TunnelBear is the newest addition to our list of reviewed VPN service providers. There’s no particular reason why we chose it as our next subject. Okay, maybe it’s the name and their comic take on their service that got us hooked.
In the beginning
The TunnelBear VPN service was developed by the TunnelBear company, which was founded in 2011 by Daniel Kaldor and Ryan Dochuk in Toronto, Canada. The company created, developed and supported the TunnelBear VPN between 2011 and 2018.
In 2018, TunnelBear was acquired by McAfee. A quick look at the “About Us” section on their homepage lets us know that there are more than just two “bears” involved in this project, each of them holding unique perks and amusing, tongue-in-cheek background stories. See, that’s what we were talking about before.
Not much more can be said about the company, since they haven’t been the subject of any scandal or set a negative example before. Moving on.
McAfee ownership; what does it mean?
So you’ve learned that McAfee recently (kind of) purchased TunnelBear. How does that affect us, regular users? First of all, TunnelBear was based in Canada, so that means that it used to obey Canadian laws when it came to privacy and data security.
Data logging policy
Browsing TunnelBear’s homepage for a bit, scrolling around for a while, we stumble upon their views on data logging. Obviously, they state that they are against it; no VPN service provider will publicly admit that they collect data and sell it to whoever asks or bids the highest amount, you know.
The claim reads that TunnelBear will never monitor your browsing activity, nor will they log or sell it. It’s exactly what you need to hear from a VPN service before you even consider trying it. Same old story, but here’s the catch: TunnelBear has also been publicly audited, so you have one more reason to trust they will keep your connection secure and your data private. Moving on.
TunnelBear’s security audit
Alright, it appears that they weren’t subjected to just one, but multiple security audits, starting in 2016 and from the looks of it, they plan on doing that every year, so expect future reports!
What’s more, compared to other VPN service providers who only get their applications audited, TunnelBear got a “full body scan,” meaning that their whole infrastructure has been placed under close scrutiny by an independent team and the results have been made available for the wide public to access, read and analyze.
A bad start
A quick glance at their blog reveals that the first third-party audit (Cure53) that they underwent was in late 2016 and the results weren’t exactly great. A bunch of vulnerabilities was detected in the Chrome extension, and the team was pondering whether to publish the audit results or not. However, they did, hoping that the community would appreciate their transparency and not bash them over the security flaws that had been found. Besides, they were eager to repair the harm done. The outcome was that “All findings discovered in the 2016 audit were promptly addressed by TunnelBear’s engineering team and verified to be fixed by Cure53.”
In 2017, they underwent another audit and the results were more satisfying than the last time, since all the things found by the Cure53 team were reportedly low-risk. Again, the findings were addressed by the same engineering team as above, thus proving that the team behind the project responded promptly to flaws in their security system. The results of the 2017 audit can be accessed here. Note that this report only features critical findings, since the low-risk findings have been filtered out. However, if you’re interested in seeing the list of low-risk findings, you can do so by accessing this link.
Right back on track
The 2018 audit comes with a bit of flaunting and for good reason. TunnelBear stood their ground and paid for yet another audit from the same Cure53 team that they previously signed with. They claim that the audit took “a few hundred hours,” that they were given the chance to provide some feedback on the final report, where findings were considered inaccurate or impossible to reproduce, and that they are the only VPN service provider in the world who audited their whole infrastructure instead of just the apps. They used a “white-box” approach, meaning that Cure53 have received full access to their systems and code.
The findings on the 2018 security audit consisted of 2 critical findings, 5 high, 3 medium, 7 low ones and a bunch of informational issues. According to their website, all of the findings were promptly fixed. Moreover, reportedly, the more severe vulnerabilities would’ve been possible to exploit only if the attacker had direct access to the device and was logged in as a guest. The results can be viewed by accessing this link.
Considering that TunnelBear has been subjected to more than one independent security audit, it’s safe to say that they’ve learned the importance of regular security assessments, considering that none of the audits were 100% clean, despite the team’s efforts to keep things nice and tidy.
Technology is ever growing and nowadays there’s no such thing as a foolproof system, one that, once fully-developed, can ensure permanent protection forever without any additional assistance or tweaking. The safest way to keep you and your computer out of harm’s reach would be staying offline all the time, but that’s not really a valid option, is it?
Right from the top of the document, you receive an explanation of what this document means: it describes how TunnelBear handles your personal data when you’re using their services.
An important point of this document is situated somewhere in the beginning (as it should) and informs you that even though TunnelBear has servers in several countries around the world, no Personal Data will be stored outside of Canada’s physical borders. That tells us two things: one – personal data is, in fact, stored by TunnelBear and two – you have to give TunnelBear permission to use your info according to Canadian laws, regardless of where you’re located.
Among the account data that’s collected by TunnelBear you can find email addresses (used for marketing, product news, communication, and receipts), Twitter IDs (optional, used for a Twitter promotion), email confirmation and paid user info.
An example of a trade-off that’s been mentioned above would be that a while ago, TunnelBear collected your full name to personalize communication, but decided to delete this data and only use an email address as a requirement instead.
How you use the services
We’re still in the “what type of data does TunnelBear store” chapter and the next sub-genre is operational data. This is the type of data that’s collected each time you connect to their network.
It includes your Operating System’s version (used for troubleshooting and product planning), TunnelBear’s app’s version, whether your account has been active or not in the current month, the total amount of data you used in the current month, as well as operational events such as creating an account, making a payment or completing the Twitter bonus.
When creating an account and purchasing a subscription plan, TunnelBear processes the payment through various services such as PayPal or Stripe. As a result, whenever you’re paying with your credit card, some information can be stored.
This data collection includes the cardholder’s last name, the date that the card has been used and the last four numbers of your credit card. As an addition, they mention that the following data won’t be stored, but TunnelBear can log in securely and view it through their third-party payment processors (Stripe and PayPal): your card billing address, your card expiry date and the last four numbers of your credit card. Wait, didn’t they say that the last four numbers are actually stored? Something doesn’t add up.
The payment information that TunnelBear collects or securely logs in and views is mainly used for credit card fraud prevention.
Cookies and trackers
“Cookie name – Service – Cookie Expiry – Why do we store it?
- tb_mkt – TunnelBear marketing – Session – TunnelBear records a bit of information that helps us track how people are finding TunnelBear.
- tb_ref – TunnelBear marketing – Session – This cookie helps us understand which TunnelBear touchpoint (eg: website, email) led you to purchase TunnelBear.
- ac – TunnelBear marketing – 1 year – This cookie lets us know if you’ve already acknowledged our cookie banner. It saves your preferences so that the banner doesn’t show up every time you visit the site.
- TB_SESSION – TunnelBear website customization – 7 days – This cookie stores your account type and is used to customize your TunnelBear.com account. For example, if you have a paid account, we set your bearType to Grizzly and all of the graphics change to Grizzly Bears. We set a cookie so we don’t have to continue checking your account type in the database as you use the website.
- PLAY_SESSION – TunnelBear authentication – 7 days – PLAY_SESSION is the authentication token for TunnelBear.com. It allows you to use your account without having to continuously login.
- tb_user – TunnelBear authentication – 30 days – tb_user allows us to understand whether you are a new or returning visitor to our website. By setting this cookie, we’re able to customize the content on our own without using any third party tools.
- XSRF-TOKEN – TunnelBear XSRF protection – 1 year – One common attack used against website visitors is a cross-site request forgery attack. TunnelBear uses this cookie to protect you from XSRF attacks.
- _ga – Google Analytics – IP anonymization enabled – 2 years – To make our website better, we use Google Analytics (GA) to see how many people are visiting it. We have set GA to use the minimum available retention period and not store IP addresses.
- _gaid – Google Analytics – IP anonymization enabled – 24 hours – To make our website better, we use Google Analytics (GA) to see how many people are visiting it. We have set GA to use the minimum available retention period and not store IP addresses.
- _gat – Google Analytics – IP anonymization enabled – 1 minute – Google Analytics uses this cookie to limit the number of requests that we can make to their service in a given time period.
- ki_r – Qualaroo – 90 days – This cookie helps us show anonymous surveys to visitors who find us through specific services, like Google.
- ki_s – Qualaroo – 90 days – This cookie tells us whether visitors have viewed or interacted with a survey so we can stop showing it to them.
- ki_t – Qualaroo – 90 days – This cookie gives us timestamps and view counts for pages in which surveys are active.
- ki_u – Qualaroo – 90 days – This cookie provides our visitors with an anonymous identity to associate with responses.
- _cfuid – DDoS protection – Cloudflare ID – 1 year – TunnelBear uses Cloudflare to protect our service from DDoS attacks. Cloudflare uses _cfuid in your browser so that once they have checked to see if you’re a bot, they won’t have to check again while you use our website.
- _stripe_mid – Payment provider – Stripe user – 1 year – TunnelBear uses Stripe to process credit card payments on our website. Stripe uses this cookie to help prevent fraud on TunnelBear.com.
- _stripe_sid – Payment provider – Stripe session – 24 hours – TunnelBear uses Stripe to process credit card payments on our website. Stripe uses this cookie to help prevent fraud on TunnelBear.com.”
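A cookie table like the one quoted above can be checked against the Set-Cookie headers a site actually sends. The following Python example is added here and is not TunnelBear’s code: the declared lifetimes are copied from the table, while the sample headers, the promo_id cookie name and the Secure/HttpOnly requirement for the PLAY_SESSION authentication token are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Declared lifetimes, copied from the cookie table quoted above.
# "Session" means the cookie should carry neither Max-Age nor Expires.
DECLARED = {
    "tb_mkt": "Session", "tb_ref": "Session", "ac": "1 year",
    "TB_SESSION": "7 days", "PLAY_SESSION": "7 days", "tb_user": "30 days",
    "XSRF-TOKEN": "1 year", "_ga": "2 years", "_gaid": "24 hours",
    "_gat": "1 minute", "ki_r": "90 days", "ki_s": "90 days",
    "ki_t": "90 days", "ki_u": "90 days", "_cfuid": "1 year",
    "_stripe_mid": "1 year", "_stripe_sid": "24 hours",
}

# Assumption (not stated in the table): the authentication token
# should be sent with the Secure and HttpOnly attributes.
AUTH_COOKIES = {"PLAY_SESSION"}

UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "year": 365 * 86400}


def declared_seconds(text):
    """Convert '7 days' or '1 year' to seconds; 'Session' becomes None."""
    if text.lower() == "session":
        return None
    count, unit = text.split()
    return int(count) * UNIT_SECONDS[unit.rstrip("s")]


def parse_set_cookie(header, now):
    """Return (name, lifetime in seconds or None, attribute names) for one header value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    lifetime, flags = None, set()
    for attr in attrs:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        flags.add(key)
        if key == "max-age":
            lifetime = int(value)  # Max-Age takes precedence over Expires
        elif key == "expires" and lifetime is None:
            lifetime = int((parsedate_to_datetime(value) - now).total_seconds())
    return name, lifetime, flags


def audit(headers, now):
    """Compare observed Set-Cookie headers with the declared table; return findings."""
    findings = []
    for header in headers:
        name, lifetime, flags = parse_set_cookie(header, now)
        if name not in DECLARED:
            findings.append((name, "not in the declared cookie table"))
            continue
        limit = declared_seconds(DECLARED[name])
        if limit is None:
            if lifetime is not None:
                findings.append((name, "declared Session but sent with a lifetime"))
        elif lifetime is not None and lifetime > limit:
            findings.append((name, f"lifetime {lifetime}s exceeds declared {limit}s"))
        if name in AUTH_COOKIES:
            for required in ("secure", "httponly"):
                if required not in flags:
                    findings.append((name, f"authentication cookie missing {required}"))
    return findings


# Constructed sample data for the example (not captured from any real site).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "PLAY_SESSION=abc; Max-Age=604800; Path=/; Secure",
    "tb_mkt=search; Max-Age=2592000; Path=/",
    "tb_user=1; Expires=Wed, 31 Jan 2024 00:00:00 GMT; Path=/",
    "_gat=1; Max-Age=600",
    "promo_id=xyz; Max-Age=86400",  # hypothetical cookie, absent from the table
    "tb_ref=email; Path=/",
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_HEADERS, NOW):
        print(f"{name}: {problem}")
```

A cookie that lives for less time than declared is not reported, since only longer retention than the policy states is a discrepancy.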
Data that’s not kept
After a lengthy journey in the trove of collected, stored, logged personal data, it’s time to take a look at the data bits that TunnelBear claims not to collect, store or log.
The list is fairly short and consists of the following:
“IP addresses visiting our website
IP addresses upon service connection
DNS Queries while connected
Any information about the applications, services or websites our users use while connected to our Service”
Although they didn’t stress the no-logging part enough, at least it’s there. Right now there’s a little icon depicting a bunch of logs above a large “X” stating a “No logging!” message. Told you these guys are funny.
Moving on, if you scroll down, you’ll see the following message that’s a bit more reassuring, in case you were worried:
“TunnelBear does NOT store users’ originating IP addresses when connected to our service and thus cannot identify users when provided IP addresses of our servers. Additionally, we cannot disclose information about the applications, services, or websites our users consume while connected to our Services; as TunnelBear does NOT store this information.”
“Becoming” a TunnelBear
First things first, you can acquire a subscription plan by accessing the “Pricing” category: simply click the designated button on the top toolbar and pick whatever plan suits your needs best.
After selecting the plan you want, the website will redirect you to a payment page, where you need to provide your personal data and payment details as requested. After submitting this information to the website, you can press the “Buy Now” button, which lets you choose whether to create a new account by typing an email address and a password in the designated fields or log into your existing account (assuming you already have one).
After successfully taking these steps, you’ll be prompted with an offer for their password manager, “RememBear.” If you’re not interested in purchasing it, you can press the “No thanks” button, which will redirect you to your account page. From here you can download TunnelBear on any supported device, whether it’s a Mac, Windows, iOS or Android device, or even your Chrome, Firefox or Opera browsers, if you’re interested in extensions. It’s worth mentioning that it’s recommended to verify your email address after creating your account.
Once you’ve logged in on their website, you can access your account page, or, how everyone likes to call it, the dashboard. This page keeps things pretty simple. The controls are organized in four different categories, “Overview,” “Privacy,” “Billing History” and “Subscription.”
The “Overview” section lets you see your current plan, but also change your email address or password; from the “Privacy” category it’s possible to see and manage personal data in your account; “Billing History” lets you see up to two years of billing history; and “Subscription” lets you see a more detailed view of your subscription plan and also update payment details.
As you’re probably aware by now, we’re only getting into details for deploying the application on Windows computers. The reason behind our decision is that we believe Windows computers are one of the most commonly owned devices in a household and that, compared to handheld devices like iPhones or Android phones, it can be more difficult for users to install apps on Windows devices.
The first step would be downloading the application, but we’ve already discussed this part a bit earlier. Assuming you’re already the proud owner of the installation package, you can double-click the downloaded executable to begin the setup. First things first, you have to accept the End User License Agreement (EULA).
The next step is to decide where exactly on your computer you want this application to be deployed and, after doing so, just click the “Install” button. The rest of the process unfolds automatically, without any additional assistance on your side, and you’ll be able to sit back and enjoy the funny progress text fragments that are displayed during the installation.
The version we installed on our computer is 3.7.6.
Running it for the first time on your PC
Compared to other VPN service providers, TunnelBear took a while to be completely deployed to our computer and once the installation was completed, the app was automatically launched for us to use.
Naturally, once the app is launched, you’ll be required to type your email address and password so that you can access its services or, if you lack an account, you can create one directly from within the app.
Past the login gates
Ok, you’ve logged into your account, now you’re in the app. What’s next? The first time you run TunnelBear you’ll receive a brief tutorial regarding how to use it efficiently. But don’t worry, it’s only a three-step quick guide and if you’re not in the mood for this kind of thing, you can just skip it right from the start by using the, you guessed it, “Skip” button.
The main window of the app displays an interactive map with a bunch of countries. Don’t be surprised if the map is centered to display your location, it’s only natural to inform you of your real location, don’t you think? A sheep is displayed in your vicinity along with the message “Don’t be an Internet sheep!” floating somewhere above it.
You’ll notice that scattered all around the map, are some tunnels. Actually, they’re more like those tubes from Super Mario. Clicking them quickly pops a message on your screen, asking if you want to tunnel to that location (i.e. the tube you just selected).
If you push the “Yes” button, the sheep we talked about before turns into a bear and starts digging to the country you selected and from the moment it pops its head out you are officially connected to that location’s server. Note that before you were connected, the map was displayed in grayscale; now that your connection is secure, the map is all bright and colored. Nice touch.
TunnelBear’s main screen consists of an interactive map, a bunch of buttons and a dropdown menu. If you prefer to see a simplified version of the app, you can click the bottom-left button, the one with the two arrows pointing at each other. This will shrink the window so that it only displays the server you’re connected to, the On/Off switch that lets you quickly connect and disconnect to and from the VPN server, and the same two-arrow button you used to shrink the app that can now be used to enlarge it.
The hamburger button (three horizontal lines on top of each other) enables you to expand the main menu of the app and see the description of the buttons it encompasses. So, if the globe button wasn’t suggestive enough for you to understand that it takes you to the map, or if the gear button didn’t make you think about “Settings,” then this function is for you.
Accessing the settings section
Often avoided for having the potential of ruining stuff on your PC, the “Settings” section of any application should be easy to access, at least for users who are interested in having quick access to it. TunnelBear lets you jump right to it by simply pressing the gear-shaped button mentioned above.
Here you’ll notice that there are four different categories you can simply switch between by clicking the one you’re interested in. Thus, you can choose from “General,” “Security,” “Trusted Networks” and “Account.” Although the settings are explained quite clearly in the designated section, you might want to hold back if you’ve no idea what you’re doing, since you could jeopardize your privacy without even realizing if you mess with the wrong options.
Exploring our options
The “General” section, as you expected, allows you to customize general settings such as launching the app upon system startup, minimizing it to the system tray and toggling notifications for various events, but you can also enable or disable the TCP override feature.
From the “Security” category you can enable or disable two features with unique names: “VigilantBear” and “GhostBear.” VigilantBear is essentially the application’s kill switch since it blocks all traffic between reconnections and GhostBear is a feature meant to let you bypass VPN bans by making your encrypted data look like regular Internet data.
The “Trusted Networks” category is actually a whitelist that you can use to include networks that you feel are secure enough to give TunnelBear a break. So, to keep it short, if you’re connected to any of the networks in the trusted list, TunnelBear won’t automatically connect to one of its servers and vice-versa.
Finally, the “Account” category only lets you manage your account by quickly opening your account page in an external browser, log out of your account and access the “Help” section of their website.
VigilantBear and GhostBear
Since these features are a bit more specific to TunnelBear itself, we’ve decided to dedicate a full subchapter to them. Starting with “VigilantBear,” this feature is meant to prevent your online identity from being exposed by blocking all the traffic in those moments when TunnelBear is connecting or reconnecting to a private server. It can be really useful if you ever change WiFi networks or you are briefly out of range. TunnelBear is designed to automatically reconnect as soon as it detects Internet and VigilantBear protects you in those precious seconds.
It works on Windows, macOS and Android (Lollipop 5.0 or later). It won’t work if your computer (device) is running a custom proxy. However, some networks use custom proxies as a requirement, so before you go ahead and disable them blindly, be sure to check with your network administrator or ISP beforehand.
The second “unique” feature is GhostBear. In some countries, the usage of VPN providers is forbidden, so users need to improvise-adapt-overcome in order to bypass these limitations. TunnelBear offers these users an alternative to their problem through GhostBear, which was designed to make VPN traffic less detectable on the network they’re on, thus making it harder to block.
An important aspect of GhostBear is that it won’t work on iOS devices, due to iOS design restrictions. It is worth mentioning that GhostBear shouldn’t be used haphazardly since it can unnecessarily make your connection very slow. GhostBear should only be used if you can’t connect to TunnelBear due to VPN censorship. As the TunnelBear team puts it, “Leaving GhostBear off doesn’t make you less secure.”
Servers you can connect to
Unlike other VPN service providers, TunnelBear doesn’t provide the wide public with a detailed list of servers available for you to connect to, but only mentions the regions where they’re located. These are as follows:
As you can see, the number of servers/locations available for you isn’t impressive at all (22), but we hope that we’ll get good security results and high speeds at least.
Our customer support experience
First of all, we should mention that TunnelBear doesn’t provide you with any form of live chat. Reaching the “Support” section on their website can’t be done directly from the bottom menu, but you have to access the “Help” page, then click the “Contact Us” hyperlink. Alternatively, you can also reach this page by navigating to the “About” section, scrolling all the way down past the wall of “bears” and clicking the “Contact Us” hyperlink.
Their support system is partly automated, meaning that you need to make a few selections before you can reach the ticket text box. For instance, you can mention that you have a subscription issue or that you want to send them general feedback by clicking a radio button on the “Support” page.
After you’re happy with your selection, you can type a description of your issue in the designated field, upload a screenshot (optional) and include your email address (this one’s mandatory).
Although the lack of a live chat system isn’t an ideal situation, we received a fairly quick reply to our ticket. Moreover, their “Help” section (knowledge base) is quite extensive and lets you access a wide range of guides regarding various issues you might encounter.
The tests we’re going to run
As we do with any other VPN service provider, we’re going to run a bunch of tests on TunnelBear and see for ourselves whether or not it can protect you against the prying eyes of various agents (hackers, ISPs, government agencies, you name it) and if the connection speeds are satisfactory.
The importance of security is way greater than the need for fast servers since the main purpose of VPNs is to hide your identity while browsing the Internet or doing any other online activity. In an ideal world, a VPN service should be able to provide its users with both airtight security and fast servers, but we can’t always have it all.
As with previous VPNs, we’re going to use the IPX service to test for security flaws and Netflix’s fast.com website to check exactly how fast the servers are, since we found it provided us with more accurate results than the traditional Ookla Speedtest. Alright, let’s get to work.
Security test results
We’ve finished running the security tests and if you’re impatient for the results, you can see them by accessing this link.
Now for those of you who like a good read: the IP, PTR, country, city, latitude and longitude were successfully spoofed. We chose a Norway, Oslo server and our location was shifted to match the server’s. The ASN, ISP, domain type and IP type were set to AS9009 M247 Ltd, Venus Business Communications Limited, m247.com and Non-Residential (Data Center), respectively. So far so good.
The rest of the details that are available in the report are generic ones and are not nearly enough to be used for identification purposes. These include the browser that’s been used, the user agent, the operating system, the screen resolution, and browser version. Everything looks great here. Nice job!
Speed benchmark results
We’re going to pick a few random servers and run our speed test against them. The reason why we don’t just test one server (preferably the one that’s closest to us) is that we’re trying to see its behavior in various scenarios and use a reasonably wide spread while doing so.
The results are in and are as displayed here:
- Norway – 38 Mbps;
- Hong Kong SAR – 21 Mbps;
- Brazil – 23 Mbps;
- United States – 32 Mbps;
- Canada – 49 Mbps;
- India – 1.9 Mbps.
The speed values for these servers are quite good; we couldn’t help but notice the difference in speed between servers in Europe, for instance, and the ones in Canada. It’s rather obvious that the server cluster on that side received a greater deal of attention. Not saying that the others were neglected, but a bit more balance would’ve been nice, too.
Unlocking popular services with TunnelBear
Usually, when a VPN service is capable of unlocking certain services that are geographically restricted for one reason or another, they proudly display it on their website. Although we weren’t able to find any specific claims on TunnelBear’s website (other than a generic “Bypass local censorship”), we decided to give it a go.
We’ve attempted to access a bunch of popular services, such as Hulu, Netflix, BBC iPlayer and Amazon Prime Video, but, unfortunately, none of these worked for us. Given that the network of servers that TunnelBear provides to its customers is quite narrow and that the providers for the said services are getting better by the day at banning VPN users, this situation is understandable.
However, torrenting is available when using TunnelBear and, if you’re interested, you can also use TOR (The Onion Router) in combination with this VPN. However, you should understand that using TOR in conjunction with TunnelBear can and will lead to a severe drop in your connection speed.
Free trial available
We’ve reached that part of our review where we start talking about the money. However, you’ll be glad to learn that this time we’re going to start with a “this VPN offers you a free trial” instead of an “unfortunately, no trial is available.”
Compared to other services, TunnelBear doesn’t put a time restriction on their trial, but a bandwidth one. So, according to their website, you can use up to 500 Mbs of data per month before you decide whether TunnelBear is the right choice for you.
The real money talk
Alright, let’s get down to business. Navigating to the website’s “Pricing” section displays three different subscription plans, one of them being the trial we’ve previously talked about.
The other two plans are available as listed here:
- A 1-month plan that lets you connect a maximum of 5 devices and is billed at 9.99$ per month;
- A 1-year plan that has the same features as the 1-month plan and costs 4.99$ per month but billed as 59.88$ every 12 months.
Paying for these services can be done with Visa, MasterCard, American Express, Bitcoin and even jars of honey. I’m sure the last one is just a bear-related pun (told you they’re full of bear puns and jokes), but it wouldn’t hurt to ask them if they actually accept this form of payment. Who knows?
On an ending note
To wrap it up, TunnelBear is a VPN service provider that’s been around for 8 years now and still provides its users with great security, despite the company having been bought by McAfee back in 2018.
It’s been audited by an independent security company a couple of times so far, but the team behind this project made it a goal to take such audits yearly and provide their customers with the results, boosting their popularity and trust through transparency. Although some vulnerabilities were detected during the audits, the engineering team solved the issues promptly, as stated in the reports.
Downloading the app to your device, installing it on your computer and using it can be done without breaking a sweat since all of these operations are user-friendly and highly intuitive. Both their website and application (and dare I say their customer support) are full of enjoyable bear-related puns, so buckle up ’cause you’re in for a ride!
Security-wise, the tests proved that TunnelBear doesn’t mess around and offers you high protection; no leaks were detected. Speed-wise we’ve got satisfactory results, with higher speeds for the Canada servers, (cough) where the company is based (cough).
Unfortunately, if you’re looking for a VPN that can unlock popular entertainment services like Netflix and Hulu, we kindly recommend that you keep looking, since TunnelBear doesn’t provide you with these features.
They offer a trial that’s limited to 500 Mbs per month and two subscription plans: a 1-month plan and a 1-year one. The monthly plan comes with no discount whatsoever, and compared to the yearly plan, you pay double the price per month of service if you choose this one.
+ Great security; (5)
+ User-friendly interface (and bear puns); (5)
+ Free 500 Mbs trial; (4)
+ Friendly customer support; (4)
+ Torrent/TOR support; (4)
– Narrow server/location list; (1)
– Lack of live chat support; (2)
– Can’t unlock Netflix/Hulu; (1)
– Quite slow speeds except for Canada/US servers. (2.5)
TunnelBear gets a 3.16/5 rating.