YouTube influencers selling VPNs may be a security issue - what are providers doing?
These ads "could negatively influence viewers' mental models of internet safety," say researchers
Whether you're a keen YouTube streamer or you hop on the platform from time to time, it's very likely you have come across several hosts advertising the best VPN service of the moment for top privacy and geo-blocking online.
Once a niche tool targeting businesses and cybersecurity nerds, virtual private networks (VPNs) have seen a boom in usage among everyday users in recent years. VPN popularity is tied to the fact that today's digital life—for better or worse—is getting more complex and more central to our lives. Even so, influencers trying to convince their subscribers to make the purchase have inevitably been a big push for this growth—while getting their cut.
Nothing that other companies don't do, you might think. Yet helping people protect their most sensitive data involves far more responsibility than recommending a new pair of shoes or a smartphone.
Recent research investigating influencer VPN ads suggests they might do more harm than good after all, by "negatively influencing viewers' mental models of internet safety." We asked the main providers out there what they are doing—if anything—to prevent this from happening.
The risks of influencer VPN ads on YouTube
"Our analysis suggests that VPN ads make many claims that have the potential to influence viewers' mental models not just of VPNs, but of computer security and privacy in general," concluded the research paper after reviewing 243 YouTube videos containing these ads.
For instance, researchers found many influencers using absolute terms, false technical claims, and misleading visuals to oversell the security and privacy guarantees of the products.
Among all the providers analyzed, VirtualShield was the one with the highest ratio of videos contaminated with overpromises and exaggerations. These ads also mentioned encryption and IP address routing less frequently, even though these are the two features at the core of the product itself.
Providers also target a wide range of audiences, including those mainly interested in lifestyle, gaming, or politics. This means that many people watching these ads are likely to have no (or very limited) understanding of security software and digital privacy.
The scenario gets even worse considering that these kinds of videos have far more engagement than those not advertising VPNs, said the researchers, gaining a total of 63 million views between 2016 and 2020 alone.
"This could leave them [viewers] susceptible to scams that promise protection, or even contribute to resignation, in which people decide that if true security or privacy is impossible, there's no reason even to make an effort to improve their posture," warned researchers.
Influencer VPN ads - differences and similarities
Researchers thoroughly highlighted how VPN providers display different strategies when it comes to advertising their products through YouTubers.
For instance, ExpressVPN (54 videos) and Tunnelbear (22 videos) appear to be the oldest advertisers on the platform. Yet, NordVPN now features in more videos (60) with more views. Private Internet Access (PIA) ads are included in only 18 videos, but the company is third in terms of views.
The messages vary, too, with NordVPN, ExpressVPN, and Surfshark ads generally describing all the product's main capabilities in the same ad, while providers like Tunnelbear and VirtualShield seem more focused on mentioning the threats rather than features. Yet, "other content, such as technical claims and broad guarantees, appears consistent among VPN companies and over time," noted researchers.
What the study couldn't identify was how much control—or interest, actually—the companies have over the content YouTubers craft into the ads. Looking at the video below, probably not much.
That's why we decided to contact 15 providers—those featuring most often on our lists of favorites—to understand their strategy and whether or not they ensure that influencers don't mislead their customers through badly crafted ads. Five companies, including VirtualShield and Tunnelbear, haven't gotten back to us so far.
Seven out of 10 providers confirmed influencer VPN ad campaigns as one of the channels included in their marketing strategy. These are thought to better connect with different audiences thanks to what a Surfshark spokesperson described as "a humanized approach." Surfshark, PIA, and CyberGhost also confirmed that they work on similar projects with creators across other social media platforms.
When asked about the overpromises around password and financial information protection against hackers—the research noted this to be recurrent across NordVPN and Surfshark ads, in fact—both companies stressed the fact that a VPN isn't a one-tool solution.
"Therefore a couple years ago we started working on additional products, like NordPass or features, like Threat Protection," Laura Tyrylytė, Head of Public Relations at Nord Security, told us. Likewise, Surfshark pointed out that its Surfshark Alert can, in fact, "prevent hackers from doing further damage" and encourages users to upgrade to its Surfshark One bundle for more comprehensive protection.
These and other misleading messages might then be the result of how influencers presented the final content. In fact, when it comes to how providers guide and review the influencer VPN ads, we got mixed replies.
Both Surfshark and NordVPN said they equip creators with thorough guides and guidelines containing all the things they need to know about the product. Yet, despite recognizing cybersecurity as a highly sensitive topic, they said they leave the rest to the influencer's creative freedom.
At the same time, Tyrylytė from Nord Security stressed how the research marks only a fraction of NordVPN videos as overpromising. "As a matter of fact, NordVPN shows one of the best results among key players in the market."
AtlasVPN seems to take a further step to ensure ads' accuracy by enabling influencers to try out the product for themselves for about a month before they start producing their content. "This approach helps ensure that our product is promoted by individuals who have firsthand experience using it and are familiar with its features and benefits."
PIA and CyberGhost strike a slightly different tone: both are said to have "processes in place" to address issues with content published on their behalf. Proton, meanwhile, claims to review content on ProtonVPN before and after publication to ensure it is as accurate as possible.
The Swiss-based provider also stressed the importance of trust among consumers. "For this reason we are incredibly selective when choosing who to collaborate with, and to ensure that no misleading or irrelevant information is included."
Trust seems to be something very important to the ExpressVPN team, too. The company is said to have launched the VPN Trust Initiative with the i2Coalition in 2020 exactly to create a set of standards around privacy, security, transparency, and advertising practices. Talking about the ExpressVPN ads included in the research paper, the firm claims that a lot has changed since then.
"Today, we work much more closely with influencers to ensure even more accuracy and precision in their materials," an ExpressVPN spokesperson told TechRadar. "We recognize that there is always work to be done to better educate consumers (and influencers), and will be working even harder to inform and empower everyone to take control of their internet experience."
The VPNs deeming influencer ads as "unethical"
Only three among all the providers we spoke to took a strong stance against any type of influencer VPN ads, deeming the practice unethical.
Talking about the harm caused by these campaigns, Mullvad CEO Jan Jonsson told us: "They simply recommend something since they get paid for doing so. Influencers have no trustworthiness for anything they say if money is involved."
He also stressed the company's continuous effort to educate the market, while continuing to do things the "Mullvad way" no matter the competition.
Yegor Sak, Founder of Windscribe, was also very vocal against this growing marketing practice. He said: "For most products, the worst that can happen is that you buy garbage and waste your money. With VPNs, buying the wrong one based on a suggestion of an 'influencer' can land you in prison, or worse, in many countries where VPNs are highly popular."
Sak also said he has reached out in the past to several YouTubers responsible for spreading misinformation about privacy tools, proposing to produce paid anti-VPN sponsored content to expose these inaccuracies. "As expected, we had zero takers as none of them were interested in biting the hand that feeds them."
Hide.me, another member of the i2Coalition, is also said to have never engaged with influencers to advertise its product. The company believes, in fact, that this type of marketing—which exploits viewer trust—is not well suited for a security product. It urges the VPN industry to hold itself to higher standards while condemning misleading and false messages about security.
Yet, the firm thinks the damage these ads can do is quite limited nowadays. "Even though some marketing claims are exaggerated, it might draw interest to the subject. All in all we believe the average audience won't have a negative impression of VPNs after watching a 30 second ad."
Beyond influencer VPN ads
As we have seen, providers have different views when it comes to the risks of influencers' VPN campaigns. While researchers are calling for further study to measure the level of harm that these ads have on viewers, what's certain now is that this advertising channel is expected only to keep growing.
We believe in proper education, especially when it comes to a complex and ever-changing matter such as cybersecurity. We therefore invite anyone thinking of getting the VPN recommended by their favorite YouTubers to always be skeptical about their explanations. Checking different sources like websites and community forums before finally clicking the Buy button is key.
It is also worth remembering that even the most secure VPN out there isn't a magical antidote to all cyber threats. VPNs can only boost users' privacy and anonymity online, but they can never guarantee 100% protection.
Other tools like antivirus, secure browsers, and encrypted communication apps can help as well, but only if users also improve their digital posture with actions like—among other things—limiting the details they share online, regularly reviewing privacy settings, and keeping all their apps and devices up to date.
With many different VPNs out there delivering reliable and secure performance, it's ultimately up to consumers to decide which company to trust with their data and—more importantly—the business model to support with their money.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com