to their thousands of customers without actually walking the talk.