Photo illustration by Lisa Larson-Walker. Photos by Unsplash.

The Internet Censor’s Dilemma

The more countries try to restrict virtual private networks, the more people use them.

It’s the best of times and the worst of times for virtual private network providers. In the past year, several governments, most notably China and Russia, have tried to crack down on VPN usage. In July, China went so far as to pressure Apple to remove VPN apps from the Chinese App Store. But even as VPN providers have struggled to outmaneuver some of these technical restrictions, many report that demand for their services is growing—even in China—and that efforts aimed at curbing their usage have generated interest in VPNs rather than deterring users.

VPNs are a natural target for governments trying to tighten national control over the internet. When you connect to a VPN, the VPN provider essentially takes on the role of your internet service provider. So instead of being able to track which websites you connect to, the only thing your local ISP—or your government—can see about your traffic is that it’s all going to servers owned by your VPN provider. If those servers are located outside your own country, then you can often access sites that would be blocked for traffic originating from your own IP address. If your VPN provider doesn’t store any data about its customers or their online activities, it also becomes much harder for anyone to trace your online activity back to you.


VPNs are useful for more than just protecting people’s privacy—they also allow users to access online content that is blocked in their country (particularly Netflix shows or movies, for instance). But whatever people’s motivations, several governments that surveil internet use and restrict content have regarded VPNs with suspicion for a long time, and a handful of countries have actually passed laws aimed at restricting their use. In the United Arab Emirates, for instance, it is illegal to use a VPN to commit a crime or prevent the discovery of a crime. But banning VPNs outright is a nonstarter because they’re so critical for business. Organizations, especially those with an international presence, need to operate VPNs in order for their employees to be able to connect securely to their internal networks from home or hotels, or so that their offices in different countries can all be connected to the same corporate network.

Because of this need to tolerate corporate VPNs, regulations around the services are rarely clear-cut, and most attempts at cracking down on them have focused on the companies that market their VPN services to individual users. This past summer, when China decided to get more aggressive about VPNs in the months leading up to its National Congress of the Communist Party in October, the government blocked the websites of popular VPN providers so that people in China would be unable to find them or download their portals. They recruited Apple to block access to those same providers’ mobile apps and ordered China’s three state-owned telecommunications companies to block access to VPN servers as well.

Yet many VPN providers report that user growth—both in China and outside—climbed steadily in 2017 as they developed alternative solutions to circumvent China’s restrictions. For instance, NordVPN, which operates just under 3,000 servers, has seen “lots of interest and really high growth” in China over the past year, according to head of communications Ruby Gonzalez. Similarly, a Russian law ostensibly came into effect in November forbidding VPNs from allowing users to access a list of blocked sites and requiring internet service providers to block access to VPN services, but it appears to have made little difference. Gonzalez said that NordVPN, which operates 16 servers in Russia (and none in mainland China), has taken no steps to block any sites banned by Russia and experienced no consequences thus far.

“Theoretically any VPN that fails to comply with those restrictions is supposed to be banned, and we never even considered complying. So we were ready to drop our Russian service, but so far nothing has changed for us,” Gonzalez said.

Gonzalez declined to share specific numbers about how many users the company has in China or Russia, but she said that in 2017 the company saw overall user growth of 400 percent worldwide—growth that she thinks was helped by news stories about restrictions like those in Russia and China. “There’s this irony that as governments try to limit encryption or VPNs people get to know about these ways to access the internet,” Gonzalez said. “They know that these services are being banned, but at the same time they know there’s a reason they’re being banned and that actually drives up the interest.”


Private Internet Access (PIA) and ExpressVPN, two other VPN providers, also witnessed user growth worldwide in 2017, according to ExpressVPN Vice President Harold Li and Ted Kim, CEO of London Trust Media, which owns PIA. Both Li and Kim declined to share how many users their services had overall and in specific countries, though Li said that recently the greatest user growth for ExpressVPN has been in Western countries, where personal VPNs are typically less common than they are in Asia.

VPN providers are very reluctant to disclose how many users they have, much less where those users are located, both for business purposes and for fear of attracting attention from regimes trying to crack down on these services. This makes it difficult to estimate the number of people using VPNs or trends in usage, but in 2017 roughly one-quarter of internet users worldwide had used a VPN in the past month, according to a survey by Global Web Index, a firm that collects data on technology users. Unsurprisingly, the survey found that VPN usage was most heavily concentrated in countries with more restrictive internet regulations. Roughly 31 percent of internet users in China and 25 percent in the UAE used VPNs, for instance, compared with only 17 percent in North America and Europe. But the motivations for using VPNs differ by region in interesting ways. Western VPN providers often view (and promote) their services as a means for protecting user privacy online, but in the Global Web Index survey, the majority of Chinese VPN users said they turned to the services primarily in order to access blocked TV shows, movies, and music. The anonymity protections are more like a fringe benefit—they provide added security that undoubtedly benefits users but might not, on its own, have been enough to motivate them to pay for a VPN without the additional draw of access to movies, games, and music.

Just as the publicity surrounding policies and restrictions in China and Russia may have helped drive interest in VPNs there, so, too, did policy changes in the U.S. in 2017 lead to user growth, several providers said. For instance, Li said ExpressVPN saw a spike in interest in the U.S. after the March 2017 vote by Congress to roll back privacy protections that prevented internet service providers from selling customer information without first obtaining permission from their customers. In the week following that vote, Li said, U.S. subscriptions to ExpressVPN increased 97 percent compared with the same period during the previous month, and 204 percent compared to the same period during the previous year. “Demand hasn’t abated since, making the U.S. one of ExpressVPN’s largest and fastest-growing markets,” Li added.

Pushing back against restrictive regulations isn’t new for VPN providers. They’ve been facing blocks and bans in countries like China and the UAE for years and finding ways to circumvent these restrictions for just as long. Since they can operate remotely from anywhere, VPN providers always have the option of picking up and leaving any country they find to be overly restrictive, while still being able to serve customers in those countries. In this way, they can avoid legal requirements to store logs of user activity, or law enforcement raids. For instance, several PIA servers in Russia were seized without warning a few years ago. The company subsequently stopped operating any servers in Russia, Kim said.


So VPN providers have been going back-and-forth with restrictive governments for some time. The thing about 2017 that felt really new—and different—to many of them was the sudden involvement of Apple. To have a U.S.–based company suddenly get involved in cutting off access to VPNs for people in certain countries changed providers’ understanding of who was on their side and who they were fighting against. Moreover, Apple’s App Store block was more effective than any other technical restrictions the VPN services had faced before. According to Gonzalez, it’s the one restriction that NordVPN has been unable to circumvent for iPhone users based in China.

For both practical and political reasons, many VPN providers are concerned about the potential for governments like China’s to use their economic clout to convince Western intermediary tech companies to assist them. As long as there continue to be countries where VPN providers can locate their servers and are not required to store logs they don’t want to keep, or provide information to governments they don’t want to comply with, these services will continue to operate regardless of the regulatory shifts in any individual nation. But being able to advertise and provide those services could get much harder if governments follow in China’s footsteps by roping in intermediaries like Apple. If, for instance, Google agreed not to show any links to VPN providers in its search results for certain countries, or PayPal agreed not to process payments to VPN providers (something that has, in fact, happened as close by as Canada), then marketing and monetizing their services could become significantly more difficult for VPN providers. It’s these U.S.–based companies that seem to pose the greatest potential threat to the thriving VPN business at the moment, rather than foreign governments or restrictive regulations.

More from Technology

Is the Worst of the Cambridge Analytica Scandal Over for Facebook?

Why University Networks Are Such a Tempting Target for Foreign Hackers

Farewell to Craigslist’s Personals Section, an Artifact of the Older, Weirder Web

Would Facebook Ever Let Users Pay to Get Out of Data Collection?

Elon Musk Takes Down Facebook Pages for Tesla and SpaceX After Bizarre Twitter Exchanges

We Have No Idea What Self-Driving Car Problems Will Really Challenge the Legal System