Surfshark Review

Surfshark VPN 2023 Review

Surfshark VPN Review

The Good: Surfshark has its headquarters in the British Virgin Islands, and is therefore away from nosy governmental agencies. It also has a zero-logs policy, features a kill switch, and uses the open-source OpenVPN protocol and top-of-the-line AES-256 encryption.

The Bad: Surfshark does not operate its own DNS servers.

What privacy and security elements do we test for?

  1. Logging Policy
  2. Jurisdiction
  3. Protocol
  4. Encryption
  5. Own DNS Servers
  6. Kill Switch Test
  7. Leak Test

What does “logging policy” mean and why is it significant?

VPN providers may gather information about your internet activity. This is called “logging.” Of course, everyone prefers those VPN providers that don’t gather or store user information, but not all of them can claim this.

Data collection is actually a way for your VPN provider to optimize its service. This improves service performance and helps prevent service abuse. Of course, the amounts of collected data vary from VPN provider to VPN provider.

VPN providers can gather and store 4 different “types” of information. Here they are listed from the least harmful to the most harmful:

  • VPN service data: Data regarding which VPN server you’ve connected to, the operating system that you use, and version of the app you use.
  • Connection data: Your login and logout dates and times, the duration of service usage, and the amount of downloaded and uploaded data.
  • Original IP address: Your device’s real IP address. Using your phone or computer’s IP address, your location can be determined.
  • Online activity: Webpages that you go to, your search queries, your services. Your entire browsing history, in essence.

VPN service data and connection data aren’t considered harmful information to hold. After all, you are connected to your VPN anonymously and the data collected is all bundled together with that of other users. This data is used for optimizing and enhancing the VPN service’s performance. It is generally considered fair game and most VPN providers gather it on a regular basis.

Although IP address collection isn’t really a huge offense, many users are still apprehensive about this, and for a reason. At the end of the day, VPN services are used to retain anonymity, which doesn’t go hand-in-hand with IP address collection.

Finally, your internet activity falls under data that really shouldn’t be collected by your VPN service. In fact, many users resort to VPN to prevent their ISPs from collecting such data. Therefore, this is something of a hefty red flag for a VPN provider.

Out of all the VPNs recommended here, none of them collect this data type, but some free VPN providers actually do. This is very dangerous as they may end up selling this info to data collectors, which is why free VPNs are generally frowned upon.

Despite the fact that the vast majority of VPN services claim zero-log policies, there isn’t an actual standard or a set of rules regarding what a “zero-log policy” actually means. This is why it’s important that you carefully read the privacy policy and research the VPN provider before subscribing to it.

What is Surfshark’s logging policy like?

As with all top-performing VPNs, Surfshark collects some metadata on its users. As clearly stated in the privacy policy, Surfshark collects the following:

“To maintain a perfect quality of our Services and provide you with efficient support we collect diagnostics information and monitor crash reports on our apps. The information we collect contain aggregated performance data, the frequency of use of our Services, unsuccessful connection attempts and other similar information. As you probably already understood, the data collected for diagnostic purposes does not contain uniquely identifiable information.”

In short: It collects only that data needed to improve its service to you. It is not collecting your browsing behavior, IP address or other sensitive material.

On top of that, Surfshark announced in July 2020 that it has moved entirely to RAM-only servers. This is important, as these servers have no hard disk. As RAM is short-term memory that is wiped regularly, Surfshark cannot store any data on its users, even if it wanted to.

What does jurisdiction mean and why is it significant?

Essentially, the country of a VPN provider’s incorporation is called a “jurisdiction.” Every country has its own regulations to abide by, so you should take jurisdiction into consideration when choosing your VPN provider.

For instance, certain countries like Australia, the USA, and some EU members are under strict data retention laws. Data retention laws actually require ISPs in that particular country to provide a wide range of user data. This data includes websites visited and emails sent.

One of the main purposes of VPN is encrypting data that is sent over an ISP network. This means that the ISP isn’t able to read and get its hands on your data. This is among the primary reasons why many people resort to VPN in the first place – to escape mass surveillance.

The word on the web is that the VPN services are bound by data retention laws to collect user information. This rumor is a myth, as VPN services are private network providers, unlike ISPs. This means that a VPN service isn’t bound by identical rules as your standard internet service provider. A VPN service isn’t required to collect data.

That being said, government agencies actually have ways of bypassing this rule. In the US, a federal agency can actually issue a secret subpoena, like a National Security Letter, which allows it to gain access to data logs of a VPN, even of entire servers.

Bear in mind that these aren’t folktales. Instead of letting the NSA get their hands on Edward Snowden, Lavabit, an email encryption provider, was forced to close operations back in 2013. Similarly, Private Internet Access had to close its servers in Russia in 2016 to avoid the overly strict data logging rules. This means that government agencies are constantly making efforts to seize VPN user data.

To avoid these issues, there are two main things that a private user can do:

  • When selecting a VPN provider, pick a VPN location that isn’t a country that’s an international intelligence treaty member (for instance, the UKUSA agreement) and doesn’t have any data retention laws. NordVPN, for example, has its HQ in Panama, while ExpressVPN is seated in the British Virgin Islands. Both of these providers are immensely popular.
  • Make sure that your VPN has a legitimate zero-logging policy that vouches not to store your internet activity (visited websites, services used, searches made, etc.). If a VPN provider doesn’t store that information, it can’t give it, sell it, or surrender it to the government.

What is Surfshark’s jurisdiction?

Surfshark is based in the British Virgin Islands, which is not only a tax haven but also a privacy haven. There are no data retention laws, and it is not connected to any of the international data sharing arrangements.

On top of that, Surfshark features a warrant canary on its website. This means that it will publicly display any data requests it receives from governmental organizations through National Security Letters and gag orders.

What does protocol mean and why is it significant?

A VPN protocol is essentially a set of rules on how the data is transmitted and formatted via a network (the internet or a local area network (LAN)). Several protocols exist and they vary in terms of security and speed. OpenVPN is deemed the most secure, followed by L2TP, IKEv2, PPTP, and SSTP. Surfshark now also includes the WireGuard protocol.

What protocols does Surfshark use?

Surfshark uses the open-source OpenVPN (TCP/UDP) and IKEv2/IPsec protocols.

What does encryption mean and why is it significant?

Encryption is the “translation” of fully readable information into “coded gibberish.” In order to encrypt something, an encryption key is used. Naturally, only those that have key access can decipher and, therefore, read the information in question.

Advanced Encryption Standard (AES) is widely considered the best one around. There are two main encryption key lengths: AES-128 and AES-256. AES-128 is generally considered to be unbreakable, while AES-256 is stronger. The former is 128 bits long while the latter is 256 bits long.

What encryption standard does Surfshark use?

Surfshark encrypts your data according to the highest possible standard: AES-256.

What do DNS servers mean and why are they significant?

Web addresses, such as YouTube.com and Facebook.com, are, in fact, long strings of numbers. These numbers are the above-mentioned IP addresses. Complex and seemingly illogical, they aren’t easy to remember, which is why domain names, such as Facebook.com, exist.

DNS servers are basically the internet’s phone operators. Countless domain names are stored on DNS servers and so are their respective IP addresses. These servers make sure that you always reach the IP address that you were looking for when you type a website’s name into the address bar.

If a VPN provider happens to have DNS servers of its own, this means that your movement is encrypted using the exact same VPN tunnel as any other online activity that you perform. This further means that a third party can’t log or intercept it and that government agencies and organizations can’t censor it.

Does Surfshark use its own DNS servers?

Yes. Surfshark runs its own DNS servers.

What does a kill switch mean and why is it significant?

The moment the VPN becomes inactive on your connection, a safety feature called the “kill switch” is triggered. It immediately kills your internet connection. Essentially, this means that if your VPN fails, your online activity will remain hidden.

Does Surfshark use a kill switch?

Yes, Surfshark features a kill switch.

What does a leak mean and why is it significant?

It can occur that a VPN fails to hide a certain amount of data, despite being continuously active. This is called a “leak.” The most common of the bunch are IP leaks, DNS leaks, the Windows credential leak, and WebRTC leaks.

Does Surfshark leak your data?

No, Surfshark does not leak any of your data.

Surfshark Review

Surfshark is a premium VPN service based in the British Virgin Islands that offers easy-to-use anonymous and safe browsing features for the consumer market.

Its primary selling features are the unlimited number of devices per subscription and privacy protection features. It offers subscribers unlimited bandwidth using fast diskless servers, and the company claims never to throttle speeds. However, the terms of service include a fair use clause that will allow the company to restrict services if simultaneously connected devices adversely affect other subscribers. It is unclear how this is monitored and how services are limited if the company deems this to have occurred. The terms of service do require subscribers to be adults 18 years or older and prohibit the use of the service for illegal activity from copyright infringement through to distribution of malware. There are currently no data retention laws for services based in the British Virgin Islands, unlike other regions such as Europe.

Along with the no-logging policy and dynamic data storage, this means that user privacy should be assured.

Article by

PHQ Team

Pros & Cons of Private Internet Access

The Surfshark VPN service is implemented using trusted open-source VPN protocols.

The subscription fee for the Surfshark VPN service covers the simultaneous use of an unlimited number of devices, subject to the fair use restrictions.

The Surfshark VPN subscription fee can be paid using anonymous payment methods.

The Surfshark VPN services for Windows and Android support Shadowsocks proxy servers for additional VPN routing obscuration and support torrenting.

The Surfshark VPN service includes connection to servers with static IP addresses as standard.

The Surfshark VPN service includes a safe search option that enables an unmonitored and log-free internet search engine at an additional cost of £0.72 per month. This fee includes an alert service that promises real-time breach alerts and identity protection.

Access to configuration settings is limited using the iOS app; it is necessary to log in through the website to gain access to more advanced features such as enabling two-factor authentication.

The service offers 24/7 live support, but access is limited to email or an automated helpdesk popup via the application or the website.

The number of servers for countries other than the US is limited, and geographic regions outside Europe and North America have very few available servers.

Implementation of the VPN service uses open-source protocols to provide users with transparency of the integrity of the service. Configuration of the protocol can be automatic or manual, using IPsec (IKEv2), OpenVPN (TCP or UDP), or WireGuard. These are the latest and most secure protocols available. Subscriptions can be taken out monthly, half-yearly, or on a two-year subscription—the latter offering the best value for money over the long term. The service cost compares favorably with other popular premium VPN service providers when choosing the two-year subscription, the monthly subscription incurring significantly higher prices.

The VPN apps support the most popular devices and platforms, including Windows, macOS, Linux, Android, and iOS. There are also browser extensions available for most popular browsers, including Brave, Chrome, Firefox, and Opera. The VPN apps can be configured quickly and easily, though the iOS app only included limited configuration options. Therefore, it was necessary to log into the service via the website to access all configuration settings.

The Surfshark VPN service has an automatic Kill Switch to prevent any data leakage should the VPN connection drop out during use. In addition, the Surfshark service offers automated multi-hop connection via two VPN servers and uses DNS servers to avoid possible DNS leaks. These features provide users with high levels of privacy. The list of available services also includes thirty servers with fixed IP addresses located in Germany, Japan, Singapore, the UK, and the US. These are useful if the user wishes to access services protected with Captcha-type mechanisms. As a result, this fixed IP address means that the user only has to verify their humanness once.

Unhindered accessibility to streaming services such as Disney+, Netflix, and BBC iPlayer makes this service suitable for users looking for legitimate access to such services while maintaining browsing history privacy. Users should be aware that the Surfshark VPN service terms of use do not permit subscribers to download and share illegal material.

Payments Accepted by Private Internet Access

Private Internet Access Speeds

Private Internet Access VPN Server Locations    Download       Upload
United Kingdom                                  418.75 Mbit    164.6 Mbit
Australia                                       346.95 Mbit    22.6 Mbit
Taiwan                                          325.03 Mbit    0.98 Mbit
South Africa                                    176.8 Mbit     3.07 Mbit
California, USA                                 284.36 Mbit    21.46 Mbit
New York, USA                                   315.07 Mbit    52.57 Mbit
Germany                                         540.44 Mbit    148 Mbit
Spain                                           445.98 Mbit    45.04 Mbit
Brazil                                          228.1 Mbit     24.61 Mbit

Using Surfshark

The Surfshark VPN is straightforward to install and configure.

There are minimal configuration options available, with no option to alter encryption strength, so the security settings are reasonably secure by default. Some privacy-related functions, such as CleanWeb, are disabled by default, and the Surfshark Search function is an additional cost add-on service.

Applications are available for Windows, Linux, macOS, Android, and iOS. In addition, browser extensions are available for almost all browsers, including Brave, Chrome, Firefox, and Opera. Surfshark commissioned an independent security audit of the browser extension code, and the results are reported on the website. Note that this audit did not cover the installable applications.

For this review, the iOS app was installed on an iPad and evaluated.

The Application Interface

The interface is minimalist, with the screen changing color when a connection has been established, along with a clear indication of the connected VPN server location. In addition, the display includes a pull-up window showing the IP address of the linked server and the volume of data downloaded and uploaded in the current session. Switching to a different server was straightforward. Once the current session is disconnected, a quick-connect list of the last three servers used is available, along with the option to automatically connect to either the fastest available server or the nearest country. However, testing this function did highlight a peculiarity. The test was conducted from a location near London, United Kingdom. The fastest server was always Manchester, United Kingdom, and the nearest country was always Ireland.

Alternatively, pressing the locations button brings up a list of all the available servers that can be sorted by name. This page also has the option of showing just the servers with a static IP address or the multi-hop server options. The latter allows connection via two servers in different countries to improve privacy at the expense of a slower connection speed. While the service supports a global network, the focus is on the US.

The application offers connections through around 3200 servers located in 65 different countries, but there is only one connection option for most countries. For the US, there are 25 locations available; for the UK and Canada, there are three each. Once connected, the VPN connection is transparent to the user apart from latency issues seen with some servers tested. The VPN service also includes an automatic Kill Switch function to block the internet connection if the VPN connection drops unexpectedly.

The VPN service supports split tunneling under the Whitelister feature, but it does not allow the configuration of the auto-connect option to be based on the network type. Other noteworthy options include a facility to override the device GPS to match the location of the connected server and a camouflage mode that disguises network traffic to hide VPN use from the ISP. Another good feature is the inclusion of an Adblocker function known as CleanWeb that claims to block trackers and malware though this feature needs to be manually enabled.

Logging Policy and Privacy of Surfshark

Surfshark states that it operates with a strict no-monitoring and no-logging policy to ensure the privacy and anonymity of subscribers’ internet usage. It uses diskless servers that prevent permanent storage of any data and claims that it undertakes regular remote wiping of memory as part of its security processes. This RAM-only approach means that all server-held information would be deleted when the power supply is disconnected.

The headquarters of Surfshark is in the British Virgin Islands, where there is no requirement to record or retain any user information, which severely restricts what data a Government agency or law enforcement organization can access.

It is important to note that Surfshark stores subscriber account information that comprises an email address, associated payment information, details of the device used to access the VPN service, and regional location information. These account details are retained for up to two years after the date of termination of the account. Therefore, the subscriber can achieve total anonymity if they can provide a non-attributable email address and use an anonymous payment method. The website presents visitors with non-persistent cookies that manage the current session. In addition, it uses cookies to store the device’s geographic region with a one-year expiration, as well as website analytics and advertising tracking cookies that have a two-year end date. The privacy policy for the website covers the use of these cookies.