If you’ve spent any time researching a VPN, a password manager, or an encrypted email service, you’ve probably noticed the same thing: every product claims to be the best. Every comparison “review” looks suspiciously similar. Every YouTube video starts with “this video is sponsored by…”
The privacy tools market has a unique pathology: the products are fundamentally trust-based, but the way you find them is through the most untrustworthy channels imaginable. Marketing dollars flow toward the loudest brands. Affiliate-driven content rewards whichever vendor pays best. The result is a discovery experience perfectly designed to make you choose poorly.
This guide is meant to give you a way out. It’s the framework I use, and that we use at VetBench, when evaluating any privacy tool — VPN, password manager, encrypted messenger, email, cloud storage, whatever.
The questions that matter, in order
When I look at a privacy product, here are the questions I work through. The order is intentional: the early questions are deal-breakers; the later ones are tie-breakers.
1. What’s the threat model?
Before you evaluate any tool, decide what you’re protecting against. This sounds obvious, but most people skip it and end up either over- or under-spending.
Possible threat models:
- ISP and ad-network surveillance (most people, low effort): your ISP sells your browsing data; advertisers profile you across sites. A reputable VPN + a privacy-respecting browser solves most of this.
- Public Wi-Fi attackers (travelers, remote workers): attackers on the same network can intercept unencrypted traffic. Any VPN solves this.
- Service-level data collection (people who don’t want Google to read their email): you need an encrypted email provider, not a VPN. Different problem, different tool.
- Geographic restriction circumvention (most people who buy VPNs, honestly): you want a VPN that’s good at unblocking specific services. Privacy is a side effect, not the point.
- State-level surveillance (journalists, activists, dissidents): you need Tor, plus operational security training. No commercial VPN is sufficient. Don’t pretend otherwise.
- Targeted attacks by capable adversaries: you need a security team, not a product purchase.
If you can’t articulate which of these applies to you, you probably want category 1 or 2, and you’re likely about to overspend on features you don’t need.
2. Who legally controls this company, and where?
For any service holding your data, you need to know:
- What entity legally operates the service? (Not the brand name — the actual incorporated company.)
- In what jurisdiction is it incorporated?
- What surveillance/data-disclosure obligations does that jurisdiction impose?
- Has the company been compelled to disclose user data before? What happened?
This matters because no privacy tool is stronger than the legal regime its operators live under. A perfectly engineered service in a Five Eyes country is one warrant away from compromise. A flawed service in Switzerland might still resist disclosure better.
Look up the corporate registration. Use zefix.ch for Swiss companies, Companies House for UK, SEC EDGAR for US public filings, OpenCorporates for general lookup. If the company is hard to identify, that’s a red flag. If they hide behind a series of holding companies in privacy-friendly jurisdictions but their actual operations are in the US, that’s also a red flag.
3. Has the company been independently audited?
The single most important question to ask of any privacy product: has someone independent verified the privacy claims?
What “audit” means in practice:
- Code audits (for software with source available): the code does what they say.
- No-logs audits (for VPNs and similar): the infrastructure isn’t secretly logging.
- Penetration tests: the service is reasonably secure.
Look for:
- The auditor’s name (Cure53, Securitum, Deloitte, PwC, NCC Group, Trail of Bits — these are real firms with reputations).
- A published report (not just a blog post claiming “we passed an audit”).
- A recent date (more than 2-3 years old means stale; the company should re-audit periodically).
Major red flag: a privacy product with no published independent audit. Either they’re new (in which case you’re a beta tester) or they’re hoping you don’t ask.
4. Is the client open source?
This is the single biggest tell of how seriously a company takes user trust.
For software that runs on your device — VPN client, password manager, encrypted email client — open source means:
- Anyone can verify the binary does what the company claims.
- Anyone can fork it if the company turns hostile.
- Independent security researchers can find bugs without permission.
Open source is not a panacea (the XZ backdoor incident was 2024’s reminder of that), but it’s a meaningful baseline. Closed-source privacy software requires you to trust the binary. Given the choice, prefer the option you can verify.
In practice, the open-source landscape:
- VPNs: ProtonVPN (all clients open), Mullvad (all clients open), IVPN (all clients open). Most others are closed.
- Password managers: Bitwarden (open), KeePass (open), Proton Pass (open). 1Password, NordPass, Dashlane are closed.
- Email: ProtonMail (web client open), Tutanota (open).
- Messaging: Signal (open), Matrix clients like Element (open).
5. What’s the company’s incentive structure?
Where does the money come from? Companies follow money, even ones with good intentions.
- Subscription: most aligned with users (your ongoing payment is the only revenue source). Examples: Proton, Bitwarden Premium, 1Password.
- Freemium: aligned but with degradation pressure (the free tier has to remain useful enough to attract conversion).
- Ad-supported: poorly aligned (your data is the product). Avoid for privacy tools.
- Investor-backed but not yet profitable: pressure to monetize will come; watch what happens at the next funding round or acquisition.
- Acquired by private equity: prepare for product enshittification within 2-3 years. Move proactively.
Also check: is the company part of a larger holding group with conflicting incentives? (Nord Security owns both NordVPN and Surfshark; Kape Technologies owns ExpressVPN, PIA, CyberGhost, Zenmate. The “competitive” market is more concentrated than it looks.)
6. What happens when things go wrong?
You will eventually need to: recover from a forgotten password, restore from a backup, migrate to another tool, retrieve your data after a billing dispute.
For each tool you’re evaluating, find out:
- Is there an export-everything function? In what formats?
- What does account recovery look like? What if you lose all your devices?
- What’s the customer support like? (Try them before signing up — email a pre-sales question and see how long they take.)
- If the company shut down tomorrow, how would you migrate?
This is the question that distinguishes “tool I rent” from “tool I own.” You want to be in the second category as much as possible.
The questions that don’t actually matter
There’s a parallel set of questions that the marketing wants you to focus on, that mostly don’t matter:
“How many servers do they have?”
Server count is a marketing metric. What matters is server quality — are they fast, are they in the locations you need, are they actually present (not virtualized in some other country with a pretend country flag), are they audited?
“What’s the encryption?”
Almost every reputable VPN uses AES-256 with the same handful of supporting protocols. “Military-grade encryption” is a phrase that means nothing. If a tool uses standard, audited encryption (AES-256, ChaCha20-Poly1305, Curve25519, etc.), that’s enough. The question is implementation correctness, not algorithm choice.
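To make the "implementation correctness, not algorithm choice" point concrete, here is an added example (not code from this guide or from VetBench) written against the Go standard library. Both encryption paths use exactly the same primitive, AES-256-GCM; the only difference is how the nonce is handled. The function names, the 32-byte key and the two sample messages are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmTagSize is the length of the authentication tag GCM appends to every ciphertext.
const gcmTagSize = 16

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealFixedNonce is the flawed implementation (hypothetical): "AES-256" on the label,
// but the same all-zero nonce is reused for every message under the same key.
func sealFixedNonce(key, plaintext []byte) []byte {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize()) // never changes between calls
	return aead.Seal(nil, nonce, plaintext, nil)
}

// sealRandomNonce is the correct implementation: a fresh random nonce per message,
// prepended to the ciphertext so the receiver can use it.
func sealRandomNonce(key, plaintext []byte) ([]byte, error) {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// openRandomNonce decrypts output of sealRandomNonce and fails on any tampering.
func openRandomNonce(key, sealed []byte) ([]byte, error) {
	aead := newGCM(key)
	ns := aead.NonceSize()
	if len(sealed) < ns+gcmTagSize {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// recoverFromNonceReuse shows why the fixed-nonce version is broken: GCM is a stream
// mode, so the same key and nonce produce the same keystream, and ct1 XOR ct2 equals
// pt1 XOR pt2. Knowing one plaintext therefore reveals the other (up to the shorter
// length). Tag bytes at the end of each ciphertext are excluded.
func recoverFromNonceReuse(ct1, ct2, knownPt1 []byte) []byte {
	n := len(knownPt1)
	if m := len(ct2) - gcmTagSize; m < n {
		n = m
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = ct1[i] ^ ct2[i] ^ knownPt1[i]
	}
	return out
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key; never hard-code keys in real code
	pt1 := []byte("transfer 100 to alice")
	pt2 := []byte("transfer 900 to carol") // constructed; same length as pt1
	ct1 := sealFixedNonce(key, pt1)
	ct2 := sealFixedNonce(key, pt2)
	fmt.Printf("fixed nonce, second message recovered from the first: %q\n",
		recoverFromNonceReuse(ct1, ct2, pt1))
	s1, _ := sealRandomNonce(key, pt1)
	s2, _ := sealRandomNonce(key, pt1)
	fmt.Printf("random nonce, same plaintext twice gives identical ciphertext: %v\n",
		bytes.Equal(s1, s2))
}
```

The "cipher" is identical in both paths, which is the point: a vendor quoting AES-256 tells you which primitive they picked, not whether the nonce handling, key storage, or randomness source is right, and that is what an audit is supposed to check.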
“Do they have feature X?”
Privacy tools accumulate features as differentiation. Most of them don’t matter. Built-in ad blocker? Use uBlock Origin instead. Dark web monitoring? Use Have I Been Pwned for free. “Smart” DNS? Just use the VPN. The core function is what matters; the extras are mostly marketing.
“Is it the cheapest?”
Privacy tools are not the place to optimize for the lowest price. The cost difference between the best option and a mediocre option is generally $50-100/year. The cost of a wrong choice — bad recovery, data loss, vendor compromise, having to migrate later — is much higher. Don’t be cheap here.
“Is it the most popular?”
Popular is partially a function of marketing budget. The privacy products with the most ads on YouTube are often the least aligned with user interests, because those marketing dollars come from somewhere. Inverse correlation between megaphone size and product alignment is a real pattern in this market.
A scorecard you can actually use
Before you commit to any privacy tool, write down answers to these eight questions. If you can’t answer them confidently, you don’t know enough to pick this product.
- Threat model: Specifically what am I protecting against?
- Operating company: Who legally runs this? In what jurisdiction?
- Audit status: Most recent independent audit (auditor + date)?
- Open source: Are the clients open? The server?
- Funding model: Where does the money come from? Any acquisition risk?
- Recovery story: How do I get my data out if needed?
- Real cost: First-year price + renewal price + 5-year total cost?
- Independent verification: Where (other than the vendor) have I verified my answers above?
If you can fill in all eight, you’ve done more research than 95% of buyers in this market.
On the limits of any privacy tool
A final, slightly philosophical note.
There is no consumer privacy product that gives you “real” privacy in any unconditional sense. Every tool moves trust from one party to another — your ISP to a VPN provider, your email provider to an encrypted email provider, your cloud storage to a self-hosted server. You’re not eliminating trust; you’re choosing who to trust.
The right framing isn’t “is this tool perfectly private?” It’s “is the entity I’m shifting trust to better aligned with my interests than the entity I’m shifting trust away from?”
For most people, most of the time, the answer is yes for reputable privacy tools. The marginal improvement matters. But it’s not magic, and anyone selling it to you as magic is selling you something else.
VetBench tests and reviews privacy tools by buying them ourselves and running reproducible tests.