Determining whether or not a VPN provider is considered safe is crucial when shopping for a VPN service.
But how do you make that call?
There are many things to look at: the logging policy, the privacy policy, the available encryption, the network infrastructure, the history of the company (i.e. have they ever been hacked?), and more.
Let’s find out what we can find by scouring the Internet in general, and Surfshark‘s website in particular.
Read on below as we answer the question: Is Surfshark safe?
Reputation
Any Hackers in the Room?
Surfshark was founded in 2018, and operates from the British Virgin Islands.
Their marketing materials put a strong focus on user privacy and security – which is always nice to see from a VPN provider. And, as of today, they have never been hacked.
This is great news. But the company is still very young. Time will tell if this stays true. And if it does, it will make the “Never been hacked” claim much stronger.
Security Audit
In late 2018, Surfshark commissioned the German security firm, Cure53, to audittheir Firefox and Chrome browser plugins.
The results were released in November of that year. And despite finding two extremely low severity issues, the results of the audit were glowing.
From Cure53’s report:
“As the extremely low number of findings and their limited implications clearly indicate, the results of this Cure53 assessment of the Surfshark VPN extensions position the product in a very good light. […] To sum up, Cure53 is highly satisfied to see such a strong security posture on the Surfshark VPN extensions, especially given the common vulnerability of similar products to privacy issues.”
So this is all good. The only problem here is scope, for the two above points.
It’s great that they’ve never been hacked. But the Surfshark service is less than three years old.
And it’s great that the security audit only found two very low severity issues. And that they rate the security and privacy of the tested products as being very robust.
But the audit only applies to the Firefox and Chrome browser extensions. Not their VPN apps. And not their VPN infrastructure.
So while limited in scope, for now, this is still encouraging.
Click here to get Surfshark (83% discount)Policies
Let’s take a look at Surfshark’s Privacy Policy.
Right off the bat, we find this:
“We’re based in the British Virgin Islands, which allows us to keep our VPN logs-free. We don’t collect any information that could lead us to know who you are or what you’re up to online. Surfshark respects your privacy, therefore we are committed to not process any data related to the online activity of our users. Surfshark is based in the British Virgin Islands, which does not require data storage or reporting. We do not collect IP addresses, browsing history, session information, used bandwidth, connection timestamps, network traffic and other similar data.”
To break that down, Surfshark privacy policy explicitly states:
- No IP address logs
- No browsing history logs
- No session information logs
- No bandwidth consumption logs
- No connection timestamps logs
- No network traffic logs
This is all in line with what you’d expect from a safe VPN service.
But a few paragraphs down, the privacy policy gets into the information they do collect. And while Surfshark can be commended for wanting to be transparent with its users, there are a few little things that caught our eye.
From Surfshark’s privacy policy:
“The information we collect contains aggregated performance data, the frequency of use of our Services, unsuccessful connection attempts and other similar information.”
To be clear, this is not nefarious. They do need to assess their network’s performance. We would just like them to perhaps explain what “aggregated performance data” means and implies.
They should also explain how “the frequency of use of our service” and “unsuccessful connection attempts” differ from “session information logs” and “connection timestamps”.
We have no reason to doubt their word. But more thoughtful explanations would be welcome.
Nonetheless, their privacy policy ticks most of the right boxes and its tone is resolutely pro-privacy.
Jurisdiction
If you’ve read any of my previous articles on the subject, you know that I believe a VPN provider’s no-logging policy is more important than its jurisdiction, in regards to the security of the service.
However, it could still be argued that VPN providers based in jurisdictions outside of the 14 Eyes nations are slightly safer. Surfshark is based in the British Virgin Islands.
Now, officially, the Virgin Islands have political and legal independence from the U.K. And the Virgin Islands have no mandatory data retention laws, which allows Surfshark to operate log-free.
But some suspect that independence isn’t that clear cut in reality. After all, they are called the British Virgin Islands.
I’ll let you make up your own mind on that one. But I would not have a problem with a VPN provider operating from the British Virgin Islands, myself.
We discuss VPN jurisdiction issue in-depth, in our 5, 9 & 14 Eyes: What Does It All Mean For VPN Users? article, if you would like more information on the subject.
Security Features
VPN Protocols
Surfshark only offer two VPN protocols and this is good.
- IKEv2/IPSec
- OpenVPN
It’s good because these two protocols are the two most secure VPN protocols available today. Some providers still offer weaker protocols, such as L2TP/IPSec, or worse, the obsolete PPTP protocol.
We’re happy to see Surfshark focus their service on secure protocols.
Encryption
Surfshark uses industry-standard AES-256-GCM encryption. This is extremely secure. The AES-256-GCM cipher has no known vulnerabilities.
VPN Kill Switch
The Surfshark service comes with a VPN Kill Switch. The Kill Switch automatically blocks all traffic from leaving your device, if your connection to the server ever drops.
This protects you from traffic leaks even if your device is unattended.
DNS Leak Protection
Surfshark, in line with VPN providers who take privacy seriously, operate their no-logging DNS servers from within the VPN tunnel.
Your DNS requests are also protected by the same encryption as the VPN tunnel.
And because the DNS servers are inside the tunnel, your DNS requests cannot leak.
MultiHop
Surfshark’s MultiHop feature routes your traffic through two VPN servers, rather than one, before sending it to its destination.
This adds a second level of security to your connection. And is great for your more critical activities.
Dissidents in authoritarian countries should definitely use this feature.
CleanWeb
CleanWeb is Surfshark’s ad & tracker blocking service. With this enabled, you won’t see any ads.
And your connection will be that much more private without all those pesky trackers that have infested the Web.
HackLock & BlindSearch
When you sign-up, Surfshark gives you the option of bundling two extra services to your subscription, for an extra 1 USD per month.
Hacklock, scans compromised databases for your email addresses & passwords. The service alerts you if any of your credentials have leaked.
BlindSearch is Surfshark’s proxied Bing search. When searching the Web with BlindSearch (accessible from within their native apps), the server proxies your search requests, gets the results and pushes them back to you.
Bing does not get the opportunity to funnel any of your data as you never interact directly with them.
P2P Servers
On the surface, all of Surfshark’s servers appear to be P2P-friendly. But they host numerous dedicated P2P servers.
While on the Surfshark network, as soon as you launch your torrent client, you are automatically redirected to a dedicated P2P server.
You don’t need to hunt for P2P servers on Surfshark’s network. Just launch your favourite torrent client and you’re done. Surfshark makes sure you’re on a safe and dedicated P2P server.
For more information, check out our Does Surfshark Allow Torrenting / P2P? article.
So Is Surfshark Safe to Use?
Surfshark should be safe to use, yes.
They only allow robust VPN protocols that use strong, proven encryption ciphers.
Their service includes a VPN Kill Switch, DNS Leak Protection, CleanWeb & MultiHop servers, and a strict no-logging policy.
However, as we mentioned, their privacy policy should clarify certain things.
And some people might be uncomfortable with their jurisdiction – though I am not one of them.
All and all, Surfshark should be a safe and private VPN provider for the overwhelming majority of us.
For more detailed information on Surfshark’s service, take a look at our Surfshark review.
Can you be tracked using Surfshark?
Surfshark offer some robust security and privacy features. You should be very hard to track. Of course, if you’re primarily using a VPN for anonymity, do not log into any online accounts tied to your real-world identity.
I would also recommend enabling CleanWeb and using MultiHop.
And if tracking is really an issue for you, try and stay away from Google and Facebook – with or without a VPN.
Is Surfshark safe for torrenting?
Many VPN providers offer dedicated servers for P2P. This is usually done for security reasons, as well as for bandwidth optimization.
Security, because some countries are more hostile to P2P traffic than others.
Bandwidth optimization, because torrenting can quickly use up a lot of bandwidth. By segregating their servers, a provider can make sure that the torrenting activities of some users on the server aren’t slowing down other users.
Surfshark also follows that approach. But as we mentioned above, you just need to connect to any Surfshark VPN server and as soon as you launch your torrent client, you will be redirected to a dedicated P2P server in the background.
This makes torrenting safely extremely easy.
Click here to get Surfshark (83% discount)Is Surfshark Safe?
By Marc Dahan
Last updated: April 30, 2020