Senator Ron Wyden and Representative Anna G. Eshoo have written FTC Chairwoman Lina Khan asking the agency to address “deceptive data practices” in the VPN industry.
Virtual private networks are often touted as a vital security and privacy measure, but many computer experts say their importance is overrated. To make matters worse, many VPN providers don’t live up to the claims they make about the privacy they offer.
The lawmakers point out how widespread the problems are in their letter:
“In December 2021, Consumer Reports (CR) found that 75 percent of leading VPN providers misrepresented their products and technology or made hyperbolic claims about the protection they provide users on their websites, such as advertising a ‘military-grade encryption’ which doesn’t exist,” the lawmakers write. “Advocacy groups have also found that leading VPN services intentionally misrepresent the functionality of their product and fail to provide adequate security to their users. We’re highly concerned that this deceptive advertising is giving abortion-seekers a false sense of security when searching for abortion-related care or information, putting them at a higher risk of prosecution.”
The lawmakers then went on to provide specific examples of some of the abuses VPN companies have become known for:
“VPN services have also been exposed for collecting, and, in some cases, abusing, user data. In 2020 it was revealed that a leading analytics firm used personal data from over 35 million people who had downloaded one of their 20 VPN and ad-blocking apps to power their analytics platform without consent. Notably, the apps didn’t reveal their connection to the analytics firm. Another study found that 75 percent of Android VPN apps report personal user data to third-party tracking companies and 82 percent request permissions to access sensitive resources, including user accounts and text messages.”
The lawmakers’ letter makes clear the dangers of downloading and installing a VPN without doing due diligence to ensure it lives up to its claims. Many VPNs provide little to no information about their business or their leadership, offering little real-world accountability for their actions. Many have not been independently audited to verify their claims.
One VPN that often comes recommended by top security experts for checking all of the above boxes is Mullvad. Based in a privacy-friendly jurisdiction, Mullvad’s apps are open-source and have been externally audited. The company has a zero-logs policy, and accounts are anonymous. In fact, the company recently removed the ability to have a recurring subscription to cut down on how much information it has on its customers.
Unfortunately, VPN companies of Mullvad’s caliber are few and far between.