security

TunnelBear VPN review: The overpriced ursine has trouble living up to the hype – CNET


Like

  • Robust transparency
  • Ease of use
  • Dancing bears

Don’t Like

  • Doesn’t unblock Netflix
  • Can’t select servers by city
  • Prices aren’t competitive

TunnelBear’s gotten a lot of hype in the last couple of years. It was touted by Wirecutter as the New York Times’ top virtual private network pick for several months through 2020, US News and World Report ranked it 6th for the year, and PC Magazine and TechRadar liked it too. But when I look at TunnelBear after a year spent under the hoods of its VPN competitors, I just don’t get the excitement. 

Sure, TunnelBear’s speeds are reasonable. And yes, like some of its competitors, it offers yearly transparency reports and has been audited independently. But it’s also a Canadian business owned by US-based McAfee, so if you’re looking for subpoena-proof international privacy, you’re playing with fire. It holds a paltry 23 server locations from which you can’t manually choose your server or even a city. It doesn’t offer Tor-over-VPN, it only offers split tunneling on Android, and it can’t even unblock Netflix. 

Read more: The best VPN service of 2020

Why do people like this VPN so much? What am I missing? Is it the cutesy little bear animation that you see when you click the connection button? Is that what’s got everyone excited? No judgment. I just want to know. 

I know it can’t be the cost that makes it so appealing. The TunnelBear plan with the best value is $120 for a three-year subscription with a limit of five connected devices. Meanwhile, competitor Surfshark costs half as much at $60 for a two-year subscription, outperforms TunnelBear on every privacy and feature front, has likewise been independently audited, and allows unlimited connected devices.

By every measurement I’ve got, TunnelBear is just a slightly overpriced yet middling offering within a privacy-averse jurisdiction, and has all the configuration options and visual appeal of Baby’s First VPN by PlaySkool. 

Speed

  • Average speed loss: 63% 
  • Number of servers: 1,800 
  • Number of server locations: 23
  • Number of IP addresses: Unknown

I ran speed tests using TunnelBear over three days with dynamic IP addresses, in two locations, using both wireless and ethernet connections. Internet speeds in the US vary by state and provider. And with any speed test, results are going to rely on your local infrastructure. Hyperfast internet service will yield higher test speed results. 

That’s one reason I’m more interested in testing the amount of speed lost (which for most VPNs is typically half or more) across both high-speed and slower connection types, and in using tools such as speedtest.net to even out the playing field. In the case of TunnelBear, nearly 63% of average internet speed was lost. That average includes both the superfast speeds recorded for nearby servers, and the sluggish speeds recorded for the more distant servers. 

Read more: All the VPN terms you need to know

Speeds I recorded for TunnelBear placed it near the middle of the VPN pack. It struggled to catch up to the popular NordVPN‘s overall 32% speed loss, and catching up to other speed-intensive VPNs such as Surfshark and ExpressVPN (which in previous tests experienced overall losses of just 27% and less than 2%, respectively) could be an even bigger problem. TunnelBear’s speeds have steadily improved over the years as measured by other review and testing sites, though, and the US scores I recorded saw a speed loss of only 54%. 

In my tests, US servers delivered the peak speed of 176Mbps, with an average of 112Mbps. That’s more than fast enough to torrent, game, or browse. Non-VPN speeds in the same round averaged about 244Mbps. UK speeds came in second place, averaging 104Mbps. Australia followed in third place, with an average 100Mbps. 

Speeds bottomed out in Singapore, though, with a low of 4.95Mbps and an average speed of 68Mbps. TunnelBear’s connections routinely faltered when testing in the region. The lowest averages were found in Europe, at 65Mbps overall. As has been the case for every VPN I’ve tested, German servers underperformed compared to French. 

Security and privacy

  • Jurisdiction: Canada, with US parent company
  • Encryption: AES-256
  • Leaks: None detected
  • Includes kill switch

You want to unblock Netflix, BBC iPlayer, or another streaming service? TunnelBear isn’t the best choice. You want to torrent? Yes, TunnelBear offers P2P torrenting on all of its servers but its home jurisdiction of Canada — a member of the Five Eyes international mass surveillance and intelligence-sharing agreement — is known to come down hard on copyright violations when they’re caught. As is the US, where its parent company McAfee is headquartered. 

Notably, TunnelBear isn’t making the same “no logs” promise that many other VPNs make. It is open about collecting what would normally be considered very limited connection logs — as opposed to usage logs — which include data on your bandwidth use and whether you’ve used TunnelBear in any given month, and which version of the app you’ve installed on which OS. 

I prefer a VPN keep no logs, especially a VPN located inside a country that’s part of an international intelligence-sharing ring. But TunnelBear is holding its own in the transparency competition among VPNs by publishing the results of its independent security audits and annual transparency reports that are presented in plain, easily understood language. Those reports tell us that from September 2018 to September 2019, TunnelBear received 10 government or legal requests for user information. 


Now playing:
Watch this:

Top 5 reasons to use a VPN



2:42

Those reports also tell us something arguably more important: When TunnelBear is alerted to a significant service or security issue, the company addresses and fixes it. When it contracted Cure53 for its third independent security audit (released in January), TunnelBear set about fixing issues post-haste. While TunnelBear isn’t the only VPN with routine audits and transparency reports, this is the kind of habitual transparency we should all expect from every VPN on the market. 

No IP address, DNS or other potentially user-identifying data leaks were detected during our testing, but in the past TunnelBear was observed to have been leaking WebRTC information on at least two occasions. TunnelBear’s encryption is standard AES-256, and it supports Perfect Forward Secrecy, which means it frequently changes encryption keys to avoid security compromises. 

I’d like to see TunnelBear offer the latest VPN protocol WireGuard, but for now it offers only OpenVPN and IKEv2 protocols. The software includes a kill switch, which prevents network data from leaking outside of their secure VPN tunnel in the event the VPN connection fails. TunnelBear doesn’t offer a multi-hop option nor Tor-over-VPN, but it does offer limited split-tunneling in its Android client so you can pick which of your computer’s connections you want to encrypt. However, split-tunneling is not available on any other OS.

In a recent release, TunnelBear claims to have successfully circumvented a nationwide VPN block in Iran, while offering 10GB worth of free VPN usage to individuals inside the country. Perhaps more interesting, though, is that TunnelBear appears to have become the second app to have built support for a notably effective anti-censorship extension into its Android application. These moves toward expanded privacy under encroaching internet restriction suggest promising advancements in TunnelBear’s security priorities. 

Cost 

  • Usability: Nearly impossible to get wrong, at times oversimple
  • Platforms: Windows, Android, MacOS, iOS, (limited) Linux
  • Price: $3.33 per month, or $120, for a three-year plan
  • Number of simultaneous connections: Five

I don’t usually dig into the aesthetics of VPN software outside of how easily they might allow a newcomer to get the hang of a product, or how intuitively organized and accessible the software’s configuration options are. But nearly every review of TunnelBear ends up noting the unavoidable cuteness of its design as a standout feature, and it’s worth pointing out why it works and how it could help users in the longer run. 

My general distaste for cutesy-tech aside, I get it: In a world full of wanna-be edgy VPN software aesthetics, a cartoon bear doing silly things is an inviting visual queue of user friendliness. VPNs seem complicated and internet surveillance is scary; a teddy bear is comforting and simple. The choice of a bear as a marketing mascot is all the more clever for its dual symbolism: Where other VPNs rely on abstract logo design (or on less cuddly animals like vipers or sharks), a bear mascot stands out from the crowd by suggesting powerful protection of the user. In some design elements, TunnelBear’s mascot is a cub. In others, it’s a giant grizzly using its laser eyes to attack fighter jets. 

When you’re spending more than you should for a product with less features than its competitors, however, the cuteness stops being cute and becomes infantilizing, insulting even. It’s more frustrating than helpful to be presented with an interactive map for choosing your desired country when there’s only one “tunnel” per country. 

frame-1

TunnelBear has cute, accessible branding and design, but its features are lacking.


TunnelBear

But I’m not suggesting TunnelBear grow up and polish its playground look. The mascot strategy is brilliant, and the branding too strong to let go. What’s more, the cartoonish aesthetic provides TunnelBear a better opportunity at creating VPN power users than perhaps any other VPN on the market. If Joe Camel could persuade kids to light up a cigarette, TunnelBear’s grizzly can persuade VPN newcomers to understand encryption and internet censorship

To take advantage of this opportunity, TunnelBear should put some elbow grease into developing a stronger suite of features. Why not introduce WireGuard and let users experiment with different security protocols by allowing them to choose what kind of armor the bear wears (the lighter the armor, the faster he tunnels but the less protected he is)? Why not give the bear more than one cartoon tunnel per country and illustrate the differences in server load by showing the number of other bears queuing through each tunnel?

More playfulness in design is needed across privacy tech as its first-time users flee increasingly invasive domestic surveillance and strive to secure their browsing across an often too-steep learning curve. I don’t think we should kill TunnelBear’s cutesy-tech mascot, but for the money he demands, we should at least put him to work. 

On a per-month breakdown, the least expensive TunnelBear plan is its $120, three-year plan. Given the volatility of the competitive VPN field, though, three years is a long time to commit to a VPN provider, especially one like TunnelBear — one with a 48-hour wait time on its troubleshooting ticketing system instead of 24/7 live chat support, one which “may offer refunds on a case-by-case basis,” and one whose trial period is only available for its free version (which has limited use and features). You can do better. So can TunnelBear. 

You can also go month to month for $10, or pay $60 upfront for a single year. If you’re going to spend $60 on a VPN, though, you might as well spend it on Surfshark’s two-year plan, rather than TunnelBear’s one-year. Either way, TunnelBear accepts payment via credit card and Bitcoin. Unlike other VPNs, it doesn’t take PayPal. Also unlike other VPNs, it doesn’t support Amazon Fire Stick or Android TV



READ SOURCE

Leave a Reply