Cloudflare has become the latest big internet company to take the leap into the VPN market.
Except their new VPN, which is known as WARP, is not a VPN in any commonly understood interpretation of the word.
Sounds confusing? Well, it is, and quite why Cloudflare has decided to muddy the water which such a contradictory product is frankly anybody’s guess.
Why WARP is not a VPN
In their blog announcing the launch of WARP, Cloudflare set up outlining what sounds like a very promising product. WARP is a mobile app which, according to Cloudflare, can be used to secure all of your phone’s internet traffic.
So far, so VPN.
The second section of their blog is entitled ‘mea culpa’ but this is just an apology for taking so long to launch WARP. It is also being used as an offer for an introductory offer with 10GB of WARP Plus, their unlimited subscription service for free to everyone on their waiting list.
According to Cloudflare, this list contains more than 2 million people which is an impressive number. But as you dig into the detail of WARP, it is also a rather troubling figure too.
Their blog post is a long one and you get over halfway down before you get to the real mea culpa. After a rather misleading section entitled ‘Privacy First’, we get to the crux of the issue in another section entitled ‘What WARP is not’.
It transpires that Cloudflare’s VPN is not a VPN.
WARP “will not hide your IP address from the websites you visit,” Cloudflare confesses. They go on to say “WARP is not designed to allow you to access geo-restricted content when you’re traveling.”
Cloudflare inadvertently misleading users
They go on to explain that they have designed WARP for the average user and it is to keep data safe in transit. But the fact is that WARP is half a VPN. Yes, it encrypts data, but it doesn’t protect user’s privacy.
That would be fine if they were upfront about the fact. But their message appears mixed.
Cloudflare has buried this revelation halfway down a lengthy blog. Even then, they have led the section with a claim that WARP is “technically a VPN”. The term VPN is also used no fewer than 30 times during this single blog.
In our view, this is disingenuous at best. And we are not the only ones to be calling Cloudflare out on this.
Criticism for Cloudflare
The issue first came to light when an independent security researcher went through the WARP Terms of Service. On his Twitter account, he described them as “jaw-dropping” and added that WARP was “a privacy minefield”.
The Terms of Service note that WARP will install a VPN profile on your device and operate in the same way as a VPN. But they then go on to say that WARP will not protect your identity or privacy online.
Cloudflare’s head of Research, Nick Sullivan, took to Twitter himself to try and provide some clarification. But his tweets reads like a game of defend the indefensible.
WARP “does not make you anonymous to the sites you are visiting,” he confesses before going on to argue that it “does, however, encrypt your traffic so your local network and ISP can’t see it, providing enhanced privacy.”
Cloudflare appears to be arguing that WARP is a privacy tool despite the fact that it lacks the most fundamental privacy feature any VPN can offer.
While WARP is technically a VPN, the issue centers on the fact that the majority of consumers these days expect a VPN to disguise their IP Address.
Whether this is the technical meaning is besides the point. Similarly to how British consumers interchangeably use the word “Hoover” to mean “Vacuum Cleaner”.
Private Internet Access (PIA) has also published a blog highlighting the potential privacy risks that WARP creates.
As they note, hiding an IP Address is “a must-have feature” for any product purporting to be a VPN. “While there arguably are uses for a VPN that doesn’t provide this key feature, they aren’t anywhere near as numerous,” they add.
What WARP does (and doesn’t do)
If all this is a bit confusing, let’s spell out what WARP does and doesn’t do in clear and unambivalent terms.
It does encrypt your internet data which will stop your ISP, your local network, and any hackers from seeing what you are doing online.
It does not hide your IP Address from the websites you visit or services you use. This means they will all know your real identity and WARP offers no privacy protection from them. For people using a VPN in sensitive locations, this makes WARP pointless.
It also means that WARP is no use for unblocking geo-restricted content either, which is a big reason why many people use a VPN.
In fact, in a poll just a few days ago, VPN provider Windscribe discovered that a massive 39% of users used their service for “Unlocking content”. A further 53% said they used it for “General privacy” and it could be argued that WARP does neither.
The question most people are asking is, should I use WARP?
WARP is better than nothing. If you need to protect your connection when using public Wi-Fi, for example, it will offer some protection.
But in most other circumstances it will not protect your privacy and we, therefore, would not recommend using it.
It seems like a no-brainer to us. But Cloudflare seems to be banking on there being enough kudos behind their own brand to sell users half a VPN for the price of a whole one.
While Cloudflare has a lot to be praised for including their CDN service and secure 220.127.116.11 DNS service, we're just not quite sure they've marketed WARP in the right frame.