New research raises some concerns
The issues with virtual location servers
VPN service providers promote online security and anonymity. They claim to not keep logs and provide high speed downloading by effectively providing you access to the nearest 'virtual' server.
That server, however, may not be that close geographically. To address that, some providers also offer servers at virtual locations. However, there are various reasons to be concerned about where these VPN servers are actually located.
Given that one man's terrortist can be another man's freedom fighter, there are differing views on which physical locations can be considered acceptable or not. Some consider the US and its allies to be dangerous whilst some might prefer US-based servers, as no legal requirement to retain logs is in place.
Likewse, on a purely commercial level, the running costs of having lots of low traffic, remotely located servers versus a few high traffic ones, in turn, impacts pricing.
But the real underlying concern has to be access to reliable, verifiable information on matters as fundanemtal as log retention. Whilst, a user can monitor speed and see access to content (specifically any that is geo-blocked), log retention is not verifiable.
And that is why virtual server usage and disclosure on locations should be made available.
Findings (https://restoreprivacy.com/virtual-server-locations/) suggest that for a variety of reasons, some financial and others practical, that the reality of virtual server locations is that they are often clustered around a small number of easy access locations, usually close to the user's base.
Determining the location of servers
it should be easy to find server locations. There' are a number of public domain data sets that will help point you in the right direction, not least the pronouncements of the providers themselves. That stated, it seems that some information doesn't appear to correspond with reality so the locations remains elusive.
However, whilst it is not easy, there are diagnostics tools available that allow the skilled user to make educated and informed estimations as to where they are.
How can virtual servers locations even be possible?
VPN providers can exploit the lack of coordination between Internet monitoring organizations to help disguise the real locations of their servers. The provider can lease IP addresses owned by various ISPs across the globe. It can then announce them via the ISPs that actually provide the internet access to the server. This ensures any traffic goes directly to them regardless of the nominal locations of their IP addresses.
ISPs can obtain IP addresses from Regional Internet Registries or RIRs. Firms can then setup accounts with an ISP and lease addresses from them.
Firms can also register domain names with multiple name registries. After providing basic organizational and contact information, they can specify named servers which map their domain names to IP addresses delegated to them by their ISPs.
Once your device finds the IP address for any given domain name, and initiates a connection, then your ISP needs to know how to reach it but it's nominal geographical location doesn't help. Once the best routing has been established and the required information is furnished, the determination can be made as to the probable location.
But there's a catch. When arranging Internet connectivity with it's local ISP, a firm discloses it's IP address that it's leased from other ISPs, if those other ISPs agree. It then advises it's ISP of the shortest router-to-router path to the firm's servers, so the ISPs that own the address aren't involved in routing traffic!
Summary of the report's conclusions
- There are pros and cons to virtual server locations. However, users deserve to know where their VPN provider have theirs. VPN providers exploit the lack of coordination between Internet monitoring organizations to hide the real location of their servers.
- Three of the VPNs reviewed (NordVPN, Perfect Privacy and VPN.ac) disclose no virtual locations and no substantial evidence to the contary was discovered. Four of the eight VPN services (ExpressVPN, HideMyAss, PureVPN and Surfshark) disclose at least some virtual locations.
- Virtual locations seem to be clustered around a few cities and/or countriese.g. Singapore, The Netherlands Overall, five of the eight VPN services (ExpressVPN, NordVPN, Perfect Privacy, Surfshark and VPN.ac) have disclosed all or nearly all of their virtual locations.
- Eight providers were reviewed: ExpressVPN, NordVPN, Perfect Privacy, Surfshark, VPN.ac, Hidemyass, PureVPN and VyprVPN
Our general feeling after reading this is that these remain murky waters and long may that continue, although there has been some pushback as to the need and value of this research and what constitutes the 'right' level of disclosure vs privacy.
For the full report, it's disclosures, methodologies and findings, please refer to the link shown above.